On 15:31:50, 10.06.17, Ted Unangst wrote:
> > @@ -58,17 +58,29 @@ The provided
> > .Fa password
> > is randomly salted and hashed and stored in
> > .Fa hash .
> > +.Fa hash
> > +must already be allocated, and
> > +.Fa hashsize
> > +must contain its size, which cannot be less than 61 bytes.
>
> that's an implementation detail. if we're advising a limit, i think we
> should say 128 or so.
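Review bot: the added sentence fixes the minimum at "61 bytes", which is the current bcrypt output length (BCRYPT_HASHSPACE) rather than a property of the crypt_newhash() interface, so callers reading the man page may size buffers exactly to one algorithm's output; if the number is meant as a guarantee, phrase it as the bcrypt-specific minimum, and if it is meant as advice, state a size with headroom as the reply suggests (e.g. "a buffer of at least 128 bytes is recommended"). The hunk also does not say what happens when hashsize is too small; one sentence stating that the call fails in that case would complete the documented contract.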
How come? Tracing the code of crypt_newhash() we end up in bcrypt_hashpass(),
which has the following check:

	if (encryptedlen < BCRYPT_HASHSPACE)
		goto inval;

BCRYPT_HASHSPACE is defined thus:

libc/crypt/bcrypt.c:#define BCRYPT_HASHSPACE 61

-- 
Michal Mazurek
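The size check discussed in the thread, worked through in code as an added example (not code from the thread or from OpenBSD libc): it mirrors the "encryptedlen < BCRYPT_HASHSPACE" test, parses the shape of the bcrypt string that crypt_newhash() stores in the hash buffer so the reader can see where the 61 bytes come from (a 60-character "$2b$NN$" + 22 salt + 31 hash string plus its NUL), and shows a caller-side buffer sized with headroom. BCRYPT_HASHSPACE and its value 61 are taken from the thread; bcrypt_buffer_ok, bcrypt_parse, bcrypt_cost_of, HASH_BUF_RECOMMENDED and the sample hash string are assumptions made for this example, and the sample is a constructed string of the right shape, not a real hash of any password.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Value quoted from libc/crypt/bcrypt.c in the thread: 60 characters of
 * "$2b$NN$<22 salt chars><31 hash chars>" plus the terminating NUL. */
#define BCRYPT_HASHSPACE 61

/* Hypothetical caller-side buffer size with headroom (the "128 or so" from
 * the thread), so the caller's contract does not track the exact bcrypt length. */
#define HASH_BUF_RECOMMENDED 128

/* bcrypt's own base64 alphabet, used for both the salt and the hash part. */
static const char bcrypt_alphabet[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Constructed sample with the right shape; not a real hash of any password. */
static const char sample_hash[] =
    "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

/* Mirror of the "encryptedlen < BCRYPT_HASHSPACE" check in bcrypt_hashpass():
 * 1 if a buffer of hashsize bytes can receive a bcrypt hash string, else 0. */
int bcrypt_buffer_ok(size_t hashsize)
{
    return hashsize >= BCRYPT_HASHSPACE;
}

/* Validate the shape of a bcrypt hash string: "$2a$" or "$2b$", a two-digit
 * cost in bcrypt's 4..31 range, "$", then 22 salt and 31 hash characters from
 * the bcrypt alphabet. Returns 0 and stores the cost on success, -1 otherwise. */
int bcrypt_parse(const char *s, int *cost)
{
    size_t i;
    int c;

    if (s == NULL || strlen(s) != BCRYPT_HASHSPACE - 1)
        return -1;
    if (s[0] != '$' || s[1] != '2' || (s[2] != 'a' && s[2] != 'b') || s[3] != '$')
        return -1;
    if (s[4] < '0' || s[4] > '9' || s[5] < '0' || s[5] > '9' || s[6] != '$')
        return -1;
    c = (s[4] - '0') * 10 + (s[5] - '0');
    if (c < 4 || c > 31)
        return -1;
    for (i = 7; i < BCRYPT_HASHSPACE - 1; i++)
        if (strchr(bcrypt_alphabet, s[i]) == NULL)
            return -1;
    if (cost != NULL)
        *cost = c;
    return 0;
}

/* Convenience wrapper: the cost factor of a well-formed hash, or -1. */
int bcrypt_cost_of(const char *s)
{
    int cost;
    return bcrypt_parse(s, &cost) == 0 ? cost : -1;
}

int main(void)
{
    char exact[BCRYPT_HASHSPACE];      /* the bare minimum the check accepts */
    char roomy[HASH_BUF_RECOMMENDED];  /* what a man page might recommend   */
    char small[BCRYPT_HASHSPACE - 1];  /* one byte short: rejected          */

    printf("%zu bytes: %s\n", sizeof exact, bcrypt_buffer_ok(sizeof exact) ? "ok" : "too small");
    printf("%zu bytes: %s\n", sizeof roomy, bcrypt_buffer_ok(sizeof roomy) ? "ok" : "too small");
    printf("%zu bytes: %s\n", sizeof small, bcrypt_buffer_ok(sizeof small) ? "ok" : "too small");
    printf("sample hash: %zu chars + NUL, cost %d\n",
           strlen(sample_hash), bcrypt_cost_of(sample_hash));
    return 0;
}
```

The parser is deliberately strict about length: a buffer that holds the full 60-character string plus NUL is exactly the 61 bytes the quoted check demands, which is why a documented recommendation with headroom (such as 128) costs nothing and keeps callers correct if the stored format ever grows.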