Whenever you verify a hash, the version returned in the result is always `$2a$`:
Sample case:

```java
// Create the hash with version $2b$ and cost 12
Hasher hasher = BCrypt.with(Version.VERSION_2B);
long start = System.currentTimeMillis();
System.out.println("start");
byte[] hash = hasher.hash(12, "abc321".getBytes(StandardCharsets.UTF_8));
System.out.println("end");
System.out.println("Took " + (System.currentTimeMillis() - start) + "ms");

// Verify the same password, explicitly requesting $2b$
Verifyer verifier = BCrypt.verifyer();
start = System.currentTimeMillis();
System.out.println("start");
System.out.println(verifier.verifyStrict("abc321".getBytes(StandardCharsets.UTF_8), hash, Version.VERSION_2B));
System.out.println("end");
System.out.println("Took " + (System.currentTimeMillis() - start) + "ms");
```
Output:

```
start
end
Took 375ms
start
Result{details=HashData{cost=12, version=$2a$, rawSalt=63307d3ec2480e8b1840095fc8ce0d06, rawHash=77ce9567471ac1e2d1600a1219d26c9b5f67915df519c1}, validFormat=true, verified=true, formatErrorMessage='null'}
end
Took 305ms
```
This happens with both `verify` and `verifyStrict`.

As far as I could pinpoint, both functions end up calling this method, which completely ignores the requested hash version and ends up using `BCrypt.withDefaults()`.

Even though this seems to have no effect on the verification result, it is an issue that can be fixed quickly.
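
One way to check a hash's version independently of the `Result` object is to read the prefix from the hash bytes themselves. This is an added example, not part of the original report or the library's code: the class `BcryptPrefixCheck` and its methods are hypothetical names, it assumes the usual `$2<minor>$<cost>$<salt><hash>` layout, and the sample hashes are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BcryptPrefixCheck {
    // $2<minor>$<2-digit cost>$<22-char salt><31-char hash>, in bcrypt's base64 alphabet
    private static final Pattern MCF = Pattern.compile(
            "^\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    /** Returns the version identifier ("2a", "2b", ...) stored in the hash itself. */
    static String versionOf(byte[] hash) {
        Matcher m = MCF.matcher(new String(hash, StandardCharsets.US_ASCII));
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt modular-crypt string");
        }
        int cost = Integer.parseInt(m.group(2));
        if (cost < 4 || cost > 31) {
            throw new IllegalArgumentException("cost out of range: " + cost);
        }
        return m.group(1);
    }

    /** True only when the stored prefix equals the version the caller expects. */
    static boolean hasVersion(byte[] hash, String expected) {
        return versionOf(hash).equals(expected);
    }

    public static void main(String[] args) {
        // Constructed samples: structurally valid, not real password hashes.
        String body = "a".repeat(22) + "b".repeat(31);
        byte[] h2b = ("$2b$12$" + body).getBytes(StandardCharsets.US_ASCII);
        byte[] h2a = ("$2a$12$" + body).getBytes(StandardCharsets.US_ASCII);

        System.out.println("stored version: " + versionOf(h2b));
        System.out.println("2b hash matches 2b: " + hasVersion(h2b, "2b"));
        System.out.println("2a hash matches 2b: " + hasVersion(h2a, "2b"));
    }
}
```

Comparing this value with the version printed in `Result.details` shows whether the reported version reflects the hash or only the verifier's default.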