Readonly span support

[ChrisMcKee]

Changes

Spans buffers and spans

Adds new methods that allow passing in a buffer

CreatePasswordHash(ReadOnlySpan<char> inputKey, ReadOnlySpan<char> salt,
        Span<char> outputBuffer, out int outputBufferWritten,
        HashType hashType = HashType.None,
        EnhancedHashDelegate enhancedHashKeyGen = null)

Adds in buffer zeroing when no longer needed to reduce time in memory.

Changed targeting and csproj defined constants to ensure net8 still gains the available support for span that came with the memory package and netstandard support. This could potentially start at 4.7.2 but the netstandard integration was iffy.

Validate input length (Breaking)

If the usage doesn't make use of the enhanced hash generation to retain entropy (aka the standard use) the library will throw when the input to hash length is greater than 72 bytes.
This isn't standard behaviour in most bcrypt libraries where truncating silently is the default.
But I believe this is necessary, should always have been in place, and will force developers to decide deliberately to truncate input at 72 if they wish to retain existing behaviour.

Enhanced Hashing V3

• Split 'enhanced' versions into separate classes
• Swap func for delegate
• Add span based calls

Along with switching the func to a bog standard delegate, splitting the enhanced versions into separate classes simplified maintaining the previous versions and adding in the new version.
The v3 enhanced hash adds in keyed HMAC which apart from protecting against theorical risks of shucking adds a further uniqueness to the produced key material.

Experimental SafeString support

Hate SafeString, it's filled with lies and was really only a useful feature in Windows. In an API it should never be touched but there are some cases in Windows apps where people still require it to tick a box so I've added a sort of basic implementation
This code requires unsafe enabled so will probably be disabled initially.

SecureEquals check

This basically needed to be made for the span handling but also allowed a few minor optimizations which mimic the code in the .net codebase.

Net 10

We basically try to tag against the lts releases; the code may be updated to target sts between releases to assertain if there is any performance improvement worth having but otherwise its lts.

Examples

The api uses the identity extension to enable bcrypt passwords; chucked in a maui to test performance on android as we've been asked before by people doing the hashing at the device level

Release Benchmarks

Separate project that tests previous nuget package versions; its mostly as a simple way to test for regressions in performance while the other benchmark project is for testing components in a more targeted way.

[github-actions]

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit c012ffc. ± Comparison against base commit 406d644.

♻️ This comment has been updated with latest results.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[Copilot]

Pull request overview

This PR adds comprehensive readonly span support to BCrypt.Net, targeting .NET 10 and introducing several major enhancements including span-based APIs, buffer zeroing for security, input length validation, Enhanced Hashing V3 with HMAC, and experimental SecureString support. The PR represents a significant modernization effort with breaking changes.

Changes:

• Adds span-based APIs for reduced allocations and improved performance
• Introduces input length validation (breaking change - throws on >72 bytes)
• Implements Enhanced Hashing V3 with keyed HMAC for additional security
• Updates target frameworks to .NET 10, .NET 8, and various .NET Framework versions

Reviewed changes

Copilot reviewed 138 out of 170 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
version.json	Updates schema URL and adds assembly version precision, duplicate key issue
tests/UnitTests/ThreadLocalStressTests.cs	New comprehensive stress tests for concurrent ThreadLocal usage
tests/UnitTests/Base64Tests.cs	Adds NETCOREAPP-specific span-based Base64 encoding tests
tests/UnitTests/BCryptTestsExtendedv3.cs	Updates copyright year, test refactoring with renamed variables
tests/UnitTests/BCrypt.Net.UnitTests.csproj	Updates to .NET 10, adds configurations and defines
tests/Directory.Build.props	Changes signing configuration and updates test packages
tests/BCrypt.Net.IdentityExtensions.Tests/*	New test project for Identity Extensions
stryker-config.json	New mutation testing configuration
src/create-preview-release.cmd	New command file for preview releases
src/Directory.Build.props	Updates package configuration, removes commented code
src/BCrypt.Net/SaltParseException.cs	Changes conditional compilation, updates documentation
src/BCrypt.Net/SafeStringExtension.cs	New SecureString support for .NET Core
src/BCrypt.Net/Properties/AssemblyInfo.cs	Updates InternalsVisibleTo with public keys
src/BCrypt.Net/HashType.cs	Reformats to file-scoped namespace
src/BCrypt.Net/HashParser.cs	Reformats, adds StringComparison.Ordinal
src/BCrypt.Net/Hash*.cs	Various refactorings and formatting changes
src/BCrypt.Net/BCryptExtendedV2*.cs	Refactors enhanced hashing, adds span support
src/BCrypt.Net/BCrypt.Net.csproj	Updates target frameworks, adds conditional defines
src/BCrypt.Net.IdentityExtensions/*	Updates for StringComparison, culture-aware operations
global.json	Updates SDK to 10.0.0
examples/*	Multiple new example projects and updates to .NET 10
docs/*	Documentation updates
benchmarks/*	Comprehensive benchmark refactoring and new projects
.github/workflows/*	CI/CD updates for .NET 10 and dependency updates

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.