Message-ID: <20260602222246.GE27423@brightrain.aerifal.cx>
Date: Tue, 2 Jun 2026 18:22:46 -0400
From: Rich Felker <dalias@...c.org>
To: Seo Suchan <tjtncks@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: musl crypt() fallback to DES for unknown hash algorithm

On Tue, Jun 02, 2026 at 10:50:00PM +0900, Seo Suchan wrote:
> I noticed busybox 1.38 added yescrypt support and assumed everything will
> support this, but as musl didn't have and it fallback every hash identifier
> it doesn't know into des, making des password hash salted with $y:
> 
> not sure how crypto api should work but this feels like a footgun and it'd
> better reject any hash started with $ but musl doesn't about crypt_r()
> should return error. man crypt.3 suggest it'd set errno to EINVAL and
> return invalid hash starting with *

Changing it to actually return errors has been something that's been a
proposal for a long time and just hasn't happened. But fixing the
immediate problem here is orthogonal I think. The existing way we
handle 'errors' is returning an unmatchable string "*" and that could
be done right away.

Rich
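
A caller-side check for the behaviour discussed in this thread, added here as an example (it is not musl code and not from either poster): before storing or comparing a crypt() result, confirm it is not a "*" failure token and that it carries the same "$id$" scheme prefix as the setting. The function names, the enum and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum crypt_check { CRYPT_OK = 0, CRYPT_FAILED, CRYPT_BAD_SETTING, CRYPT_WRONG_SCHEME };

/* Length of the "$id$" prefix of a modular-format setting, 0 if malformed. */
static size_t scheme_prefix_len(const char *setting)
{
    const char *end;
    if (setting[0] != '$') return 0;
    end = strchr(setting + 1, '$');
    if (!end || end == setting + 1) return 0;   /* "$y" or "$$..." */
    return (size_t)(end - setting) + 1;
}

/* setting: what was passed to crypt(); out: what crypt() returned. */
enum crypt_check check_crypt_output(const char *setting, const char *out)
{
    size_t n;
    if (!setting || !setting[0]) return CRYPT_BAD_SETTING;
    /* NULL, empty, or an unmatchable "*..." string all mean failure. */
    if (!out || out[0] == '\0' || out[0] == '*') return CRYPT_FAILED;
    if (setting[0] != '$') return CRYPT_OK;     /* traditional setting, no id to compare */
    n = scheme_prefix_len(setting);
    if (n == 0) return CRYPT_BAD_SETTING;
    /* A DES fallback echoes only the two salt characters "$y", so the
       third character can never be the '$' that closes the id. */
    if (strncmp(out, setting, n) != 0) return CRYPT_WRONG_SCHEME;
    return CRYPT_OK;
}

int main(void)
{
    /* Constructed strings, not real hashes. */
    const char *setting = "$y$params$salt";
    const char *des_like = "$yAbCdEfGhIjK";     /* 13 chars, shaped like a DES result */
    printf("fallback detected: %d\n",
           check_crypt_output(setting, des_like) == CRYPT_WRONG_SCHEME);
    printf("failure token:     %d\n",
           check_crypt_output(setting, "*") == CRYPT_FAILED);
    return 0;
}
```
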
