You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

292 lines
7.7 KiB

  1. package bcrypt
  2. // MODIFIED BY TENDERMINT TO EXPOSE NONCE
  3. // Copyright 2011 The Go Authors. All rights reserved.
  4. // Use of this source code is governed by a BSD-style
  5. // license that can be found in the LICENSE file.
  6. // Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
  7. // algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
  8. // The code is a port of Provos and Mazières's C implementation.
  9. import (
  10. "crypto/subtle"
  11. "errors"
  12. "fmt"
  13. "strconv"
  14. "golang.org/x/crypto/blowfish"
  15. )
  16. const (
  17. MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword
  18. MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
  19. DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
  20. )
  21. // The error returned from CompareHashAndPassword when a password and hash do
  22. // not match.
  23. var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
  24. // The error returned from CompareHashAndPassword when a hash is too short to
  25. // be a bcrypt hash.
  26. var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
  27. // The error returned from CompareHashAndPassword when a hash was created with
  28. // a bcrypt algorithm newer than this implementation.
  29. type HashVersionTooNewError byte
  30. func (hv HashVersionTooNewError) Error() string {
  31. return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
  32. }
  33. // The error returned from CompareHashAndPassword when a hash starts with something other than '$'
  34. type InvalidHashPrefixError byte
  35. func (ih InvalidHashPrefixError) Error() string {
  36. return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
  37. }
  38. type InvalidCostError int
  39. func (ic InvalidCostError) Error() string {
  40. return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
  41. }
  42. const (
  43. majorVersion = '2'
  44. minorVersion = 'a'
  45. maxSaltSize = 16
  46. maxCryptedHashSize = 23
  47. encodedSaltSize = 22
  48. encodedHashSize = 31
  49. minHashSize = 59
  50. )
  51. // magicCipherData is an IV for the 64 Blowfish encryption calls in
  52. // bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
  53. var magicCipherData = []byte{
  54. 0x4f, 0x72, 0x70, 0x68,
  55. 0x65, 0x61, 0x6e, 0x42,
  56. 0x65, 0x68, 0x6f, 0x6c,
  57. 0x64, 0x65, 0x72, 0x53,
  58. 0x63, 0x72, 0x79, 0x44,
  59. 0x6f, 0x75, 0x62, 0x74,
  60. }
  61. type hashed struct {
  62. hash []byte
  63. salt []byte
  64. cost int // allowed range is MinCost to MaxCost
  65. major byte
  66. minor byte
  67. }
  68. // GenerateFromPassword returns the bcrypt hash of the password at the given
  69. // cost. If the cost given is less than MinCost, the cost will be set to
  70. // DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
  71. // to compare the returned hashed password with its cleartext version.
  72. func GenerateFromPassword(salt []byte, password []byte, cost int) ([]byte, error) {
  73. if len(salt) != maxSaltSize {
  74. return nil, fmt.Errorf("Salt len must be %v", maxSaltSize)
  75. }
  76. p, err := newFromPassword(salt, password, cost)
  77. if err != nil {
  78. return nil, err
  79. }
  80. return p.Hash(), nil
  81. }
  82. // CompareHashAndPassword compares a bcrypt hashed password with its possible
  83. // plaintext equivalent. Returns nil on success, or an error on failure.
  84. func CompareHashAndPassword(hashedPassword, password []byte) error {
  85. p, err := newFromHash(hashedPassword)
  86. if err != nil {
  87. return err
  88. }
  89. otherHash, err := bcrypt(password, p.cost, p.salt)
  90. if err != nil {
  91. return err
  92. }
  93. otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
  94. if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
  95. return nil
  96. }
  97. return ErrMismatchedHashAndPassword
  98. }
  99. // Cost returns the hashing cost used to create the given hashed
  100. // password. When, in the future, the hashing cost of a password system needs
  101. // to be increased in order to adjust for greater computational power, this
  102. // function allows one to establish which passwords need to be updated.
  103. func Cost(hashedPassword []byte) (int, error) {
  104. p, err := newFromHash(hashedPassword)
  105. if err != nil {
  106. return 0, err
  107. }
  108. return p.cost, nil
  109. }
  110. func newFromPassword(salt []byte, password []byte, cost int) (*hashed, error) {
  111. if cost < MinCost {
  112. cost = DefaultCost
  113. }
  114. p := new(hashed)
  115. p.major = majorVersion
  116. p.minor = minorVersion
  117. err := checkCost(cost)
  118. if err != nil {
  119. return nil, err
  120. }
  121. p.cost = cost
  122. p.salt = base64Encode(salt)
  123. hash, err := bcrypt(password, p.cost, p.salt)
  124. if err != nil {
  125. return nil, err
  126. }
  127. p.hash = hash
  128. return p, err
  129. }
  130. func newFromHash(hashedSecret []byte) (*hashed, error) {
  131. if len(hashedSecret) < minHashSize {
  132. return nil, ErrHashTooShort
  133. }
  134. p := new(hashed)
  135. n, err := p.decodeVersion(hashedSecret)
  136. if err != nil {
  137. return nil, err
  138. }
  139. hashedSecret = hashedSecret[n:]
  140. n, err = p.decodeCost(hashedSecret)
  141. if err != nil {
  142. return nil, err
  143. }
  144. hashedSecret = hashedSecret[n:]
  145. // The "+2" is here because we'll have to append at most 2 '=' to the salt
  146. // when base64 decoding it in expensiveBlowfishSetup().
  147. p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
  148. copy(p.salt, hashedSecret[:encodedSaltSize])
  149. hashedSecret = hashedSecret[encodedSaltSize:]
  150. p.hash = make([]byte, len(hashedSecret))
  151. copy(p.hash, hashedSecret)
  152. return p, nil
  153. }
  154. func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
  155. cipherData := make([]byte, len(magicCipherData))
  156. copy(cipherData, magicCipherData)
  157. c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
  158. if err != nil {
  159. return nil, err
  160. }
  161. for i := 0; i < 24; i += 8 {
  162. for j := 0; j < 64; j++ {
  163. c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
  164. }
  165. }
  166. // Bug compatibility with C bcrypt implementations. We only encode 23 of
  167. // the 24 bytes encrypted.
  168. hsh := base64Encode(cipherData[:maxCryptedHashSize])
  169. return hsh, nil
  170. }
  171. func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
  172. csalt, err := base64Decode(salt)
  173. if err != nil {
  174. return nil, err
  175. }
  176. // Bug compatibility with C bcrypt implementations. They use the trailing
  177. // NULL in the key string during expansion.
  178. ckey := append(key, 0)
  179. c, err := blowfish.NewSaltedCipher(ckey, csalt)
  180. if err != nil {
  181. return nil, err
  182. }
  183. var i, rounds uint64
  184. rounds = 1 << cost
  185. for i = 0; i < rounds; i++ {
  186. blowfish.ExpandKey(ckey, c)
  187. blowfish.ExpandKey(csalt, c)
  188. }
  189. return c, nil
  190. }
  191. func (p *hashed) Hash() []byte {
  192. arr := make([]byte, 60)
  193. arr[0] = '$'
  194. arr[1] = p.major
  195. n := 2
  196. if p.minor != 0 {
  197. arr[2] = p.minor
  198. n = 3
  199. }
  200. arr[n] = '$'
  201. n += 1
  202. copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
  203. n += 2
  204. arr[n] = '$'
  205. n += 1
  206. copy(arr[n:], p.salt)
  207. n += encodedSaltSize
  208. copy(arr[n:], p.hash)
  209. n += encodedHashSize
  210. return arr[:n]
  211. }
  212. func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
  213. if sbytes[0] != '$' {
  214. return -1, InvalidHashPrefixError(sbytes[0])
  215. }
  216. if sbytes[1] > majorVersion {
  217. return -1, HashVersionTooNewError(sbytes[1])
  218. }
  219. p.major = sbytes[1]
  220. n := 3
  221. if sbytes[2] != '$' {
  222. p.minor = sbytes[2]
  223. n++
  224. }
  225. return n, nil
  226. }
  227. // sbytes should begin where decodeVersion left off.
  228. func (p *hashed) decodeCost(sbytes []byte) (int, error) {
  229. cost, err := strconv.Atoi(string(sbytes[0:2]))
  230. if err != nil {
  231. return -1, err
  232. }
  233. err = checkCost(cost)
  234. if err != nil {
  235. return -1, err
  236. }
  237. p.cost = cost
  238. return 3, nil
  239. }
  240. func (p *hashed) String() string {
  241. return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
  242. }
  243. func checkCost(cost int) error {
  244. if cost < MinCost || cost > MaxCost {
  245. return InvalidCostError(cost)
  246. }
  247. return nil
  248. }