[jruby] Bcrypt 3.1.13 possibly resulting in different hash values for some secrets

Mohamed Hafez mohamed.m.m.hafez at gmail.com
Fri Jun 28 08:52:05 JST 2019


In https://github.com/codahale/bcrypt-ruby/pull/182, @fonica says

updated lib/bcrypt/engine.rb to pass the secret as java bytes; it seems
jruby messes up the encoding for certain bytes if the secret is passed as a
string.

If this is true, and this is now "fixed" as of version 3.1.13 but never was
before, wouldn't that mean that for some long-time users, when they try to
log in and enter their password/secret, and I hash it using the new "fixed"
3.1.13 bcrypt gem, the hash will be different, and the user wouldn't
be able to log in?

Here's the relevant code change:
https://github.com/codahale/bcrypt-ruby/pull/182/files#diff-f86cac16a00b89c4f5af90928cf7516eL49

All the secrets I tried resulted in the same hash between 3.1.13 and
previous versions; however, when I briefly ran 3.1.13 in production, I got
an uptick in users swearing they didn't forget their password but can't log
in (but that could just be coincidence).

Does anyone know under what circumstances *secret.to_s* would produce a
different value than *secret.to_s.to_java_bytes* in the change linked to
above?

(I've tried commenting on the PR on the GitHub page and raising an issue,
but no response, so I'm really hoping I can turn to this mailing list.
Thanks in advance!)
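The failure mode the question describes, as an added example that is not code from bcrypt-ruby or JRuby: a password hash only ever sees a byte sequence, so the old and new code paths can diverge only for secrets whose bytes change when the string is reinterpreted in another encoding. The example assumes a hypothetical model of that reinterpretation (Latin-1 with replacement for the old path, raw UTF-8 bytes for the new one) and uses PBKDF2 as a stand-in for the bcrypt engine; it also shows a verifier that falls back to the legacy path during a migration so affected users can be rehashed instead of locked out.

```ruby
require 'openssl'

# Added example, not code from bcrypt-ruby or JRuby. PBKDF2 with a fixed,
# constructed salt stands in for the bcrypt engine: like bcrypt it only
# ever hashes bytes, never a Ruby String with an attached encoding.
CONSTRUCTED_SALT = 'constructed-fixed-salt'.freeze

def stand_in_hash(secret_bytes)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_bytes, CONSTRUCTED_SALT, 1_000, 32,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Hypothetical model of the pre-3.1.13 path (secret passed as a String):
# the string is reinterpreted in a single-byte encoding before hashing.
def legacy_path_bytes(secret)
  secret.encode('ISO-8859-1', invalid: :replace, undef: :replace, replace: '?').b
end

# Hypothetical model of the 3.1.13 path (secret passed as bytes):
# the string's own UTF-8 bytes reach the engine unchanged.
def fixed_path_bytes(secret)
  secret.encode('UTF-8').b
end

# True when both paths hash identically, i.e. the secret is pure ASCII.
def paths_agree?(secret)
  stand_in_hash(legacy_path_bytes(secret)) == stand_in_hash(fixed_path_bytes(secret))
end

# Constant-time comparison of two equal-length hex digests.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Migration-safe verifier: try the new path first, then the legacy path, and
# report which one matched so the caller can rehash under the new path.
# Returns :fixed, :legacy, or nil when the secret matches neither.
def verify_with_fallback(stored_hash, secret)
  { fixed: fixed_path_bytes(secret), legacy: legacy_path_bytes(secret) }.each do |label, bytes|
    return label if constant_time_eq?(stand_in_hash(bytes), stored_hash)
  end
  nil
end
```

An ASCII-only secret such as `hunter2` hashes the same on both paths, which matches the observation that every secret tried by hand agreed; a secret containing a character like `ä` does not.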