From mboxrd@z Thu Jan 1 00:00:00 1970
From: Solar Designer
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH] crypt_blowfish: allow short salt strings
Date: Sun, 27 Mar 2016 18:22:16 +0300
Message-ID: <20160327152216.GA31328@openwall.com>
References: <1458907955-8698-1-git-send-email-timo.teras@iki.fi> <20160327021121.GA28942@openwall.com> <20160327025404.GA29124@openwall.com>
In-Reply-To: <20160327025404.GA29124@openwall.com>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Timo Teras
User-Agent: Mutt/1.4.2.3i

On Sun, Mar 27, 2016 at 05:54:04AM +0300, Solar Designer wrote:
> I found that PHP's hack was introduced in commit:
>
> commit 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9
> Author: Pierre Joye
> Date: Mon Jul 18 21:26:29 2011 +0000
>
> - update blowfish to 1.2 (Solar Designer)
>
> $ git show 03315d9625dc87515f1dfbf1cc7d53c4451b5ec9 | fgrep -i hack
> + if (tmp == '$') break; /* PHP hack */ \
> + while (dptr < end) /* PHP hack */

Correction: this commit merely documented the hack with those comments,
but the hack itself was in there before.

I just brought the issue up on the PHP internals list:

http://news.php.net/php.internals/91969

A sub-issue is that the padding appears to vary between PHP versions or
builds: some pad with zero bits, and some (5.4.x only?) with '$' signs.

Alexander
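
An added example, not part of the original message and not code from crypt_blowfish, musl or PHP: a small C checker that classifies the salt field of a bcrypt setting string, flagging the short, '$'-terminated and '$'-padded forms discussed in this thread so they can be found before hashes are moved between implementations. The function and enum names are hypothetical, the 22-character salt length and the alphabet are standard bcrypt, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* bcrypt's own base64 alphabet; '$' is not part of it. */
static const char BF_ITOA64[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

enum salt_status {          /* hypothetical names, for this example only */
    SALT_OK,                /* full 22-character salt */
    SALT_SHORT_DOLLAR,      /* '$' inside the salt field: cut short or '$'-padded */
    SALT_SHORT_END,         /* string ends before 22 salt characters */
    SALT_BAD_CHAR,          /* character outside the bcrypt alphabet */
    SALT_BAD_PREFIX         /* not "$2" + variant letter + "$NN$" */
};

/* Classify the salt field of a bcrypt setting string or stored hash.
 * *valid receives the number of valid salt characters seen before stopping. */
enum salt_status bcrypt_salt_check(const char *s, size_t *valid)
{
    size_t i;

    *valid = 0;
    if (strlen(s) < 7 || s[0] != '$' || s[1] != '2' ||
        !strchr("abxy", s[2]) || s[3] != '$' ||
        s[4] < '0' || s[4] > '9' || s[5] < '0' || s[5] > '9' || s[6] != '$')
        return SALT_BAD_PREFIX;
    for (i = 0; i < 22; i++) {
        char c = s[7 + i];
        if (c == '\0') return SALT_SHORT_END;
        if (c == '$') return SALT_SHORT_DOLLAR;
        if (!strchr(BF_ITOA64, c)) return SALT_BAD_CHAR;
        *valid = i + 1;
    }
    return SALT_OK;
}

int main(void)
{
    /* Constructed sample settings, not taken from any real system. */
    const char *samples[] = {
        "$2y$10$abcdefghijklmnopqrstuv",   /* full 22-character salt */
        "$2y$10$abcdefgh$",                /* short, '$'-terminated */
        "$2y$10$abcdefgh$$$$$$$$$$$$$$",   /* short, '$'-padded to 22 */
        "$2y$10$abcdefgh",                 /* short, string just ends */
    };
    size_t i, n;
    for (i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s status=%d valid=%zu\n", samples[i],
               (int)bcrypt_salt_check(samples[i], &n), n);
    return 0;
}
```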