Date: Sun, 27 Mar 2016 18:22:16 +0300 From: Solar Designer <solar@...nwall.com> To: musl@...ts.openwall.com Cc: Timo Teras <timo.teras@....fi> Subject: Re: [PATCH] crypt_blowfish: allow short salt strings On Sun, Mar 27, 2016 at 05:54:04AM +0300, Solar Designer wrote: > I found that PHP's hack was introduced in commit: > > commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 > Author: Pierre Joye <pajoye@....net> > Date: Mon Jul 18 21:26:29 2011 +0000 > > - update blowfish to 1.2 (Solar Designer) > > $ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack > + if (tmp == '$') break; /* PHP hack */ \ > + while (dptr < end) /* PHP hack */ Correction: this commit merely documented the hack with those comments, but the hack itself was in there before. I just brought the issue up on the PHP internals list: http://news.php.net/php.internals/91969 A sub-issue is that the padding appears to vary between PHP versions or builds: some pad with zero bits, and some (5.4.x only?) with '$' signs. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.