php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #8839 Blowfish encryption not "correct"
Submitted: 2001-01-22 10:08 UTC Modified: 2001-04-09 19:59 UTC
From: colin at easydns dot com Assigned: derick (profile)
Status: Closed Package: mcrypt related
PHP Version: 4.0 Latest CVS (22/01/2001) OS: RH 7.0
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: colin at easydns dot com
New email:
PHP Version: OS:

 

 [2001-01-22 10:08 UTC] colin at easydns dot com
The way PHP encrypts using Blowfish doesn't seem to be compatible with the published "standard" test cases.

I've mentioned this to the author of libmcrypt, and he fixed part of the problem (see the CVS verions of libmcrypt, or whatever comes after 2.4.8).  This adds a "blowfish-compat" mode which solves some endianness issues.

However, PHP still isn't compatible with Perl's Crypt::Blowfish, nor (I imagine) with any other software that uses Blowfish encryption.  Also, the 2.2.x and 2.4.x functions in PHP, when passed the same parameters, don't generate the same encrypted strings.

Here are links to three files: the test vectors from http://www.counterpane.com/vectors.txt, test scripts using 2.2.x functions and one using 2.4.x functions, with and without long key handling.

    http://devel.easydns.com/~cmv/

All scripts generate some different results than the test vectors.  The closest to getting them all right, is the 2.4.x script that emulates Perl keys.  However, it still gives the "wrong" answer for one test case.

- Colin

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-01-22 10:11 UTC] derick@php.net
I'll take care of it as discussed with Colin and Sascha
 [2001-01-23 12:12 UTC] cmv@php.net
Just got notice that libmcrypt 2.4.9-beta has been released, and in this version they have swapped the meaning of "blowfish" and "blowfish-compat" mode.

So, if you try the test scripts I posted on your own server running 2.4.9-beta, then change "blowfish-compat" back to "blowfish".

- Colin
 [2001-04-09 19:59 UTC] derick@php.net
Fixed in CVS
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 09:01:29 2024 UTC