> Ted Unangst wrote:
> > Jeremy Evans wrote:
> > > As an aside, crypt("passwd", "$2") returns ":" instead of NULL.  I'm not
> > > sure if that's a security issue, but I think it is and we should fix it.
> > > I'll see if I can get a patch for that and send it to tech@.
> > 
> > This is a weird edge case where niels decided to make bcrypt() work
> > differently than crypt(). i don't really know why. I think null is the safer
> > return, and we should probably switch. we don't have code that looks for ":"
> > (and certainly no third party code ever does), but there is code that checks
> > for null.
> > 
> 
> like this.
> 
> 
> Index: bcrypt.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
> retrieving revision 1.52
> diff -u -p -r1.52 bcrypt.c
> --- bcrypt.c  28 Jan 2015 23:33:52 -0000      1.52
> +++ bcrypt.c  18 Jul 2015 00:29:34 -0000
> @@ -385,12 +385,9 @@ char *
>  bcrypt(const char *pass, const char *salt)
>  {
>       static char    gencrypted[BCRYPT_HASHSPACE];
> -     static char    gerror[2];
>  
> -     /* How do I handle errors ? Return ':' */
> -     strlcpy(gerror, ":", sizeof(gerror));
>       if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
> -             return gerror;
> +             return NULL;
>  
>       return gencrypted;
>  }
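Review bot: with the ':' sentinel removed, the failure path of bcrypt() now returns NULL, so every caller that passes the result straight to strcmp() or strlcpy() must check for NULL first; the thread states that in-tree code already checks for NULL and nothing checks for ":", but the bcrypt(3)/crypt(3) manual page should be updated to document the NULL return, since the old behaviour is no longer discoverable from the code. The static `gencrypted` buffer is kept, so the function remains non-reentrant; that is unchanged by this patch and worth noting in the same documentation update.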

This feels so much safer....
