Botan 3.11.0
Crypto and TLS for C&
bcrypt.cpp
Go to the documentation of this file.
1/*
2* Bcrypt Password Hashing
3* (C) 2010,2018,2020 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/bcrypt.h>
9
10#include <botan/base64.h>
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/rng.h>
14#include <botan/internal/blowfish.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/internal/fmt.h>
17#include <botan/internal/mem_utils.h>
18#include <botan/internal/parsing.h>
19
20namespace Botan {
21
22namespace {
23
24// Bcrypt uses a non-standard base64 alphabet
25uint8_t base64_to_bcrypt_encoding(uint8_t c) {
26 const auto is_ab = CT::Mask<uint8_t>::is_within_range(c, 'a', 'b');
27 const auto is_cz = CT::Mask<uint8_t>::is_within_range(c, 'c', 'z');
28 const auto is_CZ = CT::Mask<uint8_t>::is_within_range(c, 'C', 'Z');
29
30 const auto is_01 = CT::Mask<uint8_t>::is_within_range(c, '0', '1');
31 const auto is_29 = CT::Mask<uint8_t>::is_within_range(c, '2', '9');
32
33 const auto is_A = CT::Mask<uint8_t>::is_equal(c, 'A');
34 const auto is_B = CT::Mask<uint8_t>::is_equal(c, 'B');
35 const auto is_plus = CT::Mask<uint8_t>::is_equal(c, '+');
36 const auto is_slash = CT::Mask<uint8_t>::is_equal(c, '/');
37
38 uint8_t ret = 0x80;
39 ret = is_ab.select(c - 'a' + 'Y', ret);
40 ret = is_cz.select(c - 2, ret);
41 ret = is_CZ.select(c - 2, ret);
42 ret = is_01.select(c - '0' + 'y', ret);
43 ret = is_29.select(c - '2' + '0', ret);
44 ret = is_A.select('.', ret);
45 ret = is_B.select('/', ret);
46 ret = is_plus.select('8', ret);
47 ret = is_slash.select('9', ret);
48
49 return ret;
50}
51
52uint8_t bcrypt_encoding_to_base64(uint8_t c) {
53 const auto is_ax = CT::Mask<uint8_t>::is_within_range(c, 'a', 'x');
54 const auto is_yz = CT::Mask<uint8_t>::is_within_range(c, 'y', 'z');
55
56 const auto is_AX = CT::Mask<uint8_t>::is_within_range(c, 'A', 'X');
57 const auto is_YZ = CT::Mask<uint8_t>::is_within_range(c, 'Y', 'Z');
58 const auto is_07 = CT::Mask<uint8_t>::is_within_range(c, '0', '7');
59
60 const auto is_8 = CT::Mask<uint8_t>::is_equal(c, '8');
61 const auto is_9 = CT::Mask<uint8_t>::is_equal(c, '9');
62 const auto is_dot = CT::Mask<uint8_t>::is_equal(c, '.');
63 const auto is_slash = CT::Mask<uint8_t>::is_equal(c, '/');
64
65 uint8_t ret = 0x80;
66 ret = is_ax.select(c - 'a' + 'c', ret);
67 ret = is_yz.select(c - 'y' + '0', ret);
68 ret = is_AX.select(c - 'A' + 'C', ret);
69 ret = is_YZ.select(c - 'Y' + 'a', ret);
70 ret = is_07.select(c - '0' + '2', ret);
71 ret = is_8.select('+', ret);
72 ret = is_9.select('/', ret);
73 ret = is_dot.select('A', ret);
74 ret = is_slash.select('B', ret);
75
76 return ret;
77}
78
79std::string bcrypt_base64_encode(std::span<const uint8_t> input) {
80 std::string b64 = base64_encode(input);
81
82 while(!b64.empty() && b64.back() == '=') {
83 b64.pop_back();
84 }
85
86 for(char& c : b64) {
87 c = static_cast<char>(base64_to_bcrypt_encoding(static_cast<uint8_t>(c)));
88 }
89
90 return b64;
91}
92
93std::vector<uint8_t> bcrypt_base64_decode(std::string_view input) {
94 std::string translated;
95 for(const char c : input) {
96 translated.push_back(bcrypt_encoding_to_base64(static_cast<uint8_t>(c)));
97 }
98
99 return unlock(base64_decode(translated));
100}
101
102std::string make_bcrypt(std::string_view pass, std::span<const uint8_t> salt, uint16_t work_factor, char version) {
103 /*
104 * On a 4 GHz Skylake, workfactor == 18 takes about 15 seconds to
105 * hash a password. This seems like a reasonable upper bound for the
106 * time being.
107 * Bcrypt allows up to work factor 31 (2^31 iterations)
108 */
109 BOTAN_ARG_CHECK(work_factor >= 4 && work_factor <= 18, "Invalid bcrypt work factor");
110
111 alignas(64) static const uint8_t BCRYPT_MAGIC[8 * 3] = {0x4F, 0x72, 0x70, 0x68, 0x65, 0x61, 0x6E, 0x42,
112 0x65, 0x68, 0x6F, 0x6C, 0x64, 0x65, 0x72, 0x53,
113 0x63, 0x72, 0x79, 0x44, 0x6F, 0x75, 0x62, 0x74};
114
115 Blowfish blowfish;
116
117 // Bcrypt is defined with the key including the trailing NULL so we must copy it to a local
118 // variable since std::string_view is not necessarily NULL terminated.
119 secure_vector<uint8_t> pass_w_null(pass.size() + 1);
120 copy_mem(std::span{pass_w_null}.first(pass.size()), as_span_of_bytes(pass));
121
122 blowfish.salted_set_key(pass_w_null.data(), pass_w_null.size(), salt.data(), salt.size(), work_factor);
123
124 std::vector<uint8_t> ctext(BCRYPT_MAGIC, BCRYPT_MAGIC + 8 * 3);
125
126 for(size_t i = 0; i != 64; ++i) {
127 blowfish.encrypt_n(ctext.data(), ctext.data(), 3);
128 }
129
130 const std::string salt_b64 = bcrypt_base64_encode(salt);
131
132 std::string work_factor_str = std::to_string(work_factor);
133 if(work_factor_str.length() == 1) {
134 work_factor_str = "0" + work_factor_str;
135 }
136
137 return fmt("$2{}${}${}{}",
138 version,
139 work_factor_str,
140 salt_b64.substr(0, 22),
141 bcrypt_base64_encode(std::span{ctext}.first(ctext.size() - 1)));
142}
143
144} // namespace
145
146std::string generate_bcrypt(std::string_view pass, RandomNumberGenerator& rng, uint16_t work_factor, char version) {
147 /*
148 2a, 2b and 2y are identical for our purposes because our implementation of 2a
149 never had the truncation or signed char bugs in the first place.
150 */
151
152 if(version != 'a' && version != 'b' && version != 'y') {
153 throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
154 }
155
156 std::vector<uint8_t> salt;
157 rng.random_vec(salt, 16);
158 return make_bcrypt(pass, salt, work_factor, version);
159}
160
161bool check_bcrypt(std::string_view pass, std::string_view hash) {
162 if(hash.size() != 60 || hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$') {
163 return false;
164 }
165
166 const char bcrypt_version = hash[2];
167
168 if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y') {
169 return false;
170 }
171
172 const uint16_t workfactor = to_uint16(hash.substr(4, 2));
173
174 const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
175 if(salt.size() != 16) {
176 return false;
177 }
178
179 const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
180
181 return CT::is_equal(as_span_of_bytes(hash), as_span_of_bytes(compare)).as_bool();
182}
183
184} // namespace Botan
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::CT::Mask::is_within_range
static constexpr Mask< T > is_within_range(T v, T l, T u)
Definition ct_utils.h:470
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:442
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:204
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:798
Botan::to_uint16
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22
Botan::as_span_of_bytes
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:59
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::generate_bcrypt
std::string generate_bcrypt(std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
Definition bcrypt.cpp:146
Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:159
Botan::base64_decode
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:167
Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition secmem.h:85
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::check_bcrypt
bool check_bcrypt(std::string_view pass, std::string_view hash)
Definition bcrypt.cpp:161
Generated by doxygen 1.15.0