Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 20 Jun 2011 10:19:58 +0200
From: Frank Dittrich <>
Subject: Re: Either my test script is b0rken or BF has an 8-bit

Am 20.06.2011 01:08, schrieb Solar Designer:
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish), and why I am getting different hashes for
> 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish
> in glibc on Owl).  I'll need to investigate that.  If crypt_blowfish has
> the bug too, and it looks like it does, that's pretty bad, because it
> means we have incorrect (incompatible with OpenBSD's) hashes in the wild
> as well.

There are (or were) other incorrect hashes in the wild as well, see

Gawker used this broken implementation, which replaced all
non-ascii characters with question marks prior to hashing.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.