On Tue, Jun 06, 2017 at 08:49:32PM +0200, Adam Wolk wrote:
> On Tue, Jun 06, 2017 at 12:28:59PM -0600, Theo de Raadt wrote:
> > > The only thing against using automatic rounds would be having them
> > > guessed on a
> > > weaker machine and used on a more powerful server - doubt though that
> > > would ever
> > > pick something below 8 rounds.
> >
> > I don't see the concern. It has a lower bound.
>
> Attaching the diff with rounds changed to auto, results with 9 rounds on my
> server.
>
OK florian@
> ? htpasswd
> Index: htpasswd.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 htpasswd.c
> --- htpasswd.c 5 Nov 2015 20:07:15 -0000 1.15
> +++ htpasswd.c 6 Jun 2017 18:46:39 -0000
> @@ -47,7 +47,7 @@ int nagcount;
> int
> main(int argc, char** argv)
> {
> - char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
> + char tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
> char hash[_PASSWORD_LEN], pass[1024], pass2[1024];
> char *line = NULL, *login = NULL, *tok;
> int c, fd, loginlen, batch = 0;
> @@ -133,10 +133,8 @@ main(int argc, char** argv)
> explicit_bzero(pass2, sizeof(pass2));
> }
>
> - if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
> - errx(1, "salt too long");
> - if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
> - errx(1, "hash too long");
> + if (crypt_newhash(pass, "bcrypt,a", hash, sizeof(hash)) != 0)
> + err(1, "can't generate hash");
> explicit_bzero(pass, sizeof(pass));
>
> if (file == NULL)
--
I'm not entirely sure you are real.
