Description
When the input is 64 or more emoji, compatibility between bcrypt <> php and between bcrypt <> bcryptjs is broken, whereas bcryptjs <> php is fine.
Code to reproduce the issue:
const {spawnSync} = require('child_process');
const bcrypt = require('bcrypt');
const bcryptjs = require('bcryptjs');
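// Reproduction script: hash one long multi-byte password with each
// implementation (node `bcrypt` with the 'a' and 'b' salt versions, `bcryptjs`,
// and PHP's password_hash), verify the hashes across implementations, and
// print the results as a table. Every implementation is expected to agree;
// a "false" cell means a hash written by one stack will not verify under
// another for the same password.
const chr = '😃'; // emoji: U+1F603, 4 bytes in UTF-8
const len = 64; // 64+ repeats, i.e. 256+ bytes of input
const data = chr.repeat(len);
// bcrypt only consumes the first 72 bytes of a password, so all of these
// inputs share the same effective prefix. NOTE(review): the mismatch appearing
// at 256 bytes suggests the implementations disagree on how the length of an
// over-long input is measured or truncated — inferred from the results, not
// shown by this script; confirm in the native module.

// PHP one-liners. The password and hash arrive as command-line arguments
// ($argv) instead of being spliced into the PHP source, so a test character
// such as a quote or backslash changes the input rather than the program.
const PHP_HASH = "echo password_hash($argv[1], PASSWORD_BCRYPT, ['cost' => 8]);";
const PHP_VERIFY = "echo password_verify($argv[1], $argv[2]) ? 'true' : 'false';";

/**
 * Run a PHP snippet with `php -r` and return what it wrote to stdout.
 *
 * @param {string} code - PHP source to execute.
 * @param {...string} args - Values exposed to the snippet as $argv[1], $argv[2], ...
 * @returns {string} The snippet's standard output.
 * @throws {Error} If php cannot be started or exits with a non-zero status.
 */
function runPhp(code, ...args) {
  const result = spawnSync('php', ['-r', code, '--', ...args]);
  if (result.error) {
    // e.g. php is not installed; without this check the failure would only
    // show up as a TypeError on `stdout`.
    throw result.error;
  }
  if (result.status !== 0) {
    throw new Error(`php exited with status ${result.status}: ${result.stderr}`);
  }
  return result.stdout.toString();
}

/**
 * Rewrite the version prefix of a bcrypt hash (e.g. '$2a$' -> '$2y$') so that
 * another implementation accepts it.
 *
 * A replacer function is used so the '$' characters in the new prefix are
 * taken literally. Only the first occurrence is replaced; a bcrypt hash has
 * '$' only in its header, so this matches replacing all occurrences.
 *
 * @param {string} hash - The bcrypt hash string.
 * @param {string} from - Prefix to look for.
 * @param {string} to - Prefix to substitute.
 * @returns {string} The hash with its prefix swapped, or unchanged if `from` is absent.
 */
function swapPrefix(hash, from, to) {
  return hash.replace(from, () => to);
}

// One hash per implementation, all with cost factor 8.
const bcryptAHash = bcrypt.hashSync(data, bcrypt.genSaltSync(8, 'a'));
const bcryptBHash = bcrypt.hashSync(data, bcrypt.genSaltSync(8, 'b'));
const bcryptjsHash = bcryptjs.hashSync(data, bcryptjs.genSaltSync(8));
const phpHash = runPhp(PHP_HASH, data);

// Verified by PHP (hashes are relabelled to PHP's '$2y$' prefix first).
const bcrypta_php = runPhp(PHP_VERIFY, data, swapPrefix(bcryptAHash, '$2a$', '$2y$'));
const bcryptb_php = runPhp(PHP_VERIFY, data, swapPrefix(bcryptBHash, '$2b$', '$2y$'));
const bcryptjs_php = runPhp(PHP_VERIFY, data, swapPrefix(bcryptjsHash, '$2a$', '$2y$'));
const php_php = runPhp(PHP_VERIFY, data, phpHash);

// Verified by node `bcrypt`.
const bcrypta_bcrypt = bcrypt.compareSync(data, bcryptAHash).toString();
const bcryptb_bcrypt = bcrypt.compareSync(data, bcryptBHash).toString();
const bcryptjs_bcrypt = bcrypt.compareSync(data, bcryptjsHash).toString();
const php_bcrypta = bcrypt.compareSync(data, swapPrefix(phpHash, '$2y$', '$2a$')).toString();
const php_bcryptb = bcrypt.compareSync(data, swapPrefix(phpHash, '$2y$', '$2b$')).toString();

// Verified by `bcryptjs`.
const bcrypta_bcryptjs = bcryptjs.compareSync(data, bcryptAHash).toString();
const bcryptjs_bcryptjs = bcryptjs.compareSync(data, bcryptjsHash).toString();
const php_bcryptjs = bcryptjs.compareSync(data, swapPrefix(phpHash, '$2y$', '$2a$')).toString();

// Rows: where the hash came from. Columns: which implementation verified it.
// Combinations that were not tested are printed as blank cells.
console.log("hash\\module php bcryptjs bcrypt-a bcrypt-b");
console.log("php ", php_php.padEnd(5, " "), php_bcryptjs.padEnd(8, " "), php_bcrypta.padEnd(8, " "), php_bcryptb.padEnd(8, " "));
console.log("bcryptjs ", bcryptjs_php.padEnd(5, " "), bcryptjs_bcryptjs.padEnd(8, " "), bcryptjs_bcrypt.padEnd(8, " "), "".padEnd(8, " "));
console.log("bcrypt-a ", bcrypta_php.padEnd(5, " "), bcrypta_bcryptjs.padEnd(8, " "), bcrypta_bcrypt.padEnd(8, " "), "".padEnd(8, " "));
console.log("bcrypt-b ", bcryptb_php.padEnd(5, " "), "".padEnd(8, " "), "".padEnd(8, " "), bcryptb_bcrypt.padEnd(8, " "));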
The output:
hash\module php bcryptjs bcrypt-a bcrypt-b
php true true false false
bcryptjs true true false
bcrypt-a false false true
bcrypt-b false true
Fedora 31 x86_64, bcrypt 3.0.7, node v12.13.1