Re: Modern SHA2- based password hashes for pgcrypto

Am Donnerstag, dem 03.04.2025 um 20:39 +0200 schrieb Alvaro Herrera:
>
> > Maybe, in case of empty salts, we should issue a WARNING instead of
> > erroring out and put additional documentation on how to use it
> > right.
>
> I don't know, that doesn't seem ideal to me, because it's very easy
> to
> run stuff and never see the warnings.  If we find that people are
> desperate to use empty salts, we can relax that later (turn the error
> to
> a warning), but I'd rather not have it in the first cut.
>

That's a good idea, Let's go with that. Thanks again for working on
this.

> > Hmm, i didn't understand that passlib does decode them first, i
> > thought
> > they use it encoded... at least, in our current form we're pretty
> > much
> > compatible with Drepper, passlib and OpenSSL, as far as i tested:
>
> I am ready to believe that I misinterpreted what I read.
>

I hope i didn't parse it wrong either. But i didn't see forcing
something like this according in either passlib and Drepper's code.
Maybe we need have to look closer again ...

[...]

>
>
> I can offer a few cosmetic changes.  0001 is a pgindent run, and 0002
> is
> some manual adjustments after that.  There are only two nontrivial
> changes
>
> 1. the calculation for rounds was using type long, which is confusing
> because the range is different according to the platform.  Since it's
> limited by the macro definitions to no more than 999999999, we can
> make
> it an int32 instead.  So we use strtoint() instead of strtoul() to
> parse
> the value, and remove the "l" suffixes from the macros that define
> the
> limits and default, which were bugging me a bit when used in the
> gen_list struct.

+1

--
Bernd Helmle

Blücherstrasse 17
41061 Mönchengladbach

Tel.: +49 172 726 99 66