[Solved]Recommendation for a compatible bcrypt

[rdxdt]

Hi i've been trying to use this unit for bcrypt https://github.com/hiraethbbs/pascal_bcrypt/blob/master/BCrypt.pas
But it doesn't work well when the password hash is generated by python's bcrypt https://pypi.org/project/bcrypt/
Anyone can recommend me a BCrypt library that is compatible with the hashes that python bcrypt library generates?

Solution: I'm doing the authentication using an endpoint in my python flask app that validates the credentials.

[LeP]

I don't know about Python, but I use for Windows very old units (10 years old or more, with support to TLS1V2, not TLS1v3) and I never had any issues (even if I don't use them intensively).
But they are only for Windows, so I don't know if they are compatible with Python.

... and I use them with Delphi ...

If you need them I post here a zip.

[rdxdt]

I don't know about Python, but I use for Windows very old units (10 years old or more, with support to TLS1V2, not TLS1v3) and I never had any issues (even if I don't use them intensively).
But they are only for Windows, so I don't know if they are compatible with Python.

... and I use them with Delphi ...

If you need them I post here a zip.

TLS? Bcrypt is a password hashing algorithm,

Let me give more context about what i'm doing, my company developed ERP and it is written in python using Flask, so it is a webapp, but now i'm developing the point of sale software, and i need to authenticate the users created within the erp, and in the ERP the user password is stored in the database hashed with bcrypt, so when the point of sale software tries to authenticate it must verify the password against the hash, which is where it is failing with the unit i am using right now.
Maybe it is some different algorithm or differences in a magic number that is used to make the salt.

[Xor-el]

The BCrypt ecosystem is unfortunately quite messy. There are several variations and implementation-specific nuances, and compatibility issues between different BCrypt implementations are not uncommon.

My suggestion would be to create a comprehensive test suite and run the same test vectors against both implementations. That should help identify exactly where they diverge and whether the differences can be accommodated or worked around in your implementation.

[rdxdt]

The BCrypt ecosystem is unfortunately quite messy. There are several variations and implementation-specific nuances, and compatibility issues between different BCrypt implementations are not uncommon.

My suggestion would be to create a comprehensive test suite and run the same test vectors against both implementations. That should help identify exactly where they diverge and whether the differences can be accommodated or worked around in your implementation.

Too much hassle, i've decided to leave the authentication completely on the web app side, and make an api route in the web app that receives the username and password(obviously over https) authenticates and return the UID and a result code in a json

[LeP]

TLS? Bcrypt is a password hashing algorithm,

TLS can be used in Key Derivation (KDF) functions in place of "secret", "hash", and "hmac".
I don't know much about it, but this is it.

[jamie]

https://github.com/rg3/libbcrypt/blob/master/crypt_blowfish/crypt_blowfish.c

Looks like it was copied from there.

I bet there is a translation error.

Jamie

[LeP]

@jamie
Mine are wrappers around Windows systems crypto libs (bcrypt.dll, ncrypt.dll and others).

[Thaddy]

There are also the MS bcrypt wrappers that I wrote but these do not have 100% coverage of the fulll api's..
these are partly on the fp-devel ~1 year ago.
I discussed it with MvC, but then my tumor was discovered and that was the reason it was not finished.
Maybe you did a better job. I used the FPC Windows style (Pointer params) , not the Delphi windows style (var or out params where param can not be nil).

[Warfley]

There can be more issues than just the algorithm. E.g. are you sure the encoding is the same? Also have you checked if python maybe hashes the 0 terminator as well and pascal doesn't?

Best check that the data in python is binary and bytewise identical with the pascal data

[Xor-el]

Just to avoid any confusion, the bcrypt.dll provided by Windows is unfortunately named. It exposes the CNG (Cryptography Next Generation) API and supports algorithms such as AES, SHA-1/2, RSA, ECDSA, PBKDF2, etc., but it does not implement the OpenBSD bcrypt password hashing algorithm ($2a$, $2b$, $2y$ hashes) been discussed in this thread.

[marcov]

There are also the MS bcrypt wrappers that I wrote but these do not have 100% coverage of the fulll api's..
these are partly on the fp-devel ~1 year ago.

(fyi A lot of blowfish(2) revs were merged to the fixes branch (for post rc1 3.2.4)  a few weeks ago)