1 /**
2 * Bcrypt Password Hashing
3 * 
4 * Copyright:
5 * (C) 2011 Jack Lloyd
6 * (C) 2014-2015 Etienne Cimon
7 *
8 * License:
9 * Botan is released under the Simplified BSD License (see LICENSE.md)
10 */
11 module botan.passhash.bcrypt;
12 
13 import botan.constants;
14 static if (BOTAN_HAS_BCRYPT && BOTAN_HAS_BLOWFISH):
15 import botan.rng.rng;
16 import botan.utils.loadstor;
17 import botan.block.blowfish;
18 import botan.codec.base64;
19 import botan.utils.types;
20 import botan.utils.mem_ops;
21 import std.string : toStringz;
22 import std.conv : to;
23 
24 /**
25 * Create a password hash using Bcrypt
26 * Params:
27 *  password = the password
28 *  rng = a random number generator
29 *  work_factor = how much work to do to slow down guessing attacks
30 *
31 * @see http://www.usenix.org/events/usenix99/provos/provos_html/
32 */
33 string generateBcrypt(in string password,
34                       RandomNumberGenerator rng,
35                       ushort work_factor = 10)
36 {
37     return makeBcrypt(password, unlock(rng.randomVec(16)), work_factor);
38 }
39 
40 /**
41 * Check a previously created password hash
42 * Params:
43 *  password = the password to check against
44 *  hash = the stored hash to check against
45 */
46 bool checkBcrypt(in string password, in string hash)
47 {
48     if (hash.length != 60 ||
49         hash[0] != '$' || hash[1] != '2' || hash[2] != 'a' ||
50         hash[3] != '$' || hash[6] != '$')
51     {
52         return false;
53     }
54     const ushort workfactor = cast(ushort) to!uint(hash[4 .. 6]);
55 
56     Vector!ubyte salt = bcryptBase64Decode(hash[7 .. 29].dup);
57     const string compare = makeBcrypt(password, salt, workfactor);
58 	// constant time memory comparisons on hashes, inefficient but necessary for timing attacks
59 	bool valid = true;
60 	if (compare.length != hash.length)
61 		valid = false;
62 	else {
63 		foreach (i, immutable(char) c; hash) {
64 			foreach (j, immutable(char) c2; compare) {
65 				if (i != j) continue;
66 				if (c != c2) {
67 					valid = false;
68 				}
69 				break;
70 			}
71 		}
72 	}
73     return valid;
74 }
75 
76 
77 private:
78 
79 string bcryptBase64Encode(const(ubyte)* input, size_t length)
80 {
81     // Bcrypt uses a non-standard base64 alphabet
82     __gshared immutable ubyte[256] OPENBSD_BASE64_SUB = [
83         0x00, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
84         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
85         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
86         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x38, 0x80, 0x80, 0x80, 0x39,
87         0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x80, 0x80,
88         0x80, 0x80, 0x80, 0x80, 0x80, 0x2E, 0x2F, 0x41, 0x42, 0x43, 0x44, 0x45,
89         0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51,
90         0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x80, 0x80, 0x80, 0x80, 0x80,
91         0x80, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
92         0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
93         0x76, 0x77, 0x78, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
94         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
95         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
96         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
97         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
98         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
99         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
100         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
101         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
102         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
103         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
104         0x80, 0x80, 0x80, 0x80
105     ];
106     
107     char[] b64 = base64Encode(input, length).dup;
108 
109     while (b64.length && b64[b64.length-1] == '=') {
110         b64 = b64[0 .. $-1];
111 
112     }
113     
114     foreach (size_t i; 0 .. b64.length)
115         b64[i] = OPENBSD_BASE64_SUB[cast(ubyte) b64[i]];
116     
117     return cast(string) b64;
118 }
119 
120 Vector!ubyte bcryptBase64Decode(char[] input)
121 {
122     __gshared immutable ubyte[256] OPENBSD_BASE64_SUB = [
123         0x00, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
124         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
125         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
126         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x41, 0x42,
127         0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F, 0x80, 0x80,
128         0x80, 0x80, 0x80, 0x80, 0x80, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49,
129         0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55,
130         0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x80, 0x80, 0x80, 0x80, 0x80,
131         0x80, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D,
132         0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79,
133         0x7A, 0x30, 0x31, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
134         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
135         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
136         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
137         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
138         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
139         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
140         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
141         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
142         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
143         0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
144         0x80, 0x80, 0x80, 0x80
145     ];
146     
147     foreach (size_t i; 0 .. input.length)
148         input[i] = OPENBSD_BASE64_SUB[cast(ubyte)(input[i])];
149     return unlock(base64Decode(cast(string)input));
150 }
151 
152 string makeBcrypt()(in string pass,
153                     auto const ref Vector!ubyte salt,
154                     ushort work_factor)
155 {
156     __gshared immutable ubyte[24] magic = [
157         0x4F, 0x72, 0x70, 0x68, 0x65, 0x61, 0x6E, 0x42,
158         0x65, 0x68, 0x6F, 0x6C, 0x64, 0x65, 0x72, 0x53,
159         0x63, 0x72, 0x79, 0x44, 0x6F, 0x75, 0x62, 0x74
160     ];
161     
162     Vector!ubyte ctext = Vector!ubyte(magic.ptr[0 .. magic.length]);
163     
164     Unique!Blowfish blowfish = new Blowfish;
165     
166     // Include the trailing NULL ubyte
167     blowfish.eksKeySchedule(cast(const(ubyte)*) pass.toStringz, pass.length + 1, salt.ptr[0 .. 16], work_factor);
168     
169     foreach (size_t i; 0 .. 64)  {
170         blowfish.encryptN(ctext.ptr, ctext.ptr, 3);
171     }
172     
173     string salt_b64 = bcryptBase64Encode(salt.ptr, salt.length);
174     
175     string work_factor_str = to!string(work_factor);
176     if (work_factor_str.length == 1)
177         work_factor_str = "0" ~ work_factor_str;
178     
179     return "$2a$" ~ work_factor_str ~ "$" ~ salt_b64[0 .. 22] ~ bcryptBase64Encode(ctext.ptr, ctext.length - 1);
180 }
181 
182 
183 static if (BOTAN_TEST):
184 import botan.test;
185 import botan.rng.auto_rng;
186 
187 static if (BOTAN_HAS_TESTS && !SKIP_BCRYPT_TEST) unittest
188 {
189     import botan.libstate.libstate;
190     globalState();
191     logDebug("Testing bcrypt.d ...");
192     size_t fails = 0;
193     
194     // Generated by jBCrypt 0.3
195     if (!checkBcrypt("abc", "$2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS"))
196     {
197         logTrace("Bcrypt test 1 failed");
198         fails++;
199     }
200     
201     // http://www.openwall.com/lists/john-dev/2011/06/19/2
202     if (!checkBcrypt("\xA3", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq"))
203     {
204         logTrace("Bcrypt test 2 failed");
205         fails++;
206     }
207     
208     Unique!AutoSeededRNG rng = new AutoSeededRNG;
209     
210     for(ushort level = 1; level != 5; ++level)
211     {
212         const string input = "some test passphrase 123";
213         const string gen_hash = generateBcrypt(input, *rng, level);
214         
215         if (!checkBcrypt(input, gen_hash))
216         {
217             logTrace("Gen and check for bcrypt failed: " ~ gen_hash ~ " not valid");
218             ++fails;
219         }
220     }
221     
222     testReport("Bcrypt", 6, fails);
223 }