According to http://www.openwall.com/lists/oss-security/2011/11/15/3,
it would be preferable to return something other than the fixed string
":" when an error is encountered.

According to crypt(3), crypt() should return NULL on error.

Index: src/lib/libc/crypt/bcrypt.c
===================================================================
RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
retrieving revision 1.24
diff -u -p -r1.24 bcrypt.c
--- src/lib/libc/crypt/bcrypt.c 2 Apr 2008 19:54:05 -0000       1.24
+++ src/lib/libc/crypt/bcrypt.c 26 Feb 2012 05:19:27 -0000
@@ -70,7 +70,6 @@ static void decode_base64(u_int8_t *, u_
 
 static char    encrypted[_PASSWORD_LEN];
 static char    gsalt[7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1];
-static char    error[] = ":";
 
 const static u_int8_t Base64Code[] =
 "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
@@ -185,8 +184,9 @@ bcrypt(const char *key, const char *salt
        salt++;
 
        if (*salt > BCRYPT_VERSION) {
-               /* How do I handle errors ? Return ':' */
-               return error;
+               /* How do I handle errors ? Return NULL according to
+                  crypt(3) */
+               return NULL;
        }
 
        /* Check for minor versions */
@@ -198,7 +198,7 @@ bcrypt(const char *key, const char *salt
                         salt++;
                         break;
                 default:
-                        return error;
+                        return NULL;
                 }
        } else
                 minor = 0;
@@ -208,21 +208,21 @@ bcrypt(const char *key, const char *salt
 
        if (salt[2] != '$')
                /* Out of sync with passwd entry */
-               return error;
+               return NULL;
 
        /* Computer power doesn't increase linear, 2^x should be fine */
        n = atoi(salt);
        if (n > 31 || n < 0)
-               return error;
+               return NULL;
        logr = (u_int8_t)n;
        if ((rounds = (u_int32_t) 1 << logr) < BCRYPT_MINROUNDS)
-               return error;
+               return NULL;
 
        /* Discard num rounds + "$" identifier */
        salt += 3;
 
        if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
-               return error;
+               return NULL;
 
        /* We dont want the base64 salt but the raw data */
        decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt);
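Review bot: The cost parse at `n = atoi(salt);` accepts more than two decimal digits: atoi skips leading whitespace and accepts a sign, so with the `salt[2] != '$'` check a cost field such as `" 4"` or `"+4"` is accepted as 2^4 rounds, and atoi gives no way to detect a non-numeric field. Since this hunk already tightens the error paths, it is a good place to switch to strtol with an end-pointer check, e.g. `n = strtol(salt, &end, 10);` followed by `if (end != salt + 2 || n < 0 || n > 31) return NULL;`, with `char *end;` declared alongside `n` outside this hunk. The existing `rounds < BCRYPT_MINROUNDS` check after the shift stays as is. bcrypt() continues past the end of this hunk.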
