Hi Yann,
Author: ylavic
Date: Tue Dec 13 08:39:51 2016
New Revision: 1773931
URL: http://svn.apache.org/viewvc?rev=1773931&view=rev
Log:
Merge r1773929 from trunk, follow up to r1772979.
apr_crypto: blowfish: follow up to r1772803: also cap hash verification time.
Modified:
apr/apr-util/branches/1.6.x/ (props changed)
apr/apr-util/branches/1.6.x/crypto/ (props changed)
apr/apr-util/branches/1.6.x/crypto/crypt_blowfish.c
...
Modified: apr/apr-util/branches/1.6.x/crypto/crypt_blowfish.c
URL:
http://svn.apache.org/viewvc/apr/apr-util/branches/1.6.x/crypto/crypt_blowfish.c?rev=1773931&r1=1773930&r2=1773931&view=diff
==============================================================================
--- apr/apr-util/branches/1.6.x/crypto/crypt_blowfish.c (original)
+++ apr/apr-util/branches/1.6.x/crypto/crypt_blowfish.c Tue Dec 13 08:39:51 2016
@@ -684,7 +684,8 @@ static char *BF_crypt(const char *key, c
}
count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
- if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
+ if (count < min || count > 17 ||
+ BF_decode(data.binary.salt, &setting[7], 16)) {
__set_errno(EINVAL);
return NULL;
}
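Review bot: The added `count > 17` condition is evaluated after `count` has already been set to `(BF_word)1 << cost` on the line above, so it bounds the iteration count rather than the two-digit cost read from `setting[4]` and `setting[5]`. Any cost of 5 or more yields a count of at least 32 and is rejected with EINVAL, which is consistent with the "bcrypt encode password" failure reported in this message. If the intent is to cap the cost at 17, compare the decoded cost before shifting, or express the bound in the same units, e.g. `count > ((BF_word)1 << 17)`. A short comment stating which unit the cap applies to would also help.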
This makes testpass fail.
testpass : -Line 36: bcrypt encode password (720022): The
device does not recognize the command.
Reverting makes it work again. I assume r1773929 in trunk also.
Regards,
Gregg