> Ted Unangst wrote: > > Jeremy Evans wrote: > > > As an aside, crypt("passwd", "$2") returns ":" instead of NULL. I'm not > > > sure if that's a security issue, but I think it is and we should fix it. > > > I'll see if I can get a patch for that and send it to tech@. > > > > This is a weird edge case where niels decided to make bcrypt() work > > differently than crypt(). i don't really know why. I think null is the safer > > return, and we should probably switch. we don't have code that looks for ":" > > (and certainly no third party code ever does), but there is code that checks > > for null. > > > > like this. > > > Index: bcrypt.c > =================================================================== > RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v > retrieving revision 1.52 > diff -u -p -r1.52 bcrypt.c > --- bcrypt.c 28 Jan 2015 23:33:52 -0000 1.52 > +++ bcrypt.c 18 Jul 2015 00:29:34 -0000 > @@ -385,12 +385,9 @@ char * > bcrypt(const char *pass, const char *salt) > { > static char gencrypted[BCRYPT_HASHSPACE]; > - static char gerror[2]; > > - /* How do I handle errors ? Return ':' */ > - strlcpy(gerror, ":", sizeof(gerror)); > if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0) > - return gerror; > + return NULL; > > return gencrypted; > }
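Review bot: the new `return NULL;` on the bcrypt_hashpass() failure path in bcrypt() removes the only comment describing the error return ("How do I handle errors ? Return ':'") and puts nothing in its place, so the new contract is undocumented. Suggest a one-line comment at the failure branch stating that NULL is returned on error, with the manual page updated to match. Since callers previously always received a non-NULL pointer, any caller that passes the result straight to strcmp() or a similar function without a NULL test should be checked as part of this change.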
This feels so much safer....
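As an added illustration (not code from this thread or from OpenBSD), the C sketch below shows the two error conventions discussed above from the caller's side: a check written for NULL reports the ":" return as an ordinary mismatch, while the NULL return surfaces as an error. `demo_hash`, `check_null_only` and `check_defensive` are hypothetical names, and `demo_hash` is a toy stand-in, not bcrypt.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a crypt()-style hasher (a toy, NOT bcrypt).
 * It accepts only salts starting "$2b$". On a bad salt it returns ":" when
 * legacy is nonzero (pre-patch convention) and NULL otherwise (patched). */
static const char *demo_hash(const char *pass, const char *salt, int legacy)
{
	static char out[64];
	size_t i;

	if (strncmp(salt, "$2b$", 4) != 0)
		return legacy ? ":" : NULL;
	memcpy(out, "$2b$", 4);	/* constructed toy transform, runs offline */
	for (i = 0; pass[i] != '\0' && i < sizeof(out) - 5; i++)
		out[4 + i] = (char)('a' + (unsigned char)pass[i] % 26);
	out[4 + i] = '\0';
	return out;
}

enum verdict { V_MATCH, V_MISMATCH, V_ERROR };

/* Caller written against the NULL convention the thread mentions. */
enum verdict check_null_only(const char *pass, const char *stored, int legacy)
{
	const char *h = demo_hash(pass, stored, legacy);

	if (h == NULL)
		return V_ERROR;
	return strcmp(h, stored) == 0 ? V_MATCH : V_MISMATCH;
}

/* Caller that tolerates both conventions: NULL or a result that does not
 * start with '$' is an error; the comparison does not stop at the first
 * differing byte. */
enum verdict check_defensive(const char *pass, const char *stored, int legacy)
{
	const char *h = demo_hash(pass, stored, legacy);
	size_t i, n = strlen(stored);
	unsigned char diff = 0;

	if (h == NULL || h[0] != '$')
		return V_ERROR;
	if (strlen(h) != n)
		return V_MISMATCH;
	for (i = 0; i < n; i++)
		diff |= (unsigned char)(h[i] ^ stored[i]);
	return diff == 0 ? V_MATCH : V_MISMATCH;
}
```

With the malformed salt "$2" from the thread, `check_null_only` returns `V_MISMATCH` under the ":" convention and `V_ERROR` under the NULL convention; `check_defensive` returns `V_ERROR` for both.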