Hello, I have discovered that bcrypt_pbkdf(3) could write out of bounds of the given key buffer in certain cases. For example, if the requested keylen is 88, it will write to key[88].
The error is on line 153: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libutil/bcrypt_pbkdf.c?annotate=1.6

Here's a demo:

    #include <stdint.h>
    #include <util.h>

    int main(void)
    {
        uint8_t key[88];

        /* keylen 88 is the case described above */
        bcrypt_pbkdf("p", 1, "s", 1, key, sizeof(key), 2);
        return 0;
    }

I don't have a copy of OpenBSD handy, but on Linux this happily outputs *** stack smashing detected ***.

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
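Added example, not part of the original message or of OpenBSD's code: a C model of the interleaved output loop in bcrypt_pbkdf that replays only the key-index arithmetic, once unchecked and once with a bounds check on the destination index. The stride/amt formulas, the 32-byte block size and the helper names are assumptions reconstructed for illustration, not quoted from the message.

```c
#include <stdio.h>
#include <string.h>

#define HASHSIZE 32                    /* bytes produced per block (assumed) */
#define MAXKEY   (HASHSIZE * HASHSIZE) /* largest keylen the model accepts */
static unsigned char hits[MAXKEY + HASHSIZE]; /* write count per key index */

/* Replay only the output-index arithmetic (no hashing); checked != 0 stops a
 * block at the first index >= keylen. Returns the highest index written or -1. */
long replay_writes(size_t keylen, int checked)
{
    size_t orig = keylen, stride, amt, i, count;
    long max = -1;
    if (keylen == 0 || keylen > MAXKEY)
        return -1;
    memset(hits, 0, sizeof(hits));
    stride = (keylen + HASHSIZE - 1) / HASHSIZE; /* blocks needed */
    amt = (keylen + stride - 1) / stride;        /* bytes used per block */
    for (count = 1; keylen > 0; count++) {
        amt = amt < keylen ? amt : keylen;
        for (i = 0; i < amt; i++) {
            size_t dest = i * stride + (count - 1); /* interleaved index */
            if (checked && dest >= orig)
                break;
            hits[dest]++;
            max = (long)dest > max ? (long)dest : max;
        }
        keylen -= i; /* bytes actually emitted from this block */
    }
    return max;
}

/* 1 if the checked loop writes key[0..keylen-1] once each and nothing else. */
int checked_fill_is_exact(size_t keylen)
{
    size_t i, bad = 0;
    if (keylen == 0 || replay_writes(keylen, 1) != (long)keylen - 1)
        return 0;
    for (i = 0; i < sizeof(hits); i++)
        bad += hits[i] != (i < keylen);
    return bad == 0;
}

int main(void)
{
    printf("keylen 88 unchecked: highest index %ld\n", replay_writes(88, 0));
    printf("keylen 88 checked:   highest index %ld\n", replay_writes(88, 1));
    return 0;
}
```

In this model the unchecked replay for keylen 88 writes index 88 and never writes index 86, while the checked replay fills indices 0..87 exactly once.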
