I have a few questions on the code.
- Should the RNG being used not be one from the crypt libraries rather
than the Pharo one?
Probably, but I don't know the difference. I didn't want to have to load the Cryptography package to be able to use the FFI functions because I wanted to use the same code on Gemstone. And I'm not capable of knowing whether I ported the RNG or other parts accurately. Is there a way to use the Cryptography package RNG when its available or the default when its not? That might be helpful if people want to take advantage of it.
- The #checkPassWord:against method has the salt hardcoded at 30, yet
there is a method to set the length of the salt. Is there a reason for that?
Yes. Thats an error. It should have been 29. The extra character was dropped by the C library.
Bcrypt truncates the salt to the first 22 characters. The other 7 that are copied are the $2a$10$ that precedes the salt.
So it should be
BCryptLinuxFFI class>>#checkPassWord:against: checkPassword: password against: hash |salt| salt := hash copyFrom: 1 to:29.
^hash = (self ffiCrypt: password with: salt).
See: http://stackoverflow.com/questions/5881169/storing-a-hashed-password-bcrypt-...
I uploaded a new version with the above fix. I don't know of a list of issues that need some work. You might send a separate email to the list to see if anyone knows of one.
cryptography@lists.squeakfoundation.org