Fix doc bug #62414 (Out of date docs for CRYPT_BLOWFISH). I'd greatly

appreciate a review on this, since I'm not sure it's as well worded or laid out as it could be -- the one paragraph per hash convention is starting to get a little tight. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@326725 c90b9560-bf6c-de11-be94-00142212c4b1
2025-03-15 16:38:54 +00:00 · 2012-07-20 08:39:55 +00:00 · 2012-07-20 08:39:55 +00:00 · d0223af67d
commit d0223af67d
parent 4d6ac2f940
1 changed files with 20 additions and 6 deletions
--- a/reference/strings/functions/crypt.xml
+++ b/reference/strings/functions/crypt.xml
@ -66,12 +66,19 @@
   </listitem>
   <listitem>
    <simpara>
-     <constant>CRYPT_BLOWFISH</constant> - Blowfish hashing with a salt as follows:
-     "$2a$", a two digit cost parameter, "$", and 22 digits from the alphabet
-     "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to
-     return a zero-length string. The two digit cost parameter is the base-2 logarithm of the
-     iteration count for the underlying Blowfish-based hashing algorithmeter and must be in
-     range 04-31, values outside this range will cause crypt() to fail.
+     <constant>CRYPT_BLOWFISH</constant> - Blowfish hashing with a salt as
+     follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and
+     22 digits from the alphabet "./0-9A-Za-z". Using characters outside of
+     this range in the salt will cause crypt() to return a zero-length string.
+     The two digit cost parameter is the base-2 logarithm of the iteration
+     count for the underlying Blowfish-based hashing algorithmeter and must be
+     in range 04-31, values outside this range will cause crypt() to fail.
+     Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP
+     5.3.7 introduced the new prefixes to fix a security weakness in the
+     Blowfish implementation.  Please refer to
+     <link xlink:href="&url.crypt.blowfish;">this document</link> for full
+     details of the security fix, but to summarise, developers targeting only
+     PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".
    </simpara>
   </listitem>
   <listitem>
@ -149,6 +156,13 @@
      </row>
     </thead>
     <tbody>
+      <row>
+       <entry>5.3.7</entry>
+       <entry>
+        Added <literal>$2x$</literal> and <literal>$2y$</literal> Blowfish
+        modes to deal with potential high-bit attacks.
+       </entry>
+      </row>
      <row>
       <entry>5.3.2</entry>
       <entry>