On Tue, Jun 06, 2017 at 02:20:38PM -0400, Bryan Steele wrote: > > > > - if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt)) > > - errx(1, "salt too long"); > > - if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash)) > > - errx(1, "hash too long"); > > + if (crypt_newhash(pass, "bcrypt,8", hash, sizeof(hash)) != 0) > > + err(1, "can't generate hash"); > > explicit_bzero(pass, sizeof(pass)); > > > > if (file == NULL) > > It should be possible to use the automatic rouds, i.e: "bcrypt,a" instead > of just hardcoding 8. >
I wasn't sure about introducing that change, went the minimal changes from existing behavior. The only thing against using automatic rounds would be having them guessed on a weaker machine and used on a more powerful server - doubt though that would ever pick something below 8 rounds. Roughly, if the general consensus is to move to automatic rounds then I'm all for it. Side note, does anyone know why crypt_newhash defaults to blowfish? The docs don't mention it.