Botan  2.8.0
Crypto and TLS for C++11
bcrypt.cpp
Go to the documentation of this file.
1 /*
2 * Bcrypt Password Hashing
3 * (C) 2010,2018 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/bcrypt.h>
9 #include <botan/rng.h>
10 #include <botan/blowfish.h>
11 #include <botan/base64.h>
12 #include <botan/parsing.h>
13 
14 namespace Botan {
15 
16 namespace {
17 
18 std::string bcrypt_base64_encode(const uint8_t input[], size_t length)
19  {
20  // Bcrypt uses a non-standard base64 alphabet
21  const uint8_t OPENBSD_BASE64_SUB[256] = {
22  0x00, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
23  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
24  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
25  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x38, 0x80, 0x80, 0x80, 0x39,
26  0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x80, 0x80,
27  0x80, 0x80, 0x80, 0x80, 0x80, 0x2E, 0x2F, 0x41, 0x42, 0x43, 0x44, 0x45,
28  0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51,
29  0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x80, 0x80, 0x80, 0x80, 0x80,
30  0x80, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
31  0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
32  0x76, 0x77, 0x78, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
33  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
34  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
35  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
36  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
37  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
38  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
39  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
40  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
41  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
42  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
43  0x80, 0x80, 0x80, 0x80
44  };
45 
46  std::string b64 = base64_encode(input, length);
47 
48  while(b64.size() && b64[b64.size()-1] == '=')
49  b64 = b64.substr(0, b64.size() - 1);
50 
51  for(size_t i = 0; i != b64.size(); ++i)
52  b64[i] = OPENBSD_BASE64_SUB[static_cast<uint8_t>(b64[i])];
53 
54  return b64;
55  }
56 
57 std::vector<uint8_t> bcrypt_base64_decode(std::string input)
58  {
59  const uint8_t OPENBSD_BASE64_SUB[256] = {
60  0x00, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
61  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
62  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
63  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x41, 0x42,
64  0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F, 0x80, 0x80,
65  0x80, 0x80, 0x80, 0x80, 0x80, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49,
66  0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55,
67  0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x80, 0x80, 0x80, 0x80, 0x80,
68  0x80, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D,
69  0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79,
70  0x7A, 0x30, 0x31, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
71  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
72  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
73  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
74  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
75  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
76  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
77  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
78  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
79  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
80  0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
81  0x80, 0x80, 0x80, 0x80
82  };
83 
84  for(size_t i = 0; i != input.size(); ++i)
85  input[i] = OPENBSD_BASE64_SUB[static_cast<uint8_t>(input[i])];
86 
87  return unlock(base64_decode(input));
88  }
89 
90 std::string make_bcrypt(const std::string& pass,
91  const std::vector<uint8_t>& salt,
92  uint16_t work_factor,
93  char version)
94  {
95  /*
96  * On a 4 GHz Skylake, workfactor == 18 takes about 15 seconds to
97  * hash a password. This seems like a reasonable upper bound for the
98  * time being.
99  * Bcrypt allows up to work factor 31 (2^31 iterations)
100  */
101  BOTAN_ARG_CHECK(work_factor >= 4 && work_factor <= 18,
102  "Invalid bcrypt work factor");
103 
104  static const uint8_t BCRYPT_MAGIC[8*3] = {
105  0x4F, 0x72, 0x70, 0x68, 0x65, 0x61, 0x6E, 0x42,
106  0x65, 0x68, 0x6F, 0x6C, 0x64, 0x65, 0x72, 0x53,
107  0x63, 0x72, 0x79, 0x44, 0x6F, 0x75, 0x62, 0x74
108  };
109 
110  Blowfish blowfish;
111 
112  // Include the trailing NULL byte, so we need c_str() not data()
113  blowfish.salted_set_key(cast_char_ptr_to_uint8(pass.c_str()),
114  pass.length() + 1,
115  salt.data(),
116  salt.size(),
117  work_factor);
118 
119  std::vector<uint8_t> ctext(BCRYPT_MAGIC, BCRYPT_MAGIC + 8*3);
120 
121  for(size_t i = 0; i != 64; ++i)
122  blowfish.encrypt_n(ctext.data(), ctext.data(), 3);
123 
124  std::string salt_b64 = bcrypt_base64_encode(salt.data(), salt.size());
125 
126  std::string work_factor_str = std::to_string(work_factor);
127  if(work_factor_str.length() == 1)
128  work_factor_str = "0" + work_factor_str;
129 
130  return "$2" + std::string(1, version) + "$" + work_factor_str +
131  "$" + salt_b64.substr(0, 22) +
132  bcrypt_base64_encode(ctext.data(), ctext.size() - 1);
133  }
134 
135 }
136 
137 std::string generate_bcrypt(const std::string& pass,
139  uint16_t work_factor,
140  char version)
141  {
142  /*
143  2a, 2b and 2y are identical for our purposes because our implementation of 2a
144  never had the truncation or signed char bugs in the first place.
145  */
146 
147  if(version != 'a' && version != 'b' && version != 'y')
148  throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
149  return make_bcrypt(pass, unlock(rng.random_vec(16)), work_factor, version);
150  }
151 
152 bool check_bcrypt(const std::string& pass, const std::string& hash)
153  {
154  if(hash.size() != 60 ||
155  hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$')
156  {
157  return false;
158  }
159 
160  const char bcrypt_version = hash[2];
161 
162  if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y')
163  {
164  return false;
165  }
166 
167  const uint16_t workfactor = to_uint16(hash.substr(4, 2));
168 
169  const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
170  if(salt.size() != 16)
171  return false;
172 
173  const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
174 
175  return same_mem(hash.data(), compare.data(), compare.size());
176  }
177 
178 }
uint16_t to_uint16(const std::string &str)
Definition: parsing.cpp:21
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:141
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:158
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:131
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:161
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:95
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition: base64.cpp:192
bool check_bcrypt(const std::string &pass, const std::string &hash)
Definition: bcrypt.cpp:152
MechanismType hash
std::string generate_bcrypt(const std::string &pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
Definition: bcrypt.cpp:137