On 2015/07/18 01:31, Stuart Henderson wrote:
> On 2015/07/17 20:24, Ted Unangst wrote:
> > Jeremy Evans wrote:
> > > As an aside, crypt("passwd", "$2") returns ":" instead of NULL.  I'm not
> > > sure if that's a security issue, but I think it is and we should fix it.
> > > I'll see if I can get a patch for that and send it to tech@.
> > 
> > This is a weird edge case where Niels decided to make bcrypt() work
> > differently than crypt(). I don't really know why. I think null is the safer
> > return, and we should probably switch. We don't have code that looks for ":"
> > (and certainly no third party code ever does), but there is code that checks
> > for null.
> 
> Solar had some concerns about crypt returning null in the past; there's
> a thread starting at http://www.openwall.com/lists/oss-security/2011/11/15/1
> which might be worth a read.
> 

Ah, sorry, I misread and didn't notice you were talking about changing bcrypt,
not crypt.
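A caller-side check that fails closed on both return values discussed in this thread (NULL and ":"), as an added example that is not part of the original messages or of OpenBSD's code. The names password_matches, is_failure_marker and ct_equal are hypothetical, the hash strings are constructed placeholders rather than real bcrypt output, and rejecting the empty string is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Failure results named in the thread: NULL, or the string ":".
 * The empty string is rejected too (assumption of this example). */
static int is_failure_marker(const char *s)
{
    return s == NULL || s[0] == '\0' || strcmp(s, ":") == 0;
}

/* Compare n bytes without stopping at the first difference. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* stored:   hash field read from the password database
 * computed: what crypt(candidate, stored) returned
 * Returns 1 only for a real, equal hash. A corrupt record whose stored
 * field is ":" can never match a ":" failure result. */
int password_matches(const char *stored, const char *computed)
{
    size_t n;

    if (is_failure_marker(stored) || is_failure_marker(computed))
        return 0;
    n = strlen(stored);
    if (strlen(computed) != n)
        return 0;
    return ct_equal(stored, computed, n);
}

int main(void)
{
    const char *stored = "$2b$constructed-placeholder"; /* constructed sample */

    printf("equal hash:   %d\n", password_matches(stored, stored));
    printf("NULL result:  %d\n", password_matches(stored, NULL));
    printf("\":\" result:   %d\n", password_matches(stored, ":"));
    printf("\":\" vs \":\":   %d\n", password_matches(":", ":"));
    return 0;
}
```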
