1
// Copyright 2011 The Go Authors. All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
5
// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
6
// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
7
package bcrypt // import "golang.org/x/crypto/bcrypt"
9
// The code is a port of Provos and Mazières's C implementation.
18
"golang.org/x/crypto/blowfish"
22
MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword
23
MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
24
DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
27
// The error returned from CompareHashAndPassword when a password and hash do
29
var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
31
// The error returned from CompareHashAndPassword when a hash is too short to
33
var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
35
// The error returned from CompareHashAndPassword when a hash was created with
36
// a bcrypt algorithm newer than this implementation.
37
type HashVersionTooNewError byte
39
func (hv HashVersionTooNewError) Error() string {
40
return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
43
// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
44
type InvalidHashPrefixError byte
46
func (ih InvalidHashPrefixError) Error() string {
47
return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
50
type InvalidCostError int
52
func (ic InvalidCostError) Error() string {
53
return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), MinCost, MaxCost)
60
maxCryptedHashSize = 23
66
// magicCipherData is an IV for the 64 Blowfish encryption calls in
67
// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
68
var magicCipherData = []byte{
69
0x4f, 0x72, 0x70, 0x68,
70
0x65, 0x61, 0x6e, 0x42,
71
0x65, 0x68, 0x6f, 0x6c,
72
0x64, 0x65, 0x72, 0x53,
73
0x63, 0x72, 0x79, 0x44,
74
0x6f, 0x75, 0x62, 0x74,
80
cost int // allowed range is MinCost to MaxCost
85
// ErrPasswordTooLong is returned when the password passed to
86
// GenerateFromPassword is too long (i.e. > 72 bytes).
87
var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes")
89
// GenerateFromPassword returns the bcrypt hash of the password at the given
90
// cost. If the cost given is less than MinCost, the cost will be set to
91
// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
92
// to compare the returned hashed password with its cleartext version.
93
// GenerateFromPassword does not accept passwords longer than 72 bytes, which
94
// is the longest password bcrypt will operate on.
95
func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
96
if len(password) > 72 {
97
return nil, ErrPasswordTooLong
99
p, err := newFromPassword(password, cost)
106
// CompareHashAndPassword compares a bcrypt hashed password with its possible
107
// plaintext equivalent. Returns nil on success, or an error on failure.
108
func CompareHashAndPassword(hashedPassword, password []byte) error {
109
p, err := newFromHash(hashedPassword)
114
otherHash, err := bcrypt(password, p.cost, p.salt)
119
otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
120
if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
124
return ErrMismatchedHashAndPassword
127
// Cost returns the hashing cost used to create the given hashed
128
// password. When, in the future, the hashing cost of a password system needs
129
// to be increased in order to adjust for greater computational power, this
130
// function allows one to establish which passwords need to be updated.
131
func Cost(hashedPassword []byte) (int, error) {
132
p, err := newFromHash(hashedPassword)
139
func newFromPassword(password []byte, cost int) (*hashed, error) {
144
p.major = majorVersion
145
p.minor = minorVersion
147
err := checkCost(cost)
153
unencodedSalt := make([]byte, maxSaltSize)
154
_, err = io.ReadFull(rand.Reader, unencodedSalt)
159
p.salt = base64Encode(unencodedSalt)
160
hash, err := bcrypt(password, p.cost, p.salt)
168
func newFromHash(hashedSecret []byte) (*hashed, error) {
169
if len(hashedSecret) < minHashSize {
170
return nil, ErrHashTooShort
173
n, err := p.decodeVersion(hashedSecret)
177
hashedSecret = hashedSecret[n:]
178
n, err = p.decodeCost(hashedSecret)
182
hashedSecret = hashedSecret[n:]
184
// The "+2" is here because we'll have to append at most 2 '=' to the salt
185
// when base64 decoding it in expensiveBlowfishSetup().
186
p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
187
copy(p.salt, hashedSecret[:encodedSaltSize])
189
hashedSecret = hashedSecret[encodedSaltSize:]
190
p.hash = make([]byte, len(hashedSecret))
191
copy(p.hash, hashedSecret)
196
func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
197
cipherData := make([]byte, len(magicCipherData))
198
copy(cipherData, magicCipherData)
200
c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
205
for i := 0; i < 24; i += 8 {
206
for j := 0; j < 64; j++ {
207
c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
211
// Bug compatibility with C bcrypt implementations. We only encode 23 of
212
// the 24 bytes encrypted.
213
hsh := base64Encode(cipherData[:maxCryptedHashSize])
217
func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
218
csalt, err := base64Decode(salt)
223
// Bug compatibility with C bcrypt implementations. They use the trailing
224
// NULL in the key string during expansion.
225
// We copy the key to prevent changing the underlying array.
226
ckey := append(key[:len(key):len(key)], 0)
228
c, err := blowfish.NewSaltedCipher(ckey, csalt)
235
for i = 0; i < rounds; i++ {
236
blowfish.ExpandKey(ckey, c)
237
blowfish.ExpandKey(csalt, c)
243
func (p *hashed) Hash() []byte {
244
arr := make([]byte, 60)
254
copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
258
copy(arr[n:], p.salt)
260
copy(arr[n:], p.hash)
265
func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
266
if sbytes[0] != '$' {
267
return -1, InvalidHashPrefixError(sbytes[0])
269
if sbytes[1] > majorVersion {
270
return -1, HashVersionTooNewError(sbytes[1])
274
if sbytes[2] != '$' {
281
// sbytes should begin where decodeVersion left off.
282
func (p *hashed) decodeCost(sbytes []byte) (int, error) {
283
cost, err := strconv.Atoi(string(sbytes[0:2]))
287
err = checkCost(cost)
295
func (p *hashed) String() string {
296
return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
299
func checkCost(cost int) error {
300
if cost < MinCost || cost > MaxCost {
301
return InvalidCostError(cost)