Message-ID: <20260603013119.GF27423@brightrain.aerifal.cx>
Date: Tue, 2 Jun 2026 21:31:19 -0400
From: Rich Felker <dalias@...c.org>
To: Thorsten Glaser <tg@...bsd.de>
Cc: musl@...ts.openwall.com
Subject: Re: musl crypt() fallback to DES for unknown hash algorithm

On Wed, Jun 03, 2026 at 12:40:58AM +0200, Thorsten Glaser wrote:
> On Tue, 2 Jun 2026, Seo Suchan wrote:
> 
> > better reject any hash started with $ but musl doesn't about
> > crypt_r() should return error. man crypt.3 suggest it'd set errno to
> > EINVAL and return invalid hash starting with *
> 
> From the BSD side: yescrypt is an API misuse, the manpage clearly
> documents that the extended mode is used if the string begins with
> a dollar sign and a number.
> 
> For applications wishing to use such nōn-standard extensions:
> they should first run a known string through the crypt(3)
> function and check its return value matches expectations.
> 
> Please convey this to the busybox developers.

Yes in general, I think you want to ensure that the setting/salt
string you passed in is a prefix of what you got out. If not, it was
interpreted differently from what the caller intended.

Rich
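
The prefix check described above, combined with the known-string probe quoted from Thorsten, as an added example that is not part of the original message and is not musl or busybox code. The hasher is passed as a function pointer so that crypt can be given in real use; the stub functions, all names and the sample setting string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); pass crypt itself in real use. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

enum crypt_check { CRYPT_OK = 0, CRYPT_FAILED = -1, CRYPT_REINTERPRETED = -2 };

/* Was `setting` honored as given? `result` is what the hasher returned. */
enum crypt_check check_crypt_result(const char *setting, const char *result)
{
    /* NULL or a failure token (an invalid hash starting with '*'). */
    if (result == NULL || result[0] == '*')
        return CRYPT_FAILED;
    /* The whole setting must be a prefix of the output; otherwise the
     * implementation parsed it as some other scheme. */
    if (strncmp(result, setting, strlen(setting)) != 0)
        return CRYPT_REINTERPRETED;
    return CRYPT_OK;
}

/* Hash `key`; hand the result back only if the setting was honored. */
enum crypt_check checked_crypt(crypt_fn fn, const char *key,
                               const char *setting, const char **out)
{
    char *res = fn(key, setting);
    enum crypt_check rc = check_crypt_result(setting, res);
    *out = (rc == CRYPT_OK) ? res : NULL;
    return rc;
}

/* Constructed stand-ins for three possible implementation behaviours. */
static char buf[128];
char *stub_honors(const char *key, const char *setting)
{
    (void)key;
    snprintf(buf, sizeof buf, "%s$CONSTRUCTEDHASH", setting);
    return buf;
}
char *stub_short_salt(const char *key, const char *setting)
{
    (void)key; /* keeps only 2 setting bytes, as a 13-char legacy hash would */
    snprintf(buf, sizeof buf, "%.2sCONSTRUCTED", setting);
    return buf;
}
char *stub_rejects(const char *key, const char *setting)
{
    (void)key; (void)setting;
    return "*0";
}
```

Calling `checked_crypt` once with a throwaway key before hashing real passwords serves as the probe; verification with a full stored hash as the setting also passes the check, since a string is a prefix of itself.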
