Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 27 Mar 2016 05:54:04 +0300
From: Solar Designer <>
Cc: Timo Teras <>
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings

On Sun, Mar 27, 2016 at 05:11:21AM +0300, Solar Designer wrote:
> On Fri, Mar 25, 2016 at 02:12:35PM +0200, Timo Ter??s wrote:
> > See:
> This looks like a script testing PHP's behavior.  I vaguely recall PHP
> relaxing the PHP-embedded crypt_blowfish code like this.  I think they
> shouldn't have.  Especially they shouldn't have done that when at the
> same time (apparently) continuing to detect and prefer the underlying
> system's bcrypt support whenever that is available.

I found that PHP's hack was introduced in commit:

commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
Author: Pierre Joye <>
Date:   Mon Jul 18 21:26:29 2011 +0000

    - update blowfish to 1.2 (Solar Designer)

$ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
+       if (tmp == '$') break; /* PHP hack */ \
+       while (dptr < end) /* PHP hack */

I think they shouldn't have.  Perhaps someone complained at the time,
but since then this hack resulted in more incorrect PHP code written,
relying on the hack.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.