Generic formula to calculate $raw_salt_len #27
Conversation
Added a generic formula to calculate $raw_salt_len, it will always generate the least amount of data required for a given $required_salt_len.
|
No, it's not wrong. |
|
I see now where you're coming from: Given a number n of Base64 digits, you calculate the number of bytes so that the Base64 encoding will have at least n digits. You can easily see that this makes no sense when you look at the bits. No matter how you interpret the meaning of the variables, you get inconsistent results: Let Now take I can't both be right. The general problem is that you cannot simply derive the number of bits required by the algorithm if all you have is the number of Base64 digits. For example, bcrypt uses 22 Base64 digits. This gives us a theoretical salt length of 132 bits. To cover all those bits, we would need 17 bytes of raw salt. In reality, however, bcrypt expects 16 bytes of salt. The remaining 4 bits in the Base64 representation are not used. This can only be explained with the inner workings of bcrypt. There is no general formula for that. I see two solutions: We assume that all algorithms operate on full bytes of salt. So we'll never have something like 132 bits of salt, only 8, 16, 32 ... The value of Or we simply hard-code the data -- which is what the library currently does. In case some future algorithm doesn't use full bytes of salt, we'll have to go down to bits. But your formula is definitely wrong. |
Added a generic formula to calculate $raw_salt_len, it will always return the value for least amount of data required for a given $required_salt_len.