On Tue, Jun 06, 2017 at 07:43:02PM +0200, Adam Wolk wrote:
> Hi tech@
> 
> While reading htpasswd and htpasswd handling in httpd I noticed that both use
> different APIs to handle encrypting/decrypting the passwords.
> 
> - htpasswd uses the bcrypt API
> - httpd uses the new crypt API
> 
> The documentation for bcrypt states:
>      These functions are deprecated in favor of crypt_checkpass(3) and
>      crypt_newhash(3).
> 
> I'm attaching a diff moving htpasswd to the new API. Tested with httpd from
> 6.1 with a htpasswd generated with the diff applied on current.
> 
> Feedback? OK's?
> 
> Regards,
> Adam

> ? htpasswd
> Index: htpasswd.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 htpasswd.c
> --- htpasswd.c        5 Nov 2015 20:07:15 -0000       1.15
> +++ htpasswd.c        6 Jun 2017 17:26:31 -0000
> @@ -47,7 +47,7 @@ int nagcount;
>  int
>  main(int argc, char** argv)
>  {
> -     char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
> +     char tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
>       char hash[_PASSWORD_LEN], pass[1024], pass2[1024];
>       char *line = NULL, *login = NULL, *tok;
>       int c, fd, loginlen, batch = 0;
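Review bot: dropping `salt` here is consistent with the second hunk, since crypt_newhash(3) generates the salt internally and the caller never sees it; `hash[_PASSWORD_LEN]` stays and is large enough for a bcrypt string, so no buffer-size change is needed. Nothing else in this hunk still references `bcrypt_gensalt()` or `bcrypt()`.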
> @@ -133,10 +133,8 @@ main(int argc, char** argv)
>               explicit_bzero(pass2, sizeof(pass2));
>       }
>  
> -     if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
> -             errx(1, "salt too long");
> -     if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
> -             errx(1, "hash too long");
> +     if (crypt_newhash(pass, "bcrypt,8", hash, sizeof(hash)) != 0)
> +             err(1, "can't generate hash");
>       explicit_bzero(pass, sizeof(pass));
>  
>       if (file == NULL)
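Review bot: the preference string `"bcrypt,8"` only mirrors the old fixed `bcrypt_gensalt(8)` cost; crypt_newhash(3) also accepts `"bcrypt,a"`, which selects the cost automatically from the system's speed, so consider using that rather than hard-coding 8 into the tool. The change from `errx` to `err(1, "can't generate hash")` matches crypt_newhash(3)'s documented behaviour of returning -1 with errno set, so the errno text in the message is meaningful. Zeroing `pass` immediately after the call, as the unchanged `explicit_bzero(pass, sizeof(pass))` line does, keeps the plaintext lifetime as short as before.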

It should be possible to use the automatic rounds, i.e. "bcrypt,a" instead
of just hardcoding 8.
