Hi tech@
While reading htpasswd and htpasswd handling in httpd I noticed that both use
different APIs to handle encrypting/decrypting the passwords.
- htpasswd uses the bcrypt API
- httpd uses the new crypt API
The documentation for bcrypt states:
These functions are deprecated in favor of crypt_checkpass(3) and
crypt_newhash(3).
I'm attaching a diff moving htpasswd to the new API. Tested with httpd from
6.1 with a htpasswd generated with the diff applied on current.
Feedback? OK's?
Regards,
Adam
? htpasswd
Index: htpasswd.c
===================================================================
RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
retrieving revision 1.15
diff -u -p -r1.15 htpasswd.c
--- htpasswd.c 5 Nov 2015 20:07:15 -0000 1.15
+++ htpasswd.c 6 Jun 2017 17:26:31 -0000
@@ -47,7 +47,7 @@ int nagcount;
int
main(int argc, char** argv)
{
- char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
+ char tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
char hash[_PASSWORD_LEN], pass[1024], pass2[1024];
char *line = NULL, *login = NULL, *tok;
int c, fd, loginlen, batch = 0;
@@ -133,10 +133,8 @@ main(int argc, char** argv)
explicit_bzero(pass2, sizeof(pass2));
}
- if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
- errx(1, "salt too long");
- if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
- errx(1, "hash too long");
+ if (crypt_newhash(pass, "bcrypt,8", hash, sizeof(hash)) != 0)
+ err(1, "can't generate hash");
explicit_bzero(pass, sizeof(pass));
if (file == NULL)
