bcrypt
Comparing version 5.0.0 to 5.0.1
'use strict'; | ||
var binary = require('node-pre-gyp'); | ||
var nodePreGyp = require('@mapbox/node-pre-gyp'); | ||
var path = require('path'); | ||
var binding_path = binary.find(path.resolve(path.join(__dirname, './package.json'))); | ||
var binding_path = nodePreGyp.find(path.resolve(path.join(__dirname, './package.json'))); | ||
var bindings = require(binding_path); | ||
@@ -86,3 +86,3 @@ | ||
/// hash data using a salt | ||
/// @param {String} data the data to encrypt | ||
/// @param {String|Buffer} data the data to encrypt | ||
/// @param {String} salt the salt to use when hashing | ||
@@ -95,4 +95,4 @@ /// @return {String} hash | ||
if (typeof data !== 'string' || (typeof salt !== 'string' && typeof salt !== 'number')) { | ||
throw new Error('data must be a string and salt must either be a salt string or a number of rounds'); | ||
if (!(typeof data === 'string' || data instanceof Buffer) || (typeof salt !== 'string' && typeof salt !== 'number')) { | ||
throw new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds'); | ||
} | ||
@@ -108,3 +108,3 @@ | ||
/// hash data using a salt | ||
/// @param {String} data the data to encrypt | ||
/// @param {String|Buffer} data the data to encrypt | ||
/// @param {String} salt the salt to use when hashing | ||
@@ -116,3 +116,3 @@ /// @param {Function} cb callback(err, hash) | ||
if (typeof data === 'function') { | ||
error = new Error('data must be a string and salt must either be a salt string or a number of rounds'); | ||
error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds'); | ||
return process.nextTick(function() { | ||
@@ -124,3 +124,3 @@ data(error); | ||
if (typeof salt === 'function') { | ||
error = new Error('data must be a string and salt must either be a salt string or a number of rounds'); | ||
error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds'); | ||
return process.nextTick(function() { | ||
@@ -148,4 +148,4 @@ salt(error); | ||
if (typeof data !== 'string' || (typeof salt !== 'string' && typeof salt !== 'number')) { | ||
error = new Error('data must be a string and salt must either be a salt string or a number of rounds'); | ||
if (!(typeof data === 'string' || data instanceof Buffer) || (typeof salt !== 'string' && typeof salt !== 'number')) { | ||
error = new Error('data must be a string or Buffer and salt must either be a salt string or a number of rounds'); | ||
return process.nextTick(function() { | ||
@@ -167,3 +167,3 @@ cb(error); | ||
/// compare raw data to hash | ||
/// @param {String} data the data to hash and compare | ||
/// @param {String|Buffer} data the data to hash and compare | ||
/// @param {String} hash expected hash | ||
@@ -176,4 +176,4 @@ /// @return {bool} true if hashed data matches hash | ||
if (typeof data !== 'string' || typeof hash !== 'string') { | ||
throw new Error('data and hash must be strings'); | ||
if (!(typeof data === 'string' || data instanceof Buffer) || typeof hash !== 'string') { | ||
throw new Error('data must be a string or Buffer and hash must be a string'); | ||
} | ||
@@ -185,3 +185,3 @@ | ||
/// compare raw data to hash | ||
/// @param {String} data the data to hash and compare | ||
/// @param {String|Buffer} data the data to hash and compare | ||
/// @param {String} hash expected hash | ||
@@ -223,3 +223,3 @@ /// @param {Function} cb callback(err, matched) - matched is true if hashed data matches hash | ||
if (typeof data !== 'string' || typeof hash !== 'string') { | ||
if (!(typeof data === 'string' || data instanceof Buffer) || typeof hash !== 'string') { | ||
error = new Error('data and hash must be strings'); | ||
@@ -226,0 +226,0 @@ return process.nextTick(function() { |
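Review bot: The callback-style compare guard in the last hunk now accepts a Buffer for `data`, but the error built on the following line still reads `'data and hash must be strings'`, whereas the synchronous compare hunk updates its message. Change it to `error = new Error('data must be a string or Buffer and hash must be a string');` so that both paths describe the same contract to a caller who passes the wrong type. As a point of style, `Buffer.isBuffer(data)` is the more usual spelling than `data instanceof Buffer` in the four guards. The enclosing functions start and end outside the hunks shown.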
@@ -0,1 +1,5 @@ | ||
# 5.0.1 (2021-02-22) | ||
* Update `node-pre-gyp` to 1.0.0 | ||
# 5.0.0 (2020-06-02) | ||
@@ -2,0 +6,0 @@ |
@@ -14,3 +14,3 @@ { | ||
"main": "./bcrypt", | ||
"version": "5.0.0", | ||
"version": "5.0.1", | ||
"author": "Nick Campbell (https://github.com/ncb000gt)", | ||
@@ -33,4 +33,4 @@ "engines": { | ||
"dependencies": { | ||
"node-pre-gyp": "0.15.0", | ||
"node-addon-api": "^3.0.0" | ||
"@mapbox/node-pre-gyp": "^1.0.0", | ||
"node-addon-api": "^3.1.0" | ||
}, | ||
@@ -37,0 +37,0 @@ "devDependencies": { |
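Review bot: The `dependencies` hunk replaces the exact pin `"node-pre-gyp": "0.15.0"` with the caret range `"@mapbox/node-pre-gyp": "^1.0.0"`, so the package that locates the native binding (`nodePreGyp.find(...)` in the main module) is no longer a fixed version for consumers. The dependency list on this page already shows 1.0.11 being resolved. If the exact pin was deliberate, keep it as `"@mapbox/node-pre-gyp": "1.0.0"`; otherwise say in the changelog entry that the range was loosened, so downstream users know to rely on their own lockfile. The rest of package.json is outside the hunk.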
@@ -25,5 +25,5 @@ # node.bcrypt.js | ||
| 4 | <= 2.1.0 | | ||
| 8 | >= 1.0.3 < 4.0.0 | | ||
| 8 | >= 1.0.3 < 4.0.0 | | ||
| 10, 11 | >= 3 | | ||
| 12 | >= 3.0.6 | | ||
| 12 onwards | >= 3.0.6 | | ||
@@ -45,2 +45,4 @@ `node-gyp` only works with stable/released versions of node. Since the `bcrypt` module uses `node-gyp` to build and install, you'll need a stable version of node to use bcrypt. If you do not, you'll likely see an error that starts with: | ||
* An [issue with passwords][jtr] was found with a version of the Blowfish algorithm developed for John the Ripper. This is not present in the OpenBSD version and is thus not a problem for this module. HT [zooko][zooko]. | ||
* Versions `< 5.0.0` suffer from bcrypt wrap-around bug and _will truncate passwords >= 255 characters leading to severely weakened passwords_. Please upgrade at earliest. See [this wiki page][wrap-around-bug] for more details. | ||
* Versions `< 5.0.0` _do not handle NUL characters inside passwords properly leading to all subsequent characters being dropped and thus resulting in severely weakened passwords_. Please upgrade at earliest. See [this wiki page][improper-nuls] for more details. | ||
@@ -286,4 +288,24 @@ ## Compatibility Note | ||
Resultant hashes will be 60 characters long. | ||
Resultant hashes will be 60 characters long and they will include the salt among other parameters, as follows: | ||
`$[algorithm]$[cost]$[salt][hash]` | ||
- 2 chars hash algorithm identifier prefix. `"$2a$" or "$2b$"` indicates BCrypt | ||
- Cost-factor (n). Represents the exponent used to determine how many iterations 2^n | ||
- 16-byte (128-bit) salt, base64 encoded to 22 characters | ||
- 24-byte (192-bit) hash, base64 encoded to 31 characters | ||
Example: | ||
``` | ||
$2b$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa | ||
| | | | | ||
| | | hash-value = K0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa | ||
| | | | ||
| | salt = nOUIs5kJ7naTuTFkBy1veu | ||
| | | ||
| cost-factor => 10 = 2^10 rounds | ||
| | ||
hash-algorithm identifier => 2b = BCrypt | ||
``` | ||
## Testing | ||
@@ -336,2 +358,4 @@ | ||
[timingatk]: https://codahale.com/a-lesson-in-timing-attacks/ | ||
[wrap-around-bug]: https://github.com/kelektiv/node.bcrypt.js/wiki/Security-Issues-and-Concerns#bcrypt-wrap-around-bug-medium-severity | ||
[improper-nuls]: https://github.com/kelektiv/node.bcrypt.js/wiki/Security-Issues-and-Concerns#improper-nul-handling-medium-severity | ||
@@ -338,0 +362,0 @@ [shadowfiend]:https://github.com/Shadowfiend |
@@ -32,2 +32,3 @@ var bcrypt = require('../bcrypt'); | ||
assert.strictEqual(bcrypt.hashSync("Passw\0 you can literally write anything after the NUL character", "$2b$05$CCCCCCCCCCCCCCCCCCCCC."), "$2b$05$CCCCCCCCCCCCCCCCCCCCC.4vJLJQ6nZ/70INTjjSZWQ0iyUek92tu"); | ||
assert.strictEqual(bcrypt.hashSync(Buffer.from("Passw\0 you can literally write anything after the NUL character"), "$2b$05$CCCCCCCCCCCCCCCCCCCCC."), "$2b$05$CCCCCCCCCCCCCCCCCCCCC.4vJLJQ6nZ/70INTjjSZWQ0iyUek92tu"); | ||
assert.done(); | ||
@@ -47,4 +48,8 @@ }, | ||
assert.strictEqual(bcrypt.hashSync("ἓν οἶδα ὅτι οὐδὲν οἶδα", "$2b$12$LeHKWR2bmrazi/6P22Jpau"), "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW"); | ||
assert.done(); | ||
assert.strictEqual(bcrypt.hashSync(Buffer.from("ἓν οἶδα ὅτι οὐδὲν οἶδα"), "$2b$12$LeHKWR2bmrazi/6P22Jpau"), "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW"); | ||
bcrypt.hash(Buffer.from("ἓν οἶδα ὅτι οὐδὲν οἶδα"), "$2b$12$LeHKWR2bmrazi/6P22Jpau", function(err, hash) { | ||
assert.strictEqual(hash, "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW"); | ||
assert.done(); | ||
}); | ||
} | ||
} |
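Review bot: The added Buffer cases cover `hashSync` and `hash` only; no visible test passes a Buffer to the compare functions, whose guards this release also changes. Add one beside these that reuses the hash already asserted, for example `assert.ok(bcrypt.compareSync(Buffer.from("ἓν οἶδα ὅτι οὐδὲν οἶδα"), "$2b$12$LeHKWR2bmrazi/6P22JpauX5my/eKwwKpWqL7L5iEByBnxNc76FRW"));`. In the new async case, add `assert.ifError(err);` before comparing `hash`, so a failure reports the underlying error and not just a mismatch against `undefined`. The enclosing test functions start outside the hunks.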
+ Added@mapbox/node-pre-gyp@^1.0.0
+ Added@mapbox/node-pre-gyp@1.0.11(transitive)
+ Addedagent-base@6.0.2(transitive)
+ Addedansi-regex@5.0.1(transitive)
+ Addedaproba@2.0.0(transitive)
+ Addedare-we-there-yet@2.0.0(transitive)
+ Addedchownr@2.0.0(transitive)
+ Addedcolor-support@1.1.3(transitive)
+ Addeddebug@4.3.4(transitive)
+ Addeddetect-libc@2.0.3(transitive)
+ Addedemoji-regex@8.0.0(transitive)
+ Addedfs-minipass@2.1.0(transitive)
+ Addedgauge@3.0.2(transitive)
+ Addedhttps-proxy-agent@5.0.1(transitive)
+ Addedis-fullwidth-code-point@3.0.0(transitive)
+ Addedmake-dir@3.1.0(transitive)
+ Added minipass@3.3.6 and minipass@5.0.0 (transitive)
+ Addedminizlib@2.1.2(transitive)
+ Addedmkdirp@1.0.4(transitive)
+ Addedms@2.1.2(transitive)
+ Addednode-fetch@2.7.0(transitive)
+ Addednopt@5.0.0(transitive)
+ Addednpmlog@5.0.1(transitive)
+ Addedreadable-stream@3.6.2(transitive)
+ Addedrimraf@3.0.2(transitive)
+ Added semver@6.3.1 and semver@7.6.2 (transitive)
+ Addedstring-width@4.2.3(transitive)
+ Addedstring_decoder@1.3.0(transitive)
+ Addedstrip-ansi@6.0.1(transitive)
+ Addedtar@6.2.1(transitive)
+ Addedtr46@0.0.3(transitive)
+ Addedwebidl-conversions@3.0.1(transitive)
+ Addedwhatwg-url@5.0.0(transitive)
+ Addedyallist@4.0.0(transitive)
- Removednode-pre-gyp@0.15.0
- Removedansi-regex@2.1.1(transitive)
- Removedaproba@1.2.0(transitive)
- Removedare-we-there-yet@1.1.7(transitive)
- Removedchownr@1.1.4(transitive)
- Removedcode-point-at@1.1.0(transitive)
- Removedcore-util-is@1.0.3(transitive)
- Removeddebug@3.2.7(transitive)
- Removeddeep-extend@0.6.0(transitive)
- Removeddetect-libc@1.0.3(transitive)
- Removedfs-minipass@1.2.7(transitive)
- Removedgauge@2.7.4(transitive)
- Removediconv-lite@0.4.24(transitive)
- Removedignore-walk@3.0.4(transitive)
- Removedini@1.3.8(transitive)
- Removedis-fullwidth-code-point@1.0.0(transitive)
- Removedisarray@1.0.0(transitive)
- Removedminimist@1.2.8(transitive)
- Removedminipass@2.9.0(transitive)
- Removedminizlib@1.3.3(transitive)
- Removedmkdirp@0.5.6(transitive)
- Removedms@2.1.3(transitive)
- Removedneedle@2.9.1(transitive)
- Removednode-pre-gyp@0.15.0(transitive)
- Removednopt@4.0.3(transitive)
- Removednpm-bundled@1.1.2(transitive)
- Removednpm-normalize-package-bin@1.0.1(transitive)
- Removednpm-packlist@1.4.8(transitive)
- Removednpmlog@4.1.2(transitive)
- Removednumber-is-nan@1.0.1(transitive)
- Removedos-homedir@1.0.2(transitive)
- Removedos-tmpdir@1.0.2(transitive)
- Removedosenv@0.1.5(transitive)
- Removedprocess-nextick-args@2.0.1(transitive)
- Removedrc@1.2.8(transitive)
- Removedreadable-stream@2.3.8(transitive)
- Removedrimraf@2.7.1(transitive)
- Removedsafe-buffer@5.1.2(transitive)
- Removedsafer-buffer@2.1.2(transitive)
- Removedsax@1.3.0(transitive)
- Removedsemver@5.7.2(transitive)
- Removedstring-width@1.0.2(transitive)
- Removedstring_decoder@1.1.1(transitive)
- Removedstrip-ansi@3.0.1(transitive)
- Removedstrip-json-comments@2.0.1(transitive)
- Removedtar@4.4.19(transitive)
- Removedyallist@3.1.1(transitive)
Updatednode-addon-api@^3.1.0