FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2 2016-08-10T15:16:28Z 2016-08-10T15:16:28Z Ed Schouten ed@FreeBSD.org 2016-08-10T15:16:28Z urn:sha1:5f521d7ba72145092ea23ff6081d8791ad6c1f9d glibc has a pretty nice function called crypt_r(3), which is nothing more than crypt(3), but thread-safe. It accomplishes this by introducing a 'struct crypt_data' structure that contains a buffer that is large enough to hold the resulting string. Let's go ahead and also add this function. It would be a shame if a useful function like this wouldn't be usable in multithreaded apps. Refactor crypt.c and all of the backends to no longer declare static arrays, but write their output in a provided buffer. There is no need to do any buffer length computation here, as we'll just need to ensure that 'struct crypt_data' is large enough, which it is. _PASSWORD_LEN is defined to 128 bytes, but in this case I'm picking 256, as this is going to be part of the actual ABI. Differential Revision: https://reviews.freebsd.org/D7306 2015-06-16T23:57:29Z Allan Jude allanjude@FreeBSD.org 2015-06-16T23:57:29Z urn:sha1:a3b20e50a92f92e15eaf191c1fd84f223f411043 crypt_blowfish and many implementations based on it (Apache, PHP, PostgreSQL) implemented $2y$ before OpenBSD went with $2b$. This changes marks them as equivalent. http://www.openwall.com/lists/announce/2011/07/17/1 This change is required for applications that use the base crypt() implementation (including nginx) to be able to validate $2y$ hashes Reviewed by: eadler Approved by: delphij MFC after: 1 week Relnotes: yes Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D2742 2014-05-14T00:50:31Z Xin LI delphij@FreeBSD.org 2014-05-14T00:50:31Z urn:sha1:185e05ee1a28a5fd897416874d5c71eb69198341 MFC after: 2 weeks Relnotes: default Blowfish crypt(3) format have been changed to $2b$. 2014-02-25T23:03:48Z Xin LI delphij@FreeBSD.org 2014-02-25T23:03:48Z urn:sha1:43e3038611943925a3a9560242b9218a68a8fb6f Notable changes: - Support of $2b$ password format to address a problem where very long passwords (more than 256 characters, when an integer overflow would happen and cause the length to wrap at 256). - Updated pseudo code in comments to reflect the reality. - Removed our local shortcut of processing magic string and rely on the centralized and tigntened validation. - Diff reduction from upstream. For now we are still generating the older $02a$ format of password but we will migrate to the new format once the format is formally finalized. MFC after: 1 month 2012-02-22T01:23:14Z Kevin Lo kevlo@FreeBSD.org 2012-02-22T01:23:14Z urn:sha1:19ab58bfe3daf34d714195dcbd0f91e480924f7e Discussed in: http://www.openwall.com/lists/oss-security/2011/11/15/3 2003-06-02T19:17:24Z Mark Murray markm@FreeBSD.org 2003-06-02T19:17:24Z urn:sha1:c8fa8e25d77016f36e63790f2ceccb90613ccb2e required to make crypt(3) blowfish "$2a$..." hashes. Lint and warnsify. 2002-03-06T17:18:09Z Mark Murray markm@FreeBSD.org 2002-03-06T17:18:09Z urn:sha1:f2ac424af7b980ba4d858ecfd1644ce197d6869d 2001-10-23T10:23:32Z Peter Wemm peter@FreeBSD.org 2001-10-23T10:23:32Z urn:sha1:68344a95478e7f7a30cc2d93820595aad7e7bc5b 2001-03-11T16:05:43Z Mark Murray markm@FreeBSD.org 2001-03-11T16:05:43Z urn:sha1:5c1296168babf97c51ff030872cddb7f9857474f gratuitous difference between us and our sister project. This was given to me _ages_ ago. May apologies to Paul for the length of time its taken me to commit. Obtained from: Niels Provos <provos@physnet.uni-hamburg.de>/OpenBSD Submitted by: Paul Herman <pherman@frenchfries.net>