Keats
commented
1 year ago I'm not sure tbh, we should see how other implementations handle it. From what I remember, it should be 71 bytes + 0 so yeah it might not be correct.
Open alanhe opened 1 year ago
Keats
commented
1 year ago I'm not sure tbh, we should see how other implementations handle it. From what I remember, it should be 71 bytes + 0 so yeah it might not be correct.
alanhe
commented
1 year ago By the Go implementation, I think it's 72 bytes + 0
// Bug compatibility with C bcrypt implementations. They use the trailing
// NULL in the key string during expansion.
// We copy the key to prevent changing the underlying array.
ckey := append(key[:len(key):len(key)], 0)
Same as this C++ implementation, https://github.com/kelektiv/node.bcrypt.js/blob/master/src/bcrypt.cc#L220-L224
It's not bothering me -- just out of curiosity 😄
Keats
commented
1 year ago I guess it's an issue in this crate then, the push should be after the truncation. I guess no one really encode things that are more than 72 bytes in practice.
Keats
commented
1 year ago I guess we should hash a password from the C++/Go implementation that has more than 72 bytes and ensure we can verify them
When
passwordhas more than 72 bytes, it is truncated and the assumption may not hold true. I wonder if L109 is necessary.https://github.com/Keats/rust-bcrypt/blob/b6af5e5311598aee52d0bcfac1e22e13b1d10946/src/lib.rs#L106-L114