Message-ID: <BLU0-SMTP112F3E2E9C2B30E9612B047FD6E0@phx.gbl>
Date: Mon, 20 Jun 2011 10:19:58 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

On 20.06.2011 01:08, Solar Designer wrote:
>
> Now I am wondering how Authen::Passphrase avoided the bug (IIRC, it used
> my code from crypt_blowfish), and why I am getting different hashes for
> 8-bit chars produced by crypt() in Perl on Owl (which uses crypt_blowfish
> in glibc on Owl).  I'll need to investigate that.  If crypt_blowfish has
> the bug too, and it looks like it does, that's pretty bad, because it
> means we have incorrect (incompatible with OpenBSD's) hashes in the wild
> as well.

There are (or were) other incorrect hashes in the wild as well, see
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2010-02/msg00005.html

Gawker used this broken implementation, which replaced all
non-ASCII characters with question marks prior to hashing.


Frank
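As an added illustration (this is not code from the thread, from crypt_blowfish, or from Gawker), the following C program shows both 8-bit failure modes discussed above: sign extension of key bytes when a password is packed into Blowfish key words through a signed `char`, which is the mechanism of the crypt_blowfish 8-bit bug (bytes at or above 0x80 are promoted to negative ints and OR'd in with all high bits set, clobbering the bytes already packed), and the non-ASCII-to-'?' squashing Frank mentions, which makes distinct passwords produce identical hash inputs. The key-packing loop only mimics the shape of Blowfish key setup; the per-byte replacement is an assumption, since the post does not say how Gawker's implementation treated multi-byte characters. All inputs are constructed.

```c
/*
 * Added illustration, not code from the john-dev thread, crypt_blowfish
 * or Gawker: two ways a hashing front end can mishandle 8-bit input.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Pack four key bytes into one 32-bit word, cycling over the key
 * including its terminating NUL, as Blowfish key setup consumes a
 * password.  With signed_chars != 0 the byte is read as a signed char,
 * which is what a plain `char *` gives on most x86 compilers: bytes
 * >= 0x80 become negative ints, so OR-ing them into tmp sets every
 * higher bit and wipes out the bytes packed before them.
 */
uint32_t pack_key_word(const char *key, size_t start, int signed_chars)
{
    size_t cycle = strlen(key) + 1;          /* key bytes plus the NUL */
    uint32_t tmp = 0;
    for (size_t i = 0; i < 4; i++) {
        char c = key[(start + i) % cycle];
        tmp <<= 8;
        if (signed_chars)
            tmp |= (uint32_t)(signed char)c; /* buggy: sign-extended   */
        else
            tmp |= (unsigned char)c;         /* correct: zero-extended */
    }
    return tmp;
}

/*
 * Copy `in` to `out`, replacing every byte outside 7-bit ASCII with '?'.
 * Per-byte replacement is an assumption about the behaviour Frank
 * describes.  Returns the number of bytes replaced.
 */
size_t squash_non_ascii(const char *in, char *out, size_t outsz)
{
    size_t replaced = 0, i;
    for (i = 0; i + 1 < outsz && in[i] != '\0'; i++) {
        if ((unsigned char)in[i] >= 0x80) {
            out[i] = '?';
            replaced++;
        } else {
            out[i] = in[i];
        }
    }
    out[i] = '\0';
    return replaced;
}

/* 1 if two different passwords become the same hash input after squashing. */
int squash_collides(const char *a, const char *b)
{
    char sa[256], sb[256];
    squash_non_ascii(a, sa, sizeof sa);
    squash_non_ascii(b, sb, sizeof sb);
    return strcmp(sa, sb) == 0;
}

int main(void)
{
    const char *umlaut = "p\xC3\xA4ss";      /* constructed: "p\xE4ss" as UTF-8 */

    /* The signed variant loses the leading 'p' (0x70) entirely. */
    printf("key word 0, unsigned char: %08x\n",
           (unsigned)pack_key_word(umlaut, 0, 0));
    printf("key word 0, signed char:   %08x\n",
           (unsigned)pack_key_word(umlaut, 0, 1));

    /* Both passwords hash the same once non-ASCII bytes become '?'. */
    printf("UTF-8 password vs \"p??ss\" collide after squashing: %d\n",
           squash_collides(umlaut, "p??ss"));
    return 0;
}
```

Running it shows word 0 as 70c3a473 with unsigned chars but ffffa473 with signed chars, so a hash produced by the signed variant cannot match one produced by a correct implementation for any password containing such a byte, while pure-ASCII passwords pack identically in both (which is why the bug stayed unnoticed in ASCII-only test suites). The squashing check returns 1 for the two constructed passwords.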
