On Mon, Apr 25, 2011 at 03:48:32PM -0400, Paul DeBruicker wrote: > on line 409 of blowfish.c [1] the OpenBSD version may > differ from the recommendation of the reference version posted at > Bruce Schneier's website [2]. [...] > I am no expert and do not know whether or not the bug mentioned in > [3] has or is corrected some place else in blowfish.c or OpenBSD.
The problem described in [3] is due to key being stored as char, which may be signed. The code in [1] uses u_int8_t which is unsigned and therefore not sign extended. So [1] does not have this problem. /usr/src/sys/crypto/blf.c is also OK. Andreas > [1] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/blowfish.c > > [2] http://www.schneier.com/blowfish.html > http://www.schneier.com/blowfish-download.html > > [3] http://www.schneier.com/blowfish-bug.txt