bcrypt: fix issue #16769 security problem in compare_hash_and_password (#16815)

2023-08-10 21:13:21 +03:00 · 2022-12-31 16:18:43 +01:00
parent 5daf39bc6a
commit 1e401d1433
2 changed files with 16 additions and 2 deletions
--- a/vlib/crypto/bcrypt/bcrypt_test.v
+++ b/vlib/crypto/bcrypt/bcrypt_test.v
@ -8,4 +8,14 @@ fn test_crypto_bcrypt() {
 	bcrypt.compare_hash_and_password('password2'.bytes(), hash.bytes()) or {
 		assert err.msg() == 'mismatched hash and password'
 	}
+
+	hash2 := bcrypt.generate_from_password('bb'.bytes(), 10) or { panic(err) }
+	mut hash2_must_mismatch := false
+
+	bcrypt.compare_hash_and_password('bbb'.bytes(), hash2.bytes()) or {
+		hash2_must_mismatch = true
+		assert err.msg() == 'mismatched hash and password'
+	}
+
+	assert hash2_must_mismatch
 }