Comments (10)
Is your base64 encoding/decoding necessary to make this work? Does this give the same behavior?
```ruby
require 'bcrypt'

plaintext = "%t/)Wz`^$C7]'"
hashed = BCrypt::Password.create(plaintext)
BCrypt::Password.new(hashed) == plaintext # => true
```
from bcrypt-ruby.
Yes, the Base64 encoding appears to be related -- that code works in both JRuby and MRI. The value that is Base64 encoded came from a HMAC; the submitted code is a simplification of some code derived from https://github.com/fwenzel/django-sha2.
Thanks
Dave
On Tue, Nov 5, 2013 at 3:56 PM, T.J. Schuck wrote:
> Is your base64 encoding/decoding necessary to make this work? Does this give the same behavior?
> plaintext = "%t/)Wz`^$C7]'"
> hashed = BCrypt::Password.create(plaintext)
> BCrypt::Password.new(hashed) == plaintext # => true
Yep -- took me a minute to install JRuby, but the above code (without the base64ing) definitely works on JRuby 1.7.3, and confirmed that the base64 version does not.
For another failing test case, from the BCrypt test strings at: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john/src/BF_fmt.c?rev=HEAD
```ruby
require 'bcrypt'

BCrypt::Password.new("$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6") == "\xaa" * 72
```
returns true on MRI, and false on JRuby (1.7.4 in my case)
I wonder if the change in jBCrypt 0.3 (http://mindrot.org/files/jBCrypt/internat.adv -- 92c8e4e) affects this at all...
@djmdjm, any ideas?
I don't fully understand this issue... does it only come into effect if Base64 is involved?
What I'm worried about: I have a bunch of hashes being created using this library running under JRuby. I'm going to be migrating to MRI later this year. Is there a chance some of my users will be locked out if I migrate due to this bug?
Base64 itself is unrelated, but it may have to do with UTF-8 or other non-ASCII characters in the source material.
Yes, the transition from JRuby to/from MRI is exactly the scenario that I was testing when I encountered this issue.
I haven't yet tested Reed's suggestion around the jBCrypt 0.3 fix; it certainly does look potentially relevant.
Thanks
Dave
On Wed, Jul 23, 2014 at 1:43 PM, zofrex wrote:
> I don't fully understand this issue... does it only come into effect if Base64 is involved?
> What I'm worried about: I have a bunch of hashes being created using this library running under JRuby. I'm going to be migrating to MRI later this year. Is there a chance some of my users will be locked out if I migrate due to this bug?
What is the probability of an incorrect hash being generated? For every say, million hashes generated by this library in JRuby, how many should we expect to be incorrect when transitioning to MRI?
Have done a bit of work on this recently. There are two key issues: a) when using 8-bit characters, the JRuby -> Java conversion and the jBCrypt use of .getBytes("UTF-8") ensure inconsistent results compared with the native implementation; b) the native implementation can't handle strings containing "\0" null values because it assumes null-terminated strings, whereas jBCrypt doesn't pay attention to those.
Long story short, make sure your input to the bcrypt is all ASCII values between 1 and 127 (7-bit clean, no zeroes) and I believe you'll be safe.
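An added example, not code from bcrypt-ruby or from anyone in this thread: it checks a secret against the two hazards Dave describes above (8-bit bytes, whose byte sequence depends on the JRuby/Java re-encoding, and embedded NUL, which a NUL-terminated C API silently truncates at) and builds a 7-bit-clean, NUL-free bcrypt input by pre-hashing in the spirit of django-sha2 (digest, then Base64, rather than raw digest bytes). The helper names are hypothetical, and `nul_terminated_view` is a simulation of the C behaviour described, not the engine itself.

```ruby
# Added example, not part of bcrypt-ruby. Helper names are hypothetical.
require 'digest'

# True when every byte is in 1..127: pure 7-bit ASCII with no NUL, so the
# byte sequence is identical whichever engine (native C or jBCrypt) and
# whichever source string encoding handles it.
def bcrypt_safe_secret?(secret)
  secret.b.each_byte.all? { |b| b.between?(1, 127) }
end

# Lists why a secret is unsafe: :non_ascii for bytes >= 128 (their bytes
# differ between the native path and the JRuby -> Java UTF-8 conversion),
# :embedded_nul for "\0" (a NUL-terminated C API drops everything after it).
def bcrypt_hazards(secret)
  bytes = secret.b.bytes
  hazards = []
  hazards << :non_ascii    if bytes.any? { |b| b >= 128 }
  hazards << :embedded_nul if bytes.include?(0)
  hazards
end

# Simulation only (assumption, not the real engine): the part of the secret
# a NUL-terminated C string view contains, i.e. everything before the first "\0".
def nul_terminated_view(secret)
  secret.b.split("\0", 2).first || ""
end

# Pre-hash so the bcrypt input is always safe: SHA-256 over the raw bytes,
# then Base64 (44 ASCII characters, under bcrypt's 72-byte limit).
# Encoding the digest, instead of passing raw digest bytes, is what keeps
# NUL and 8-bit bytes from being reintroduced by the pre-hash itself.
def bcrypt_prehash(secret)
  [Digest::SHA256.digest(secret.b)].pack('m0')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample secrets, one per case discussed in the thread.
  samples = {
    'plain ascii'    => "%t/)Wz`^$C7]'",
    'utf-8 umlaut'   => "p\u00E4ss",
    'latin-1 umlaut' => "p\u00E4ss".encode('ISO-8859-1'),
    'embedded nul'   => "secret\0dropped",
  }
  samples.each do |label, s|
    puts format('%-16s safe=%-5s hazards=%-28s c_view=%-8s prehash=%s',
                label, bcrypt_safe_secret?(s), bcrypt_hazards(s).inspect,
                nul_terminated_view(s).inspect, bcrypt_prehash(s))
  end
end
```

Note that the two umlaut samples are the "same" password to a user but different byte strings, so they pre-hash to different values as well; the audit only tells you which stored hashes are at risk across a JRuby/MRI migration, it cannot repair them without the original secret.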
Somewhat related, especially to \0... http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html