On Tue, Jun 06, 2017 at 07:43:02PM +0200, Adam Wolk wrote:
> Hi tech@
>
> While reading htpasswd and htpasswd handling in httpd I noticed that both use
> different APIs to handle encrypting/decrypting the passwords.
>
> - htpasswd uses the bcrypt API
> - httpd uses the new crypt API
>
> The documentation for bcrypt states:
> These functions are deprecated in favor of crypt_checkpass(3) and
> crypt_newhash(3).
>
> I'm attaching a diff moving htpasswd to the new API. Tested with httpd from
> 6.1 with an htpasswd generated with the diff applied on current.
>
> Feedback? OK's?
>
> Regards,
> Adam
> ? htpasswd > Index: htpasswd.c > =================================================================== > RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v > retrieving revision 1.15 > diff -u -p -r1.15 htpasswd.c > --- htpasswd.c 5 Nov 2015 20:07:15 -0000 1.15 > +++ htpasswd.c 6 Jun 2017 17:26:31 -0000 > @@ -47,7 +47,7 @@ int nagcount; > int > main(int argc, char** argv) > { > - char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")]; > + char tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")]; > char hash[_PASSWORD_LEN], pass[1024], pass2[1024]; > char *line = NULL, *login = NULL, *tok; > int c, fd, loginlen, batch = 0; > @@ -133,10 +133,8 @@ main(int argc, char** argv) > explicit_bzero(pass2, sizeof(pass2)); > > - if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt)) > - errx(1, "salt too long"); > - if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash)) > - errx(1, "hash too long"); > + if (crypt_newhash(pass, "bcrypt,8", hash, sizeof(hash)) != 0) > + err(1, "can't generate hash"); > explicit_bzero(pass, sizeof(pass)); > > if (file == NULL)

It should be possible to use the automatic rounds, i.e. "bcrypt,a" instead of just hardcoding 8.
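Review bot: In the second hunk the work factor moves from the explicit argument in bcrypt_gensalt(8) into the string literal "bcrypt,8", where it is easy to overlook the next time the cost needs raising; consider "bcrypt,a" so crypt_newhash selects the rounds itself, or at least a named constant for the preference string. The switch from errx to err on the failure path also changes the message to append strerror(errno), which is only informative if crypt_newhash sets errno on every failure; if that is not guaranteed, errx keeps the old, cleaner message.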
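What "bcrypt,8" and "bcrypt,a" mean to crypt_newhash(3) is decided by how it parses its pref argument. The following is an added example, not code from this thread or from OpenBSD libc: a stand-alone C re-implementation of that preference-string parsing, following the format documented for crypt_newhash ("bcrypt,rounds" with rounds between 4 and 31, or the letter a for automatic selection, with the older "blowfish" spelling from login.conf accepted alongside it). The names parse_bcrypt_pref, pref_rounds, struct bcrypt_pref and the BCRYPT_ROUNDS_AUTO sentinel are this example's own, and the machine-speed measurement that picks the automatic cost is not reproduced; the sentinel only records that it would be used. It builds with any C compiler and does not need OpenBSD.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example code (not libc): parse a crypt_newhash(3)-style preference
 * string so the difference between "bcrypt,8" and "bcrypt,a" is visible.
 * The names and the sentinel value below are this example's own.
 */

#define BCRYPT_MINLOGROUNDS 4   /* documented lower bound for the cost */
#define BCRYPT_MAXLOGROUNDS 31  /* documented upper bound for the cost */
#define BCRYPT_ROUNDS_AUTO  0   /* sentinel: let the library pick ("a") */

struct bcrypt_pref {
	int log_rounds;         /* 4..31, or BCRYPT_ROUNDS_AUTO */
};

/*
 * Accepts "bcrypt", "bcrypt,N", "bcrypt,a" and the same forms spelled
 * "blowfish".  Returns 0 on success, -1 with errno = EINVAL otherwise.
 */
int
parse_bcrypt_pref(const char *pref, struct bcrypt_pref *out)
{
	static const char *const names[] = { "bcrypt", "blowfish" };
	size_t i;

	if (pref == NULL || out == NULL) {
		errno = EINVAL;
		return -1;
	}
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		size_t len = strlen(names[i]);
		const char *arg;
		char *end;
		long v;

		if (strncmp(pref, names[i], len) != 0)
			continue;
		if (pref[len] == '\0') {        /* bare "bcrypt": automatic */
			out->log_rounds = BCRYPT_ROUNDS_AUTO;
			return 0;
		}
		if (pref[len] != ',')
			continue;
		arg = pref + len + 1;
		if (strcmp(arg, "a") == 0) {    /* "bcrypt,a": automatic */
			out->log_rounds = BCRYPT_ROUNDS_AUTO;
			return 0;
		}
		/* "bcrypt,N": a plain decimal number within the cost range */
		if (*arg < '0' || *arg > '9')
			break;
		errno = 0;
		v = strtol(arg, &end, 10);
		if (errno != 0 || *end != '\0' ||
		    v < BCRYPT_MINLOGROUNDS || v > BCRYPT_MAXLOGROUNDS)
			break;
		out->log_rounds = (int)v;
		return 0;
	}
	errno = EINVAL;
	return -1;
}

/* Convenience wrapper: the parsed log-rounds, or -1 if pref is rejected. */
int
pref_rounds(const char *pref)
{
	struct bcrypt_pref p;

	return parse_bcrypt_pref(pref, &p) == 0 ? p.log_rounds : -1;
}

int
main(void)
{
	/* constructed sample inputs covering valid, automatic and rejected forms */
	static const char *const samples[] = {
		"bcrypt,8", "bcrypt,a", "bcrypt", "blowfish,10",
		"bcrypt,3", "bcrypt,32", "bcrypt,8x", "md5",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = pref_rounds(samples[i]);

		if (r < 0)
			printf("%-12s rejected (%s)\n", samples[i], strerror(errno));
		else if (r == BCRYPT_ROUNDS_AUTO)
			printf("%-12s automatic rounds\n", samples[i]);
		else
			printf("%-12s 2^%d rounds\n", samples[i], r);
	}
	return 0;
}
```

Run as is, main prints one line per sample string. The point for the htpasswd diff is in the first two rows: "bcrypt,8" pins the cost at the same 2^8 key-setup iterations that bcrypt_gensalt(8) used, while "bcrypt,a" leaves the choice to the library, so a later change of the automatic default takes effect without touching htpasswd. Out-of-range or malformed values ("bcrypt,3", "bcrypt,8x") are rejected rather than silently clamped, which is why the err() call after crypt_newhash in the diff is still a meaningful failure path.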