bcgit
`BCrypt.generate(...)` is error-prone
The method BCrypt.generate(...) is quite error-prone because it expects that the caller adds a trailing null byte to the password, otherwise two passwords with one being the repetition of the other (e.g. "abc" and "abcabc") will have the same hash.
There have already been two issues about this here for this repository (#393, #1496), and if you perform a GitHub code search you will see that a lot of callers seem to not add a trailing null byte either. One reason might be that before be99e8d1178fd340bed3e536aef0dcab2f16fdf2 this requirement was not documented.
Given that this method is so error-prone and a large number of users seem to use it incorrectly, what do you think about marking it as @Deprecated (but not considering it for removal)? And mentioning that
BCrypt.generate(...)should be used for advanced use cases only- users might want to prefer
org.bouncycastle.crypto.generators.OpenBSDBCrypt(which delegatesBCrypt, is easier to use and offers a lot of convenience methods) - users who want to use
BCrypt.generate(...)must make sure the password is terminated by a null byte
Adjusting BCrypt.generate(...) to automatically add a null byte would probably be a breaking change, and not doing anything (not even marking it as deprecated) would risk that existing users don't become aware of this issue, and new users might run into the same issue as well.
The same probably applies to the C# version https://github.com/bcgit/bc-csharp/blob/master/crypto/src/crypto/generators/BCrypt.cs as well.