Or, why not, another:
"If the hash size is less than the key size, multiple instances of
the hash context are created -- enough to produce the required key
data. These instances are preloaded with 0, 1, 2, ... octets of
zeros (that is to say, the first instance has no preloading, the
second gets preloaded with 1 octet of zero, the third is preloaded
with two octets of zeros, and so forth).
As the data is hashed, it is given independently to each hash
context. Since the contexts have been initialized differently, they
will each produce different hash output. Once the passphrase is
hashed, the output data from the multiple hashes is concatenated,
first hash leftmost, to produce the key data, with any excess octets
on the right discarded."
(
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-14.txt)
Here's a discussion on the insecurity of multiple hash concatenation:
http://man.phpschool.com/manual/kr/function.md5.php. You can look at the regular php manual, but at least one of the responses has been deleted there.