Message-ID: <20160327152216.GA31328@openwall.com>
Date: Sun, 27 Mar 2016 18:22:16 +0300
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Cc: Timo Teras <timo.teras@....fi>
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings

On Sun, Mar 27, 2016 at 05:54:04AM +0300, Solar Designer wrote:
> I found that PHP's hack was introduced in commit:
> 
> commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
> Author: Pierre Joye <pajoye@....net>
> Date:   Mon Jul 18 21:26:29 2011 +0000
> 
>     - update blowfish to 1.2 (Solar Designer)
> 
> $ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
> +       if (tmp == '$') break; /* PHP hack */ \
> +       while (dptr < end) /* PHP hack */

Correction: this commit merely documented the hack with those comments,
but the hack itself was in there before.

I just brought the issue up on the PHP internals list:

http://news.php.net/php.internals/91969

A sub-issue is that the padding appears to vary between PHP versions or
builds: some pad with zero bits, and some (5.4.x only?) with '$' signs.

Alexander
