问题
I've written a short program in Go to generate a bcrypt password hash from a password provided via stdin. Minimal example below:
package main
import (
"bufio"
"fmt"
"golang.org/x/crypto/bcrypt"
)
func main() {
fmt.Println("Enter password:")
reader := bufio.NewReader(os.Stdin)
inputPassword, _ := reader.ReadString('\n')
inputPasswordBytes := []byte(inputPassword)
hashBytes, _ := bcrypt.GenerateFromPassword(inputPasswordBytes, bcrypt.DefaultCost)
hashStr := string(hashBytes)
fmt.Println(hashStr)
}
In another program (a Go web-server) I accept the user's password from a HTTP POST request and test it against a hash generated with the code above and saved to a configuration file that's loaded at startup, like so:
func authenticateHashedPassword(inputPassword string) bool {
configPasswordHashBytes := []byte(server.Config.Net.Auth.Password)
inputPasswordBytes := []byte(inputPassword)
err := bcrypt.CompareHashAndPassword(configPasswordHashBytes, inputPasswordBytes)
if err != nil {
return false
}
return true
}
However this reports failure when I know inputPassword is correct. After some investigation I saw that my initial func main above was generating the wrong output when I used this website to test my values: https://www.dailycred.com/article/bcrypt-calculator - it says all of the output I generate doesn't match the desired passwords.
I'm assuming there's something wrong going on with the character encoding or other details when I do []byte(inputPassword) - is it perhaps including the trailing line-ending?
Unfortunately I cannot step-through debug my program because Visual Studio Code's Go language tools and debugger does not support using standard-IO: https://github.com/Microsoft/vscode-go/issues/219
回答1:
The bufio Reader.ReadString method returns the data up to and including the \n delimiter. The \n is included in the password. Use strings.TrimSpace to trim the \n and any whitespace that may have been entered by the user.
package main
import (
"bufio"
"fmt"
"golang.org/x/crypto/bcrypt"
)
func main() {
fmt.Println("Enter password:")
reader := bufio.NewReader(os.Stdin)
inputPassword, _ := strings.TrimSpace(reader.ReadString('\n'), "\n"))
inputPasswordBytes := []byte(inputPassword)
hashed, _ := bcrypt.GenerateFromPassword(inputPasswordBytes, bcrypt.DefaultCost)
fmt.Printf("%s\n", hashed)
}
来源:https://stackoverflow.com/questions/50264864/bcrypt-generates-incorrect-hashes-is-my-user-input-processing-correct