Date: Mon, 20 Jun 2011 10:19:58 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

On 20.06.2011 01:08, Solar Designer wrote:
>
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish), and why I am getting different hashes for
> 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish
> in glibc on Owl). I'll need to investigate that. If crypt_blowfish has
> the bug too, and it looks like it does, that's pretty bad, because it
> means we have incorrect (incompatible with OpenBSD's) hashes in the wild
> as well.

There are (or were) other incorrect hashes in the wild as well, see
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2010-02/msg00005.html

Gawker used this broken implementation, which replaced all non-ASCII
characters with question marks prior to hashing.

Frank