New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/crypto/bcrypt: hashes different than in other languages #26301
Comments
CC @FiloSottile |
I'm not sure if there is any value to this, but I noticed that if I make up a sequence of letters/numbers as the password instead of the sha then I do get a match between go and python. (For example |
I guess |
From my understanding at the least python and node.js should still be able to compare and match with an older version. In node.js specifically if you do something like:
This generates
@aead
@meirf now that is kind of interesting. Sha256 is just letters and numbers as well. |
In Go, you're feeding bcrypt with the byte array representation of the hash. In Python, you're feeding bcrypt with the hex string representation of the hash. Change |
For me python is added just to be more thorough and make sure it wasn't just a go->nodejs thing but an issue with the hashes generated by go. It being a byte array in go causing the problem makes some sense. But the fact that I can't use a hash generated by go in any other language still remains a problem. The key problem in my case. |
You're doing it wrong. I've just checked: node.js successfully compares hashes generated by Go, and vice versa. The same with python. The bcrypt modules are perfectly interoperable. |
@opennota care to elaborate? What exactly am I doing incorrectly? I've tried so many different variations, I totally believe i'm missing something that would be more obvious to someone more experienced. |
@geekgonecrazy
|
I guess |
Correct, |
Makes sense! @opennota thanks for the code snippet. I've confirmed it works. Learn something new every day. Thanks guys, glad it wasn't actually a bug in the package! :) |
What version of Go are you using (
go version
)?go version go1.10.3 darwin/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?What did you do?
Get a bcrypt hash generated by x/crypto and then try to validate in node.js and python.
I verified node.js and python can validate hashes between each other. But neither can validate hashes generated by this package.
Code samples: https://gist.github.com/geekgonecrazy/3a61ee15f515022295eef57f0713b52b
I can see the crypto package only has bcrypt 2a but from what I can tell 2a and 2b should be compatible.
To rule this out generated 2a from node.js and python could validate. But still not the crypto package.
I'm stumped... Its unclear if a bug, or the results for what ever reason are completely incompatible with other bcrypt packages.
The text was updated successfully, but these errors were encountered: