Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 27 Mar 2016 18:22:16 +0300
From: Solar Designer <>
Cc: Timo Teras <>
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings

On Sun, Mar 27, 2016 at 05:54:04AM +0300, Solar Designer wrote:
> I found that PHP's hack was introduced in commit:
> commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
> Author: Pierre Joye <>
> Date:   Mon Jul 18 21:26:29 2011 +0000
>     - update blowfish to 1.2 (Solar Designer)
> $ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
> +       if (tmp == '$') break; /* PHP hack */ \
> +       while (dptr < end) /* PHP hack */

Correction: this commit merely documented the hack with those comments,
but the hack itself was in there before.

I just brought the issue up on the PHP internals list:

A sub-issue is that the padding appears to vary between PHP versions or
builds: some pad with zero bits, and some (5.4.x only?) with '$' signs.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.