Closed riegelTech closed 5 years ago
It seems that the bcrypt C++ implementation uses the same base64 dictionary, but ignores the characters after "+", which produces a less secure hash without any error message.
So I am not convinced that it is a bug, especially if the fix consists of changing the base64 dictionary and makes the new version of bcryptjs incompatible with the old version.
Interesting. So to be 100% C++ compliant we have to lessen the security. So what is most important? To be compliant with the C++ implementation or the level of security?
There is no good solution. The best thing to do is probably to document this issue for the hashSync function...
I use bcrypt.hashSync with a salt generated by openssl v1.0.2j, which contains a "+" character:
const bcrypt = require('bcryptjs');
bcrypt.hashSync('some pass', "$2a$10$P3mJIQ+5mwrf3acCkCfoYg3WniW9TeD8mvfxufmhh3U=");
This throws an error:
If I remove the "+" character it works fine; if I use bcrypt instead of bcryptjs, it works too.