should support $2y$ hash identifier.

[GoogleCodeExporter]

https://en.wikipedia.org/wiki/Crypt_(C)#Blowfish-based_scheme
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2483

Original issue reported on code.google.com by nerd...@gmail.com on 3 Dec 2013 at 8:49

[GoogleCodeExporter]

Current versions of PHP use $2y$ identifier, making this (otherwise excellent) 
library incompatible in certain client-server architectures.

Original comment by e...@eventless.com on 5 Feb 2014 at 12:28

[GoogleCodeExporter]

$2y$ is actually precisely equivalent to the implementation of $2a$ in the 
current jBCrypt except for the name. However, I've implemented a version of 2x, 
2y, 2b, and 2a equivalent to the reference crypt_blowfish.c implementation 
v1.3. See also http://www.openwall.com/lists/announce/2011/07/17/1 and 
http://www.openwall.com/lists/announce/2014/08/31/1 for the upstream 
announcements.

See https://github.com/Oscil8/jBCrypt/tree/gcsvn-2y-etc (or 
https://github.com/Oscil8/jBCrypt/tree/djm-2y-etc) for step-by-step patches, or 
attached tar-ball.

Original comment by ariel.sa...@lookout.com on 22 Jan 2015 at 12:57

Attachments:

• jBCrypt-patch-2y.tar.gz

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

$2y$ no worked in this jBCrypt (generate password_hash() PHP5.5)

Original comment by KaD...@gmail.com on 2 Feb 2015 at 1:56

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

You may want to verify that you are creating the password with UTF-8 encoded 
strings -- the jBCrypt code encodes as UTF-8 when you pass in a string.

The $2y$ is actually exactly equivalent to what $2a$ was before my change 
(after the change there is a minor countermeasure added to $2a$), and is 
confirmed by passing tests from the reference crypt_blowfish implementation.

Original comment by ariel.sa...@lookout.com on 2 Feb 2015 at 11:15