Open terryquigleysas opened 5 months ago
[Triage] Hi @terryquigleysas thank you for filing this issue. This sounds like a worthwhile change which could help correct some unexpected behavior. We will need to handle the issues around the backwards compatibility of the code when reviewing the PR.
I think there is possibly a bug in the current Blake2b code. The defaultSalt variable is not passed to the Blake2bDigest constructor using the salt parameter as I would expect. It uses personalization instead. Is this correct?
In order to proceed, which of these options is recommended?
Originally posted by @terryquigleysas in https://github.com/opensearch-project/security/issues/4212#issuecomment-2063453718
Approach #1 would appear to be the correct thing to do, but there are concerns that changing hashes, even to the correct values, may impact existing users.
This bug is derived from discussions on https://github.com/opensearch-project/security/pull/4271 and https://github.com/opensearch-project/security/issues/4212
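Added illustration of the point under discussion, written in Python's standard `hashlib` rather than against the project's Bouncy Castle `Blake2bDigest` code (this is not code from the plugin or from the thread's participants). BLAKE2b carries salt and personalization as two separate 16-byte fields of its parameter block, so supplying the same bytes in the personalization slot instead of the salt slot produces a different digest; that is why correcting the parameter would change the hashes existing users have stored. The 16-byte salt value, the input strings and the `classify_stored_hash` compatibility helper below are constructed for this example and are assumptions, not values or logic taken from the plugin.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the defaultSalt variable mentioned in the issue
# (assumption: 16 bytes, the maximum BLAKE2b salt length). Not the project's value.
DEFAULT_SALT = b"opensearch-salt!"
DIGEST_SIZE = 64  # BLAKE2b-512


def blake2b_with_salt(data: bytes, salt: bytes = DEFAULT_SALT) -> bytes:
    """Digest with the bytes supplied in the salt slot (the intended behaviour)."""
    if len(salt) > hashlib.blake2b.SALT_SIZE:
        raise ValueError("BLAKE2b salt must be at most 16 bytes")
    return hashlib.blake2b(data, digest_size=DIGEST_SIZE, salt=salt).digest()


def blake2b_with_person(data: bytes, person: bytes = DEFAULT_SALT) -> bytes:
    """Digest with the same bytes supplied in the personalization slot
    (the behaviour the issue describes as a possible bug)."""
    if len(person) > hashlib.blake2b.PERSON_SIZE:
        raise ValueError("BLAKE2b personalization must be at most 16 bytes")
    return hashlib.blake2b(data, digest_size=DIGEST_SIZE, person=person).digest()


def digests_differ(data: bytes) -> bool:
    """True when moving the bytes from the personalization slot to the salt slot
    changes the digest, i.e. when a fix would invalidate previously stored hashes."""
    return blake2b_with_salt(data) != blake2b_with_person(data)


def classify_stored_hash(data: bytes, stored: bytes) -> Optional[str]:
    """Hypothetical backwards-compatibility check (assumption, not plugin logic):
    report whether a stored hash was produced with the corrected salt usage,
    with the legacy personalization usage, or with neither.

    Comparisons use hmac.compare_digest to avoid timing leaks on the stored value."""
    if hmac.compare_digest(stored, blake2b_with_salt(data)):
        return "salt"
    if hmac.compare_digest(stored, blake2b_with_person(data)):
        return "person"
    return None


if __name__ == "__main__":
    sample = b"constructed sample input"  # constructed, not real user data
    print("salt  :", blake2b_with_salt(sample).hex()[:32], "...")
    print("person:", blake2b_with_person(sample).hex()[:32], "...")
    print("digests differ:", digests_differ(sample))
    legacy = blake2b_with_person(sample)
    print("legacy hash classified as:", classify_stored_hash(sample, legacy))
```

Running the script shows that the two digests for the same input never agree, which is the concrete form of the compatibility concern: any verification path that recomputes the hash with the corrected parameter will reject values stored under the old one unless a transition step (such as the `classify_stored_hash` style check above, followed by re-hashing) is provided.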