| private static DecodeBase64 ( string s, int maximumLength ) : byte[] | ||
| s | string | The string to decode |
| maximumLength | int | The maximum number of bytes to decode |
| Résultat | byte[] | |
public void LeadingByteDoesntTruncateHash()
{
var b = new BCrypt();
var s = BCrypt.GenerateSalt();
var extractedSalt = s.Substring(7, 22);
var passA = SafeUTF8.GetBytes("\0 password");
var passB = SafeUTF8.GetBytes("\0");
byte[] saltBytes = BCrypt.DecodeBase64(extractedSalt, 128 / 8);
var bytesAreValid = BytesAreValid(passA);
Assert.False(bytesAreValid, "Hash contains null bytes");
var hashA = b.CryptRaw(passA, saltBytes, 4);
var hashAVerification = b.CryptRaw(passA, saltBytes, 4);
Assert.True(Convert.ToBase64String(hashA) == Convert.ToBase64String(hashAVerification), "These should match as this is how validation works");
var hashB = b.CryptRaw(passB, saltBytes, 4);
var hashBVerification = b.CryptRaw(passB, saltBytes, 4);
Assert.True(Convert.ToBase64String(hashB) == Convert.ToBase64String(hashBVerification), "These should match as this is how validation works, this is skipping the password");
Assert.False(Convert.ToBase64String(hashA) == Convert.ToBase64String(hashB), "These shouldnt match as we hash the whole strings bytes, including the null byte");
}
public void LeadingByteDoesntTruncateHashSHA()
{
var b = new BCrypt();
var s = BCrypt.GenerateSalt();
var extractedSalt = s.Substring(7, 22);
var passA = SafeUTF8.GetBytes("d27a37");
var passB = new byte[] { 0 };
byte[] saltBytes = BCrypt.DecodeBase64(extractedSalt, 128 / 8);
byte[] enhancedBytes = SHA384.Create().ComputeHash(passA);
byte[] enhancedBytesB = SHA384.Create().ComputeHash(passB);
var bytesAreValid = BytesAreValid(enhancedBytes);
Assert.False(bytesAreValid, "Hash contains null bytes");
var hashA = b.CryptRaw(enhancedBytes, saltBytes, 4);
var hashAVerification = b.CryptRaw(enhancedBytes, saltBytes, 4);
Assert.True(Convert.ToBase64String(hashA) == Convert.ToBase64String(hashAVerification), "These should match as this is how validation works");
var hashB = b.CryptRaw(enhancedBytesB, saltBytes, 4);
var hashBVerification = b.CryptRaw(enhancedBytesB, saltBytes, 4);
Assert.True(Convert.ToBase64String(hashB) == Convert.ToBase64String(hashBVerification), "These should match as this is how validation works");
Assert.False(Convert.ToBase64String(hashA) == Convert.ToBase64String(hashB), "These shouldnt match as we hash the whole strings bytes, including the null byte");
}
public static string HashPassword(string input, string salt)
{
if (input == null)
{
//throw new ArgumentNullException("input");
}
if (string.IsNullOrEmpty(salt))
{
//throw new ArgumentException("Invalid salt", "salt");
}
char c = '\0';
if (salt[0] != '$' || salt[1] != '2')
{
//throw new SaltParseException("Invalid salt version");
}
int num;
if (salt[2] == '$')
{
num = 3;
}
else
{
c = salt[2];
if (c != 'a' || salt[3] != '$')
{
//throw new SaltParseException("Invalid salt revision");
}
num = 4;
}
if (salt[num + 2] > '$')
{
//throw new SaltParseException("Missing salt rounds");
}
int num2 = Convert.ToInt32(salt.Substring(num, 2));
string encodedstring = salt.Substring(num + 3, 22);
byte[] bytes = Encoding.UTF8.GetBytes(input + ((c >= 'a') ? "\0" : ""));
byte[] array = BCrypt.DecodeBase64(encodedstring, 16);
BCrypt bCrypt = new BCrypt();
byte[] byteArray = bCrypt.CryptRaw(bytes, array, num2);
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append("$2");
if (c >= 'a')
{
stringBuilder.Append(c);
}
stringBuilder.AppendFormat("${0:00}$", num2);
stringBuilder.Append(BCrypt.EncodeBase64(array, array.Length));
stringBuilder.Append(BCrypt.EncodeBase64(byteArray, BCrypt._BfCryptCiphertext.Length * 4 - 1));
return(stringBuilder.ToString());
}