From 6d7273c6a3048573e02da5621b994f133c0f32a5 Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Sat, 12 Jul 2025 21:25:42 +0800 Subject: [PATCH] feat: add crypto bcrypt issue test --- README.md | 23 +-- __crypto/okta-bcrypt-issue/Cargo.lock | 257 +++++++++++++++++++++++++ __crypto/okta-bcrypt-issue/Cargo.toml | 9 + __crypto/okta-bcrypt-issue/src/main.rs | 33 ++++ 4 files changed, 311 insertions(+), 11 deletions(-) create mode 100644 __crypto/okta-bcrypt-issue/Cargo.lock create mode 100644 __crypto/okta-bcrypt-issue/Cargo.toml create mode 100644 __crypto/okta-bcrypt-issue/src/main.rs diff --git a/README.md b/README.md index bef15dc..da9b0ee 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Simple Rust Tests Project or files: ``` . +├── README_2.md ├── __alloc │   └── zeroizing-alloc-demo ├── __args @@ -17,8 +18,8 @@ Project or files: │   └── zstd-demo ├── __concurrent │   ├── arc-swap -│   ├── async_study │   ├── async-fn-resumed-after-completion +│   ├── async_study │   ├── crossbeam_n_parking_lot │   ├── glommio │   ├── green-threads @@ -44,6 +45,7 @@ Project or files: │   ├── jose-test │   ├── jsonwebtoken │   ├── liboqs-rust-demo +│   ├── okta-bcrypt-issue │   ├── orion-demo │   ├── passkey-rs-demo │   ├── password-hash @@ -77,7 +79,7 @@ Project or files: │   └── sqlx ├── __diff │   ├── diffy -│   ├── prettydiff +│   └── prettydiff ├── __enclave │   └── virt_enclave ├── __err @@ -89,9 +91,9 @@ Project or files: ├── __ffi │   ├── abi_stable_crates │   ├── c +│   ├── c2 │   ├── c_export │   ├── c_layout -│   ├── c2 │   ├── calltoc │   ├── cpp │   ├── dotalib @@ -102,7 +104,7 @@ Project or files: ├── __fs │   ├── crypt4ghfs-rust │   ├── fuse -│   ├── fuser +│   └── fuser ├── __gui │   ├── druid │   ├── gtk @@ -176,8 +178,8 @@ Project or files: │   ├── ngrok-demo │   ├── pcap │   ├── quinn -│   ├── rust_tcp │   ├── rust-rawsock-demo +│   ├── rust_tcp │   ├── s2n_quic │   ├── socket2 │   ├── tcp 
@@ -222,10 +224,10 @@ Project or files: │   ├── sshrs │   └── xshell ├── __shuttle -│   ├── hatter-test +│   └── hatter-test ├── __std -│   ├── async_await │   ├── async-fn +│   ├── async_await │   ├── into │   ├── iter │   ├── misc @@ -268,8 +270,8 @@ Project or files: │   ├── wasmtime-serde-demo │   └── wit-bindgen-sample ├── __web -│   ├── actix_rustls │   ├── actix-web +│   ├── actix_rustls │   ├── alibabacloundfn │   ├── hyper_rustls │   ├── hyperrs @@ -283,9 +285,8 @@ Project or files: │   ├── tide │   └── warp ├── build_readme.rs -> scripts/build_readme_rs/src/main.rs -├── README_2.md ├── scripts -│   ├── build_readme_rs +│   └── build_readme_rs └── single_file_tests ├── 99.rs ├── chain.rs @@ -309,6 +310,6 @@ Project or files: ├── vec.rs └── while.rs -281 directories, 38 files +282 directories, 38 files ``` diff --git a/__crypto/okta-bcrypt-issue/Cargo.lock b/__crypto/okta-bcrypt-issue/Cargo.lock new file mode 100644 index 0000000..94ecca5 --- /dev/null +++ b/__crypto/okta-bcrypt-issue/Cargo.lock 
@@ -0,0 +1,257 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 4 + +[[package]] +name = "base64" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" + +[[package]] +name = "bcrypt" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92758ad6077e4c76a6cadbce5005f666df70d4f13b19976b1a8062eef880040f" +dependencies = [ + "base64", + "blowfish", + "getrandom", + "subtle", + "zeroize", +] + +[[package]] +name = "bitflags" +version = "2.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967" + +[[package]] +name = "blowfish" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7" +dependencies = [ + "byteorder", + "cipher", +] + +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + +[[package]] +name = "cfg-if" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9555578bc9e57714c812a1f84e4fc5b4d21fcb063490c624de019f7464c91268" + +[[package]] +name = "cipher" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" +dependencies = [ + "crypto-common", + "inout", +] + +[[package]] +name = "crypto-common" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +dependencies = [ + "generic-array", + "typenum", +] + +[[package]] +name = "generic-array" +version = 
"0.14.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" +dependencies = [ + "typenum", + "version_check", +] + +[[package]] +name = "getrandom" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4" +dependencies = [ + "cfg-if", + "libc", + "r-efi", + "wasi", +] + +[[package]] +name = "inout" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01" +dependencies = [ + "generic-array", +] + +[[package]] +name = "libc" +version = "0.2.174" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776" + +[[package]] +name = "okta-bcrypt-issue" +version = "0.1.0" +dependencies = [ + "base64", + "bcrypt", + "rand", +] + +[[package]] +name = "ppv-lite86" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9" +dependencies = [ + "zerocopy", +] + +[[package]] +name = "proc-macro2" +version = "1.0.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + +[[package]] +name = "rand" +version = "0.9.1" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97" +dependencies = [ + "rand_chacha", + "rand_core", +] + +[[package]] +name = "rand_chacha" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" +dependencies = [ + "ppv-lite86", + "rand_core", +] + +[[package]] +name = "rand_core" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" +dependencies = [ + "getrandom", +] + +[[package]] +name = "subtle" +version = "2.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" + +[[package]] +name = "syn" +version = "2.0.104" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "typenum" +version = "1.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f" + +[[package]] +name = "unicode-ident" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" + +[[package]] +name = "version_check" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" + +[[package]] +name = "wasi" +version = "0.14.2+wasi-0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3" +dependencies = [ + "wit-bindgen-rt", +] + 
+[[package]] +name = "wit-bindgen-rt" +version = "0.39.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1" +dependencies = [ + "bitflags", +] + +[[package]] +name = "zerocopy" +version = "0.8.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1039dd0d3c310cf05de012d8a39ff557cb0d23087fd44cad61df08fc31907a2f" +dependencies = [ + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.8.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ecf5b4cc5364572d7f4c329661bcc82724222973f2cab6f050a4e5c22f75181" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zeroize" +version = "1.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" diff --git a/__crypto/okta-bcrypt-issue/Cargo.toml b/__crypto/okta-bcrypt-issue/Cargo.toml new file mode 100644 index 0000000..ba00d1c --- /dev/null +++ b/__crypto/okta-bcrypt-issue/Cargo.toml @@ -0,0 +1,9 @@ +[package] +name = "okta-bcrypt-issue" +version = "0.1.0" +edition = "2024" + +[dependencies] +base64 = "0.22.1" +bcrypt = "0.17.0" +rand = "0.9.1" diff --git a/__crypto/okta-bcrypt-issue/src/main.rs b/__crypto/okta-bcrypt-issue/src/main.rs new file mode 100644 index 0000000..d1022a0 --- /dev/null +++ b/__crypto/okta-bcrypt-issue/src/main.rs 
@@ -0,0 +1,33 @@
+use rand::RngCore;
+use base64::{Engine as _, engine::general_purpose::URL_SAFE};
+use std::error::Error;
+
+fn random_string(length: usize) -> String {
+ let mut bytes = vec![0u8; length];
+ rand::rng().fill_bytes(&mut bytes);
+ URL_SAFE.encode(&bytes)[..length].to_string()
+}
+
+// https://n0rdy.foo/posts/20250121/okta-bcrypt-lessons-for-better-apis/
+fn main() -> Result<(), Box> {
+ // 18 + 55 + 1 = 74, so above 72 characters' limit of BCrypt
+ let user_id = random_string(18);
+ let username = random_string(55);
+ let password = "super-duper-secure-password";
+
+ let combined_string = format!("{}:{}:{}", user_id, username, password);
+ let combined_hash = bcrypt::hash(combined_string.as_bytes(), bcrypt::DEFAULT_COST)?;
+
+ // let's try to break it
+ let wrong_password = "wrong-password";
+ let wrong_combined_string = format!("{}:{}:{}", user_id, username, wrong_password);
+
+ match bcrypt::verify(wrong_combined_string.as_bytes(), &combined_hash) {
+ Ok(true) => println!("Password is correct"),
+ Ok(false) => println!("Password is incorrect"),
+ Err(e) => println!("{}", e),
+ }
+
+ Ok(())
+}
+
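Review bot: The `match` at the end of `main` prints both outcomes neutrally, so the program never states which branch is the defect being reproduced: `Ok(true)` with `wrong_password` means the password portion was never compared, because bcrypt only processes the first 72 bytes of its input and the 75-byte `user_id:username:` prefix (the comment's `18 + 55 + 1 = 74` counts only one of the two `:` separators) pushes the password entirely past that limit. I would pin the precondition and label the outcome: `assert!(combined_string.len() > 72, "demo needs an input beyond bcrypt's 72-byte limit");` before the `bcrypt::hash` call, and `Ok(true) => println!("Password is correct -- BUG: wrong password accepted, input truncated at 72 bytes"),` in the match. A comment above `combined_string` should also name the mitigation a reader is meant to take away: hash only the password, or reject or pre-hash inputs longer than 72 bytes, rather than prefixing identifiers to the bcrypt input. `main`'s return type reads `Box>` here, presumably `Box<dyn Error>` lost in rendering given the `use std::error::Error;` import.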