bcrypt生成不正确的哈希-我的用户输入处理正确吗? [英] bcrypt generates incorrect hashes - is my user-input processing correct?

问题描述

我在Go中编写了一个简短的程序，以通过stdin提供的密码生成bcrypt密码哈希.下面的最小示例:

I've written a short program in Go to generate a bcrypt password hash from a password provided via stdin. Minimal example below:

package main

import (
    "bufio"
    "fmt"
    "golang.org/x/crypto/bcrypt"
)

func main() {

    fmt.Println("Enter password:")
    reader := bufio.NewReader(os.Stdin)
    inputPassword, _ := reader.ReadString('\n')

    inputPasswordBytes := []byte(inputPassword)
    hashBytes, _ := bcrypt.GenerateFromPassword(inputPasswordBytes, bcrypt.DefaultCost)

    hashStr := string(hashBytes)

    fmt.Println(hashStr)
}

在另一个程序(Go Web服务器)中，我接受来自HTTP POST请求的用户密码，并针对使用上述代码生成的哈希进行测试，并将其保存到启动时加载的配置文件中，如下所示:

In another program (a Go web-server) I accept the user's password from a HTTP POST request and test it against a hash generated with the code above and saved to a configuration file that's loaded at startup, like so:

func authenticateHashedPassword(inputPassword string) bool {

    configPasswordHashBytes := []byte(server.Config.Net.Auth.Password)
    inputPasswordBytes := []byte(inputPassword)
    err := bcrypt.CompareHashAndPassword(configPasswordHashBytes, inputPasswordBytes)
    if err != nil {
        return false
    }
    return true

}

但是，当我知道inputPassword正确时，这将报告失败.经过一番调查，我发现当我使用此网站测试我的值时，上面的初始func main产生了错误的输出:

However this reports failure when I know inputPassword is correct. After some investigation I saw that my initial func main above was generating the wrong output when I used this website to test my values: https://www.dailycred.com/article/bcrypt-calculator - it says all of the output I generate doesn't match the desired passwords.

我假设我执行[]byte(inputPassword)时，字符编码或其他详细信息有问题-可能包括尾随行尾吗?

I'm assuming there's something wrong going on with the character encoding or other details when I do []byte(inputPassword) - is it perhaps including the trailing line-ending?

不幸的是，我无法逐步调试程序，因为Visual Studio Code的Go语言工具和调试器不支持使用standard-IO:

Unfortunately I cannot step-through debug my program because Visual Studio Code's Go language tools and debugger does not support using standard-IO: https://github.com/Microsoft/vscode-go/issues/219

推荐答案

bufio Reader.ReadString 方法返回直到\n定界符并包括在内的数据. \n包含在密码中.使用 strings.TrimSpace 修剪\n和用户可能输入的任何空格.

The bufio Reader.ReadString method returns the data up to and including the \n delimiter. The \n is included in the password. Use strings.TrimSpace to trim the \n and any whitespace that may have been entered by the user.

package main

import (
    "bufio"
    "fmt"
    "golang.org/x/crypto/bcrypt"
)

func main() {

    fmt.Println("Enter password:")
    reader := bufio.NewReader(os.Stdin)
    inputPassword, _ := strings.TrimSpace(reader.ReadString('\n'), "\n"))

    inputPasswordBytes := []byte(inputPassword)
    hashed, _ := bcrypt.GenerateFromPassword(inputPasswordBytes, bcrypt.DefaultCost)

    fmt.Printf("%s\n", hashed)
}

这篇关于bcrypt生成不正确的哈希-我的用户输入处理正确吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！