diff options
| author | tedu <> | 2014-03-23 23:25:05 +0000 |
|---|---|---|
| committer | tedu <> | 2014-03-23 23:25:05 +0000 |
| commit | 75a2df5b85d98cf04bb9f97260b3218855103a31 (patch) | |
| tree | f357733a7666894e95937ed68ec04309ddb676e9 /src | |
| parent | 92df5d137e038f65c678cea2a951b12806496435 (diff) | |
| download | openbsd-75a2df5b85d98cf04bb9f97260b3218855103a31.tar.gz openbsd-75a2df5b85d98cf04bb9f97260b3218855103a31.tar.bz2 openbsd-75a2df5b85d98cf04bb9f97260b3218855103a31.zip | |
some improvements suggested by djm.
use better constant for salt size.
always copy ":" to gerror, in case somebody is dumb enough to overwrite it
timingsafe_bcmp before somebody whines about strcmp
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libc/crypt/bcrypt.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c index 7070cb7375..7d388cf2ea 100644 --- a/src/lib/libc/crypt/bcrypt.c +++ b/src/lib/libc/crypt/bcrypt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: bcrypt.c,v 1.33 2014/03/23 23:20:12 tedu Exp $ */ | 1 | /* $OpenBSD: bcrypt.c,v 1.34 2014/03/23 23:25:05 tedu Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> | 4 | * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> |
| @@ -228,7 +228,8 @@ bcrypt_checkpass(const char *pass, const char *goodhash) | |||
| 228 | 228 | ||
| 229 | if (bcrypt_hashpass(pass, goodhash, hash, sizeof(hash)) != 0) | 229 | if (bcrypt_hashpass(pass, goodhash, hash, sizeof(hash)) != 0) |
| 230 | return -1; | 230 | return -1; |
| 231 | if (strcmp(hash, goodhash) != 0) | 231 | if (strlen(hash) != strlen(goodhash) || |
| 232 | timingsafe_bcmp(hash, goodhash, strlen(goodhash)) != 0) | ||
| 232 | return -1; | 233 | return -1; |
| 233 | return 0; | 234 | return 0; |
| 234 | } | 235 | } |
| @@ -327,7 +328,7 @@ encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len) | |||
| 327 | char * | 328 | char * |
| 328 | bcrypt_gensalt(u_int8_t log_rounds) | 329 | bcrypt_gensalt(u_int8_t log_rounds) |
| 329 | { | 330 | { |
| 330 | static char gsalt[7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1]; | 331 | static char gsalt[BCRYPT_SALTSPACE]; |
| 331 | 332 | ||
| 332 | bcrypt_initsalt(log_rounds, gsalt, sizeof(gsalt)); | 333 | bcrypt_initsalt(log_rounds, gsalt, sizeof(gsalt)); |
| 333 | 334 | ||
| @@ -338,9 +339,10 @@ char * | |||
| 338 | bcrypt(const char *pass, const char *salt) | 339 | bcrypt(const char *pass, const char *salt) |
| 339 | { | 340 | { |
| 340 | static char gencrypted[_PASSWORD_LEN]; | 341 | static char gencrypted[_PASSWORD_LEN]; |
| 341 | static char gerror[] = ":"; | 342 | static char gerror[2]; |
| 342 | 343 | ||
| 343 | /* How do I handle errors ? Return ':' */ | 344 | /* How do I handle errors ? Return ':' */ |
| 345 | strlcpy(gerror, ":", sizeof(gerror)); | ||
| 344 | if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0) | 346 | if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0) |
| 345 | return gerror; | 347 | return gerror; |
| 346 | 348 | ||