On Sun, Apr 19, 2026 at 08:24:01PM +0200, Alejandro Colomar via Mutt-dev wrote:
> strfcpy() ensures it creates a string. But that's not what we want.
> Here, we just want raw bytes in the output. It's only the input which
> is a string (password).
>
> strncpy(3) is quite appropriate for this specific use. It's a function
> that takes a C string as input, and fills a fixed-size buffer with bytes
> from it, zeroing the unused remainder part of the buffer.
>
> Because of this use of strncpy(3), we can remove the memset(3) calls.
> They're now entirely redundant. (The other branch fills the entire
> buffer, so it was only meaningful in the branch we're touching.)

It's early and my brain isn't fully awake. But I believe this is incorrect. The other branch only fills to MD5_DIGEST_LEN. Removing the memset() in that case, and copying the entire secret buffer, instead of secret_len, would break the algorithm.
-- Kevin J. McCarthy GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
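
An added example (not part of either message and not Mutt's code) of the two buffer-filling behaviours this thread turns on: strncpy(3) zero-fills the rest of a fixed-size buffer, while a branch that writes only a digest leaves the tail as it was. `BLOCK_LEN`, `toy_digest()`, `prepare_key()` and `stale_tail()` are hypothetical names, the 64-byte size is an assumption, and the 0xAA prefill is constructed to make stale bytes visible.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN  64   /* assumed size of the fixed key buffer */
#define DIGEST_LEN 16   /* size of an MD5 digest */

/* Hypothetical stand-in for an MD5 call: writes exactly DIGEST_LEN bytes.
 * NOT a real hash; only the number of bytes written matters here. */
static void toy_digest(const char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        out[i] = (unsigned char)(0x5c ^ (unsigned char)in[i % len] ^ i);
}

/* Fill key[] with raw bytes derived from a password string.
 * Returns how many leading bytes of key[] carry meaningful data. */
static size_t prepare_key(const char *password, unsigned char *key, int zero_tail)
{
    size_t len = strlen(password);

    if (len > BLOCK_LEN) {
        toy_digest(password, len, key);          /* touches 16 bytes only */
        if (zero_tail)
            memset(key + DIGEST_LEN, 0, BLOCK_LEN - DIGEST_LEN);
        return DIGEST_LEN;
    }
    /* strncpy() copies the string and zero-fills the remainder; it adds
     * no terminator when len == BLOCK_LEN, which is fine for raw bytes. */
    strncpy((char *)key, password, BLOCK_LEN);
    return len;
}

/* Count nonzero bytes left after the meaningful prefix. */
int stale_tail(const char *password, int zero_tail)
{
    unsigned char key[BLOCK_LEN];
    int stale = 0;

    memset(key, 0xAA, sizeof key);               /* constructed stale contents */
    for (size_t i = prepare_key(password, key, zero_tail); i < BLOCK_LEN; i++)
        stale += (key[i] != 0);
    return stale;
}

int main(void)
{
    char long_pw[81];                            /* constructed 80-byte password */
    memset(long_pw, 'x', 80); long_pw[80] = '\0';
    printf("short: %d  long, no memset: %d  long, memset: %d\n",
           stale_tail("hunter2", 0), stale_tail(long_pw, 0), stale_tail(long_pw, 1));
    return 0;
}
```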
