On Tue, Jun 06, 2017 at 12:28:59PM -0600, Theo de Raadt wrote:
> > The only thing against using automatic rounds would be having them guessed
> > on a weaker machine and used on a more powerful server - doubt though that
> > would ever pick something below 8 rounds.
> 
> I don't see the concern.  It has a lower bound.

Attaching the diff with rounds changed to auto, results with 9 rounds on my server.

? htpasswd
Index: htpasswd.c
===================================================================
RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
retrieving revision 1.15
diff -u -p -r1.15 htpasswd.c
--- htpasswd.c  5 Nov 2015 20:07:15 -0000       1.15
+++ htpasswd.c  6 Jun 2017 18:46:39 -0000
@@ -47,7 +47,7 @@ int nagcount;
 int
 main(int argc, char** argv)
 {
-       char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
+       char tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
        char hash[_PASSWORD_LEN], pass[1024], pass2[1024];
        char *line = NULL, *login = NULL, *tok;
        int c, fd, loginlen, batch = 0;
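Review bot: with `salt` dropped from the declaration, `hash[_PASSWORD_LEN]` is now the only buffer crypt_newhash(3) writes into, and its size is passed as `sizeof(hash)` in the second hunk, so the bounds are self-consistent; please confirm no other use of `salt` remains in the file beyond the two calls removed below, otherwise this hunk alone will not compile.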
@@ -133,10 +133,8 @@ main(int argc, char** argv)
                explicit_bzero(pass2, sizeof(pass2));
        }
 
-       if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
-               errx(1, "salt too long");
-       if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
-               errx(1, "hash too long");
+       if (crypt_newhash(pass, "bcrypt,a", hash, sizeof(hash)) != 0)
+               err(1, "can't generate hash");
        explicit_bzero(pass, sizeof(pass));
 
        if (file == NULL)
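Review bot: switching from `errx` to `err` is the right call here, since crypt_newhash(3) returns -1 with errno set and `err` will print the reason, whereas the old `bcrypt_gensalt`/`bcrypt` pair gave no errno to report. Two follow-ups: (1) the user-visible behaviour changes (the cost is no longer fixed at 8 but auto-selected on the machine running htpasswd, 9 on the submitter's server), so htpasswd(1) should mention that the bcrypt cost is chosen automatically; (2) on the `err(1, "can't generate hash")` path `pass` is not zeroed before exit, the same as with the old `errx` calls, so if that matters an `explicit_bzero(pass, sizeof(pass))` before `err` would close it.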
