bcrypt.go 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294
  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. // Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
  5. // algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
  6. package bcrypt
  7. // The code is a port of Provos and Mazières's C implementation.
  8. import (
  9. "crypto/rand"
  10. "crypto/subtle"
  11. "errors"
  12. "fmt"
  13. "golang.org/x/crypto/blowfish"
  14. "io"
  15. "strconv"
  16. )
  17. const (
  18. MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword
  19. MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
  20. DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
  21. )
  22. // The error returned from CompareHashAndPassword when a password and hash do
  23. // not match.
  24. var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
  25. // The error returned from CompareHashAndPassword when a hash is too short to
  26. // be a bcrypt hash.
  27. var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
  28. // The error returned from CompareHashAndPassword when a hash was created with
  29. // a bcrypt algorithm newer than this implementation.
  30. type HashVersionTooNewError byte
  31. func (hv HashVersionTooNewError) Error() string {
  32. return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
  33. }
  34. // The error returned from CompareHashAndPassword when a hash starts with something other than '$'
  35. type InvalidHashPrefixError byte
  36. func (ih InvalidHashPrefixError) Error() string {
  37. return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
  38. }
  39. type InvalidCostError int
  40. func (ic InvalidCostError) Error() string {
  41. return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
  42. }
  43. const (
  44. majorVersion = '2'
  45. minorVersion = 'a'
  46. maxSaltSize = 16
  47. maxCryptedHashSize = 23
  48. encodedSaltSize = 22
  49. encodedHashSize = 31
  50. minHashSize = 59
  51. )
  52. // magicCipherData is an IV for the 64 Blowfish encryption calls in
  53. // bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
  54. var magicCipherData = []byte{
  55. 0x4f, 0x72, 0x70, 0x68,
  56. 0x65, 0x61, 0x6e, 0x42,
  57. 0x65, 0x68, 0x6f, 0x6c,
  58. 0x64, 0x65, 0x72, 0x53,
  59. 0x63, 0x72, 0x79, 0x44,
  60. 0x6f, 0x75, 0x62, 0x74,
  61. }
  62. type hashed struct {
  63. hash []byte
  64. salt []byte
  65. cost int // allowed range is MinCost to MaxCost
  66. major byte
  67. minor byte
  68. }
  69. // GenerateFromPassword returns the bcrypt hash of the password at the given
  70. // cost. If the cost given is less than MinCost, the cost will be set to
  71. // DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
  72. // to compare the returned hashed password with its cleartext version.
  73. func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
  74. p, err := newFromPassword(password, cost)
  75. if err != nil {
  76. return nil, err
  77. }
  78. return p.Hash(), nil
  79. }
  80. // CompareHashAndPassword compares a bcrypt hashed password with its possible
  81. // plaintext equivalent. Returns nil on success, or an error on failure.
  82. func CompareHashAndPassword(hashedPassword, password []byte) error {
  83. p, err := newFromHash(hashedPassword)
  84. if err != nil {
  85. return err
  86. }
  87. otherHash, err := bcrypt(password, p.cost, p.salt)
  88. if err != nil {
  89. return err
  90. }
  91. otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
  92. if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
  93. return nil
  94. }
  95. return ErrMismatchedHashAndPassword
  96. }
  97. // Cost returns the hashing cost used to create the given hashed
  98. // password. When, in the future, the hashing cost of a password system needs
  99. // to be increased in order to adjust for greater computational power, this
  100. // function allows one to establish which passwords need to be updated.
  101. func Cost(hashedPassword []byte) (int, error) {
  102. p, err := newFromHash(hashedPassword)
  103. if err != nil {
  104. return 0, err
  105. }
  106. return p.cost, nil
  107. }
  108. func newFromPassword(password []byte, cost int) (*hashed, error) {
  109. if cost < MinCost {
  110. cost = DefaultCost
  111. }
  112. p := new(hashed)
  113. p.major = majorVersion
  114. p.minor = minorVersion
  115. err := checkCost(cost)
  116. if err != nil {
  117. return nil, err
  118. }
  119. p.cost = cost
  120. unencodedSalt := make([]byte, maxSaltSize)
  121. _, err = io.ReadFull(rand.Reader, unencodedSalt)
  122. if err != nil {
  123. return nil, err
  124. }
  125. p.salt = base64Encode(unencodedSalt)
  126. hash, err := bcrypt(password, p.cost, p.salt)
  127. if err != nil {
  128. return nil, err
  129. }
  130. p.hash = hash
  131. return p, err
  132. }
  133. func newFromHash(hashedSecret []byte) (*hashed, error) {
  134. if len(hashedSecret) < minHashSize {
  135. return nil, ErrHashTooShort
  136. }
  137. p := new(hashed)
  138. n, err := p.decodeVersion(hashedSecret)
  139. if err != nil {
  140. return nil, err
  141. }
  142. hashedSecret = hashedSecret[n:]
  143. n, err = p.decodeCost(hashedSecret)
  144. if err != nil {
  145. return nil, err
  146. }
  147. hashedSecret = hashedSecret[n:]
  148. // The "+2" is here because we'll have to append at most 2 '=' to the salt
  149. // when base64 decoding it in expensiveBlowfishSetup().
  150. p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
  151. copy(p.salt, hashedSecret[:encodedSaltSize])
  152. hashedSecret = hashedSecret[encodedSaltSize:]
  153. p.hash = make([]byte, len(hashedSecret))
  154. copy(p.hash, hashedSecret)
  155. return p, nil
  156. }
  157. func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
  158. cipherData := make([]byte, len(magicCipherData))
  159. copy(cipherData, magicCipherData)
  160. c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
  161. if err != nil {
  162. return nil, err
  163. }
  164. for i := 0; i < 24; i += 8 {
  165. for j := 0; j < 64; j++ {
  166. c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
  167. }
  168. }
  169. // Bug compatibility with C bcrypt implementations. We only encode 23 of
  170. // the 24 bytes encrypted.
  171. hsh := base64Encode(cipherData[:maxCryptedHashSize])
  172. return hsh, nil
  173. }
  174. func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
  175. csalt, err := base64Decode(salt)
  176. if err != nil {
  177. return nil, err
  178. }
  179. // Bug compatibility with C bcrypt implementations. They use the trailing
  180. // NULL in the key string during expansion.
  181. ckey := append(key, 0)
  182. c, err := blowfish.NewSaltedCipher(ckey, csalt)
  183. if err != nil {
  184. return nil, err
  185. }
  186. var i, rounds uint64
  187. rounds = 1 << cost
  188. for i = 0; i < rounds; i++ {
  189. blowfish.ExpandKey(ckey, c)
  190. blowfish.ExpandKey(csalt, c)
  191. }
  192. return c, nil
  193. }
  194. func (p *hashed) Hash() []byte {
  195. arr := make([]byte, 60)
  196. arr[0] = '$'
  197. arr[1] = p.major
  198. n := 2
  199. if p.minor != 0 {
  200. arr[2] = p.minor
  201. n = 3
  202. }
  203. arr[n] = '$'
  204. n += 1
  205. copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
  206. n += 2
  207. arr[n] = '$'
  208. n += 1
  209. copy(arr[n:], p.salt)
  210. n += encodedSaltSize
  211. copy(arr[n:], p.hash)
  212. n += encodedHashSize
  213. return arr[:n]
  214. }
  215. func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
  216. if sbytes[0] != '$' {
  217. return -1, InvalidHashPrefixError(sbytes[0])
  218. }
  219. if sbytes[1] > majorVersion {
  220. return -1, HashVersionTooNewError(sbytes[1])
  221. }
  222. p.major = sbytes[1]
  223. n := 3
  224. if sbytes[2] != '$' {
  225. p.minor = sbytes[2]
  226. n++
  227. }
  228. return n, nil
  229. }
  230. // sbytes should begin where decodeVersion left off.
  231. func (p *hashed) decodeCost(sbytes []byte) (int, error) {
  232. cost, err := strconv.Atoi(string(sbytes[0:2]))
  233. if err != nil {
  234. return -1, err
  235. }
  236. err = checkCost(cost)
  237. if err != nil {
  238. return -1, err
  239. }
  240. p.cost = cost
  241. return 3, nil
  242. }
  243. func (p *hashed) String() string {
  244. return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
  245. }
  246. func checkCost(cost int) error {
  247. if cost < MinCost || cost > MaxCost {
  248. return InvalidCostError(cost)
  249. }
  250. return nil
  251. }