Ted Unangst wrote:
> Jeremy Evans wrote:
> > As an aside, crypt("passwd", "$2") returns ":" instead of NULL.  I'm not
> > sure if that's a security issue, but I think it is and we should fix it.
> > I'll see if I can get a patch for that and send it to tech@.
> 
> This is a weird edge case where Niels decided to make bcrypt() work
> differently than crypt(). I don't really know why. I think null is the safer
> return, and we should probably switch. we don't have code that looks for ":"
> (and certainly no third party code ever does), but there is code that checks
> for null.
> 

Like this.


Index: bcrypt.c
===================================================================
RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
retrieving revision 1.52
diff -u -p -r1.52 bcrypt.c
--- bcrypt.c    28 Jan 2015 23:33:52 -0000      1.52
+++ bcrypt.c    18 Jul 2015 00:29:34 -0000
@@ -385,12 +385,9 @@ char *
 bcrypt(const char *pass, const char *salt)
 {
        static char    gencrypted[BCRYPT_HASHSPACE];
-       static char    gerror[2];
 
-       /* How do I handle errors ? Return ':' */
-       strlcpy(gerror, ":", sizeof(gerror));
        if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
-               return gerror;
+               return NULL;
 
        return gencrypted;
 }
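Review bot: changing the failure return from ":" to NULL changes the bcrypt() contract, but this hunk alone updates neither the bcrypt(3) manual page nor any caller; before committing, confirm that every in-tree caller of bcrypt() (crypt(3) and anything else in base that feeds the result straight into strcmp()) checks for NULL, because with the old ":" return an unchecked comparison against a stored hash could never match (':' is the passwd(5) field separator, so it never appears in a hash), whereas after this change the same code dereferences NULL. The RETURN VALUES section of the manual page should say NULL is returned on failure, and a one-line comment in place of the removed "How do I handle errors ? Return ':'" would keep the intent visible to the next reader.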

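The failure-return convention the thread argues about, as an added example that is not code from the thread or from OpenBSD's libc: a caller that treats both the legacy ":" sentinel and the new NULL as hashing failures, next to the unchecked strcmp() pattern that only stays safe under the ":" convention. The hash function is a hypothetical stand-in (fake_hashpass) that reproduces only bcrypt()'s error handling and salt-prefix parsing, not the real algorithm; the stored "hash" and the passwords are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for bcrypt_hashpass(): copies the "$2x$NN$" salt
 * prefix and appends the password.  NOT a real hash; constructed so the
 * example runs without libc's bcrypt while keeping the same contract
 * (0 on success, -1 on a bad salt). */
static int
fake_hashpass(const char *pass, const char *salt, char *out, size_t outlen)
{
	size_t n = 0, dollars = 0;

	if (strncmp(salt, "$2", 2) != 0)	/* only the "$2" family */
		return -1;
	/* The salt must carry three '$'-delimited fields, e.g. "$2b$10$". */
	while (salt[n] != '\0' && dollars < 3) {
		if (salt[n] == '$')
			dollars++;
		n++;
	}
	if (dollars < 3 || n + strlen(pass) + 1 > outlen)
		return -1;
	memcpy(out, salt, n);
	strcpy(out + n, pass);
	return 0;
}

static char gencrypted[128];
static char gerror[] = ":";

/* Old convention (bcrypt.c before the patch): failure yields ":". */
static char *
hash_returning_colon(const char *pass, const char *salt)
{
	if (fake_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
		return gerror;
	return gencrypted;
}

/* New convention (the patched bcrypt()): failure yields NULL. */
static char *
hash_returning_null(const char *pass, const char *salt)
{
	if (fake_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
		return NULL;
	return gencrypted;
}

typedef char *(*hash_fn)(const char *, const char *);

/* Constant-time string equality: 1 if equal, 0 otherwise.  Only the
 * lengths leak through timing, never the first differing position. */
static int
streq_ct(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b), i;
	unsigned char diff = (la != lb);

	for (i = 0; i < la; i++)
		diff |= (unsigned char)(a[i] ^ b[i < lb ? i : 0]);
	return diff == 0;
}

/* 1 on match, 0 on mismatch, -1 if hashing failed.  Both NULL and ":"
 * count as "could not hash" and never reach the comparison. */
static int
check_password(hash_fn h, const char *pass, const char *stored)
{
	const char *got = h(pass, stored);

	if (got == NULL || strcmp(got, ":") == 0)
		return -1;
	return streq_ct(got, stored) ? 1 : 0;
}

/* The unchecked pattern the thread worries about.  With ":" it fails
 * closed by accident (':' is the passwd(5) field separator, so no stored
 * hash equals ":"); with NULL it dereferences NULL, so call it only with
 * hash_returning_colon here. */
static int
naive_check(hash_fn h, const char *pass, const char *stored)
{
	return strcmp(h(pass, stored), stored) == 0;
}

int
main(void)
{
	const char *stored = "$2b$10$secret";	/* constructed "hash" */

	printf("good password, NULL convention: %d\n",
	    check_password(hash_returning_null, "secret", stored));
	printf("bad password, NULL convention:  %d\n",
	    check_password(hash_returning_null, "guess", stored));
	printf("bad salt \"$2\", NULL convention: %d\n",
	    check_password(hash_returning_null, "secret", "$2"));
	printf("bad salt \"$2\", \":\" convention:  %d\n",
	    check_password(hash_returning_colon, "secret", "$2"));
	printf("bad salt \"$2\", unchecked strcmp:  %d\n",
	    naive_check(hash_returning_colon, "secret", "$2"));
	return 0;
}
```

The point of check_password() is that a hashing failure is reported as a distinct value rather than folded into "mismatch", and that it is never handed to the comparison at all; a caller written that way is correct under either convention, whereas naive_check() relies on the ":" sentinel never matching and breaks the moment the library returns NULL.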