patrickfav / bcrypt

A Java standalone implementation of the bcrypt password hash function. Based on the Blowfish cipher it is the default password hash algorithm for OpenBSD and other systems including some Linux distributions. Includes a CLI Tool.
https://favr.dev/opensource/bcrypt
Apache License 2.0
482 stars, 49 forks

Verifier always returns Result with wrong version #24

Closed. hex-agon closed this 4 years ago

hex-agon commented 4 years ago

Whenever you verify a hash, the version returned in the result is always $2a$:

Sample case:

import at.favre.lib.crypto.bcrypt.BCrypt;
import at.favre.lib.crypto.bcrypt.BCrypt.Hasher;
import at.favre.lib.crypto.bcrypt.BCrypt.Verifyer;
import at.favre.lib.crypto.bcrypt.BCrypt.Version;
import java.nio.charset.StandardCharsets;

public class VersionRepro {
    public static void main(String[] args) {
        // Hash with version 2b explicitly requested
        Hasher hasher = BCrypt.with(Version.VERSION_2B);
        long start = System.currentTimeMillis();
        System.out.println("start");
        byte[] hash = hasher.hash(12, "abc321".getBytes(StandardCharsets.UTF_8));
        System.out.println("end");
        System.out.println("Took " + (System.currentTimeMillis() - start) + "ms");

        // Verify the same hash, again requiring version 2b; the printed Result still reports version=$2a$
        Verifyer verifier = BCrypt.verifyer();
        start = System.currentTimeMillis();
        System.out.println("start");
        System.out.println(verifier.verifyStrict("abc321".getBytes(StandardCharsets.UTF_8), hash, Version.VERSION_2B));
        System.out.println("end");
        System.out.println("Took " + (System.currentTimeMillis() - start) + "ms");
    }
}

Output:

start
end
Took 375ms
start
Result{details=HashData{cost=12, version=$2a$, rawSalt=63307d3ec2480e8b1840095fc8ce0d06, rawHash=77ce9567471ac1e2d1600a1219d26c9b5f67915df519c1}, validFormat=true, verified=true, formatErrorMessage='null'}
end
Took 305ms

This happens with both verify and verifyStrict.

As far as I could pinpoint, both functions end up calling this method, which completely ignores the requested hash version and ends up using BCrypt.withDefaults().

Even though this seems to have no effect in the verification result it is an issue that can be fixed quickly.
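Added example, not code from the issue or from the bcrypt project: if an application enforces a hash-version policy (for instance "only $2b$ hashes are acceptable"), it should not read the version back from Result.details.version on the affected releases, since the report above shows that field always reads $2a$. The hash string itself carries the version in its modular-crypt prefix, so the check can be done on the raw bytes. The snippet assumes only API names that appear in the issue's own code and output (BCrypt.with, BCrypt.verifyer(), Result.validFormat, Result.verified); the class VersionCheckedVerify and its methods are hypothetical names introduced here.

```java
import at.favre.lib.crypto.bcrypt.BCrypt;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class VersionCheckedVerify {

    // Parse "$<version>$<cost>$<salt+hash>" and return the version token, e.g. "2b".
    // Salt (22 chars) and hash (31 chars) make up the 53-character last field.
    static String versionPrefix(byte[] bcryptHash) {
        String mcf = new String(bcryptHash, StandardCharsets.US_ASCII);
        String[] parts = mcf.split("\\$", -1);   // ["", "2b", "12", "<53 chars>"]
        if (parts.length != 4 || !parts[0].isEmpty() || parts[3].length() != 53) {
            throw new IllegalArgumentException("not a bcrypt modular-crypt string");
        }
        return parts[1];
    }

    // Verify the password AND require that the stored hash actually carries
    // expectedPrefix, checked on the hash bytes rather than on Result.details.version.
    // (Hypothetical helper added for this example; not part of the library.)
    static boolean verifyExpectingVersion(byte[] password, byte[] hash, String expectedPrefix) {
        if (!expectedPrefix.equals(versionPrefix(hash))) {
            return false;   // e.g. a "$2a$" hash where the policy demands "$2b$"
        }
        BCrypt.Result result = BCrypt.verifyer().verify(password, hash);
        return result.validFormat && result.verified;
    }

    public static void main(String[] args) {
        // Constructed sample input: one password hashed under two different version prefixes.
        byte[] pw = "abc321".getBytes(StandardCharsets.UTF_8);
        byte[] hash2b = BCrypt.with(BCrypt.Version.VERSION_2B).hash(12, pw);
        byte[] hash2a = BCrypt.with(BCrypt.Version.VERSION_2A).hash(12, pw);

        // The prefix parsed from the bytes reflects what was actually stored,
        // independent of what Result.details.version reports.
        System.out.println("prefix of 2b hash: " + versionPrefix(hash2b));
        System.out.println("prefix of 2a hash: " + versionPrefix(hash2a));
        System.out.println("2b hash, expect 2b: " + verifyExpectingVersion(pw, hash2b, "2b"));
        System.out.println("2a hash, expect 2b: " + verifyExpectingVersion(pw, hash2a, "2b"));
        System.out.println("wrong password:     "
                + verifyExpectingVersion("abc322".getBytes(StandardCharsets.UTF_8), hash2b, "2b"));

        Arrays.fill(pw, (byte) 0);   // wipe the in-memory password copy once done
    }
}
```

The prefix comparison is cheap and happens before the expensive bcrypt computation, so a hash that violates the version policy is rejected without spending the cost-12 work factor on it. On releases from v0.9.0 onward, where the verifier honours the requested version, the check is redundant but harmless.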

patrickfav commented 4 years ago

Will be released with v0.9.0