Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 20 Jun 2011 03:20:26 +0400
From: Solar Designer <>
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

magnum -

On Mon, Jun 20, 2011 at 03:08:52AM +0400, Solar Designer wrote:
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish), and why I am getting different hashes for
> 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish
> in glibc on Owl).  I'll need to investigate that.  If crypt_blowfish has
> the bug too, and it looks like it does, that's pretty bad, because it
> means we have incorrect (incompatible with OpenBSD's) hashes in the wild
> as well.  Moreover, those might be weaker than expected, as sign
> expansion in the OR operation may be overwriting key bits from other
> characters (the exact impact needs to be analyzed).  I am quite
> embarrassed of that.  I should have tested the 8-bit chars vs. OpenBSD
> myself, years ago (when I released crypt_blowfish separately from JtR).

I've just tried my Perl script on OpenBSD 4.6, invoking crypt().  It
produced the same hash as I am getting on Owl.  However, that hash is
not cracked by John, neither with nor without the fix I posted.  I'll
investigate further.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.