Ted Unangst wrote:
> Jeremy Evans wrote:
> > As an aside, crypt("passwd", "$2") returns ":" instead of NULL. I'm not
> > sure if that's a security issue, but I think it is and we should fix it.
> > I'll see if I can get a patch for that and send it to tech@.
>
> This is a weird edge case where Niels decided to make bcrypt() work
> differently than crypt(). I don't really know why. I think NULL is the safer
> return, and we should probably switch. We don't have code that looks for ":"
> (and certainly no third party code ever does), but there is code that checks
> for NULL.
>
like this. Index: bcrypt.c =================================================================== RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v retrieving revision 1.52 diff -u -p -r1.52 bcrypt.c --- bcrypt.c 28 Jan 2015 23:33:52 -0000 1.52 +++ bcrypt.c 18 Jul 2015 00:29:34 -0000 @@ -385,12 +385,9 @@ char * bcrypt(const char *pass, const char *salt) { static char gencrypted[BCRYPT_HASHSPACE]; - static char gerror[2]; - /* How do I handle errors ? Return ':' */ - strlcpy(gerror, ":", sizeof(gerror)); if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0) - return gerror; + return NULL; return gencrypted; }
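Review bot: the new NULL return at the end of bcrypt() is not documented anywhere in this diff; the manual page that covers bcrypt() and the crypt(3) "$2" path should state that NULL is returned when bcrypt_hashpass() fails, and every in-tree caller that hands the result straight to strcmp() or timingsafe_bcmp() needs to be checked before this goes in, because a caller that previously received the harmless non-matching string ":" now receives a NULL pointer and will crash instead of failing the comparison. Dropping the static gerror buffer together with the "How do I handle errors ? Return ':'" comment is the right cleanup, but note that gencrypted remains a static buffer, so bcrypt() is still not reentrant and that caveat belongs in the same documentation update.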