Hi -
I used the OpenBSD implementation of Blowfish and Bcrypt as a reference
for a Smalltalk port I made. While making the port I noticed that on
line 409 of blowfish.c [1] the OpenBSD version may differ from the
recommendation of the reference version posted at Bruce Schneier's
website [2]. The "fix", as described in [3], is to change line 409
of blowfish.c from:
    temp = (temp << 8) | data[j];
to
    temp = (temp << 8);
    temp |= (unsigned long) data[j] & 0xff;
I am no expert and do not know whether or not the bug mentioned in [3]
has been or is corrected someplace else in blowfish.c or OpenBSD. I just
spent a lot of time over the weekend looking at blowfish code and
thought it might be worth mentioning.
Thanks
Paul
[1] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/blowfish.c
[2] http://www.schneier.com/blowfish.html
    http://www.schneier.com/blowfish-download.html
[3] http://www.schneier.com/blowfish-bug.txt
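
The two forms of the line quoted above differ only when `data[j]` can be negative, that is, when the key buffer is a signed `char` type. The following is an added example, not part of the original message and not code from OpenBSD or from the reference implementation; the function names, the sample bytes and the buffer types are assumptions chosen to show both cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample key bytes; 0x80 has its top bit set. */
static const uint8_t SAMPLE[4] = { 0x01, 0x80, 0x02, 0x03 };

/* The line as quoted, assuming data[] is a signed char buffer. */
uint32_t pack_signed_unmasked(const signed char *data, size_t n)
{
    uint32_t temp = 0;
    for (size_t i = 0, j = 0; i < 4; i++, j++) {
        if (j >= n) j = 0;             /* cycle through the key */
        temp = (temp << 8) | data[j];  /* 0x80 arrives as 0xffffff80 */
    }
    return temp;
}

/* Same signed buffer, with the mask described in [3]. */
uint32_t pack_signed_masked(const signed char *data, size_t n)
{
    uint32_t temp = 0;
    for (size_t i = 0, j = 0; i < 4; i++, j++) {
        if (j >= n) j = 0;
        temp = (temp << 8);
        temp |= (unsigned long) data[j] & 0xff;
    }
    return temp;
}

/* The unmasked line again, assuming data[] is an unsigned 8-bit buffer. */
uint32_t pack_unsigned_unmasked(const uint8_t *data, size_t n)
{
    uint32_t temp = 0;
    for (size_t i = 0, j = 0; i < 4; i++, j++) {
        if (j >= n) j = 0;
        temp = (temp << 8) | data[j];  /* promotes to a non-negative int */
    }
    return temp;
}

int main(void)
{
    signed char s[4];
    memcpy(s, SAMPLE, sizeof s);       /* same bytes, viewed as signed */
    printf("signed, unmasked:   0x%08x\n", (unsigned) pack_signed_unmasked(s, 4));
    printf("signed, masked:     0x%08x\n", (unsigned) pack_signed_masked(s, 4));
    printf("unsigned, unmasked: 0x%08x\n", (unsigned) pack_unsigned_unmasked(SAMPLE, 4));
    return 0;
}
```

With the signed buffer and no mask, the sign-extended 0x80 overwrites the 0x01 byte packed before it, so part of the key no longer contributes to the word; with an unsigned buffer the unmasked line already gives the same result as the masked one.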