github.com/olivere/camlistore@v0.0.0-20140121221811-1b7ac2da0199/third_party/code.google.com/p/go.crypto/bcrypt/bcrypt.go (about)

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
     6  // algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
     7  package bcrypt
     8  
     9  // The code is a port of Provos and Mazières's C implementation. 
    10  import (
    11  	"camlistore.org/third_party/code.google.com/p/go.crypto/blowfish"
    12  	"crypto/rand"
    13  	"crypto/subtle"
    14  	"errors"
    15  	"fmt"
    16  	"io"
    17  	"strconv"
    18  )
    19  
    20  const (
    21  	MinCost     int = 4  // the minimum allowable cost as passed in to GenerateFromPassword
    22  	MaxCost     int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
    23  	DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
    24  )
    25  
    26  // The error returned from CompareHashAndPassword when a password and hash do
    27  // not match.
    28  var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
    29  
    30  // The error returned from CompareHashAndPassword when a hash is too short to
    31  // be a bcrypt hash.
    32  var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
    33  
    34  // The error returned from CompareHashAndPassword when a hash was created with
    35  // a bcrypt algorithm newer than this implementation.
    36  type HashVersionTooNewError byte
    37  
    38  func (hv HashVersionTooNewError) Error() string {
    39  	return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
    40  }
    41  
    42  // The error returned from CompareHashAndPassword when a hash starts with something other than '$'
    43  type InvalidHashPrefixError byte
    44  
    45  func (ih InvalidHashPrefixError) Error() string {
    46  	return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
    47  }
    48  
    49  type InvalidCostError int
    50  
    51  func (ic InvalidCostError) Error() string {
    52  	return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
    53  }
    54  
    55  const (
    56  	majorVersion       = '2'
    57  	minorVersion       = 'a'
    58  	maxSaltSize        = 16
    59  	maxCryptedHashSize = 23
    60  	encodedSaltSize    = 22
    61  	encodedHashSize    = 31
    62  	minHashSize        = 59
    63  )
    64  
    65  // magicCipherData is an IV for the 64 Blowfish encryption calls in
    66  // bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
    67  var magicCipherData = []byte{
    68  	0x4f, 0x72, 0x70, 0x68,
    69  	0x65, 0x61, 0x6e, 0x42,
    70  	0x65, 0x68, 0x6f, 0x6c,
    71  	0x64, 0x65, 0x72, 0x53,
    72  	0x63, 0x72, 0x79, 0x44,
    73  	0x6f, 0x75, 0x62, 0x74,
    74  }
    75  
    76  type hashed struct {
    77  	hash  []byte
    78  	salt  []byte
    79  	cost  uint32 // allowed range is MinCost to MaxCost
    80  	major byte
    81  	minor byte
    82  }
    83  
    84  // GenerateFromPassword returns the bcrypt hash of the password at the given
    85  // cost. If the cost given is less than MinCost, the cost will be set to
    86  // MinCost, instead. Use CompareHashAndPassword, as defined in this package,
    87  // to compare the returned hashed password with its cleartext version.
    88  func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
    89  	p, err := newFromPassword(password, cost)
    90  	if err != nil {
    91  		return nil, err
    92  	}
    93  	return p.Hash(), nil
    94  }
    95  
    96  // CompareHashAndPassword compares a bcrypt hashed password with its possible
    97  // plaintext equivalent. Note: Using bytes.Equal for this job is
    98  // insecure. Returns nil on success, or an error on failure.
    99  func CompareHashAndPassword(hashedPassword, password []byte) error {
   100  	p, err := newFromHash(hashedPassword)
   101  	if err != nil {
   102  		return err
   103  	}
   104  
   105  	otherHash, err := bcrypt(password, p.cost, p.salt)
   106  	if err != nil {
   107  		return err
   108  	}
   109  
   110  	otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
   111  	if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
   112  		return nil
   113  	}
   114  
   115  	return ErrMismatchedHashAndPassword
   116  }
   117  
   118  func newFromPassword(password []byte, cost int) (*hashed, error) {
   119  	if cost < MinCost {
   120  		cost = DefaultCost
   121  	}
   122  	p := new(hashed)
   123  	p.major = majorVersion
   124  	p.minor = minorVersion
   125  
   126  	err := checkCost(cost)
   127  	if err != nil {
   128  		return nil, err
   129  	}
   130  	p.cost = uint32(cost)
   131  
   132  	unencodedSalt := make([]byte, maxSaltSize)
   133  	_, err = io.ReadFull(rand.Reader, unencodedSalt)
   134  	if err != nil {
   135  		return nil, err
   136  	}
   137  
   138  	p.salt = base64Encode(unencodedSalt)
   139  	hash, err := bcrypt(password, p.cost, p.salt)
   140  	if err != nil {
   141  		return nil, err
   142  	}
   143  	p.hash = hash
   144  	return p, err
   145  }
   146  
   147  func newFromHash(hashedSecret []byte) (*hashed, error) {
   148  	if len(hashedSecret) < minHashSize {
   149  		return nil, ErrHashTooShort
   150  	}
   151  	p := new(hashed)
   152  	n, err := p.decodeVersion(hashedSecret)
   153  	if err != nil {
   154  		return nil, err
   155  	}
   156  	hashedSecret = hashedSecret[n:]
   157  	n, err = p.decodeCost(hashedSecret)
   158  	if err != nil {
   159  		return nil, err
   160  	}
   161  	hashedSecret = hashedSecret[n:]
   162  
   163  	// The "+2" is here because we'll have to append at most 2 '=' to the salt
   164  	// when base64 decoding it in expensiveBlowfishSetup().
   165  	p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
   166  	copy(p.salt, hashedSecret[:encodedSaltSize])
   167  
   168  	hashedSecret = hashedSecret[encodedSaltSize:]
   169  	p.hash = make([]byte, len(hashedSecret))
   170  	copy(p.hash, hashedSecret)
   171  
   172  	return p, nil
   173  }
   174  
   175  func bcrypt(password []byte, cost uint32, salt []byte) ([]byte, error) {
   176  	cipherData := make([]byte, len(magicCipherData))
   177  	copy(cipherData, magicCipherData)
   178  
   179  	c, err := expensiveBlowfishSetup(password, cost, salt)
   180  	if err != nil {
   181  		return nil, err
   182  	}
   183  
   184  	for i := 0; i < 24; i += 8 {
   185  		for j := 0; j < 64; j++ {
   186  			c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
   187  		}
   188  	}
   189  
   190  	// Bug compatibility with C bcrypt implementations. We only encode 23 of
   191  	// the 24 bytes encrypted.
   192  	hsh := base64Encode(cipherData[:maxCryptedHashSize])
   193  	return hsh, nil
   194  }
   195  
   196  func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
   197  
   198  	csalt, err := base64Decode(salt)
   199  	if err != nil {
   200  		return nil, err
   201  	}
   202  
   203  	// Bug compatibility with C bcrypt implementations. They use the trailing
   204  	// NULL in the key string during expansion.
   205  	ckey := append(key, 0)
   206  
   207  	c, err := blowfish.NewSaltedCipher(ckey, csalt)
   208  	if err != nil {
   209  		return nil, err
   210  	}
   211  
   212  	rounds := 1 << cost
   213  	for i := 0; i < rounds; i++ {
   214  		blowfish.ExpandKey(ckey, c)
   215  		blowfish.ExpandKey(csalt, c)
   216  	}
   217  
   218  	return c, nil
   219  }
   220  
   221  func (p *hashed) Hash() []byte {
   222  	arr := make([]byte, 60)
   223  	arr[0] = '$'
   224  	arr[1] = p.major
   225  	n := 2
   226  	if p.minor != 0 {
   227  		arr[2] = p.minor
   228  		n = 3
   229  	}
   230  	arr[n] = '$'
   231  	n += 1
   232  	copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
   233  	n += 2
   234  	arr[n] = '$'
   235  	n += 1
   236  	copy(arr[n:], p.salt)
   237  	n += encodedSaltSize
   238  	copy(arr[n:], p.hash)
   239  	n += encodedHashSize
   240  	return arr[:n]
   241  }
   242  
   243  func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
   244  	if sbytes[0] != '$' {
   245  		return -1, InvalidHashPrefixError(sbytes[0])
   246  	}
   247  	if sbytes[1] > majorVersion {
   248  		return -1, HashVersionTooNewError(sbytes[1])
   249  	}
   250  	p.major = sbytes[1]
   251  	n := 3
   252  	if sbytes[2] != '$' {
   253  		p.minor = sbytes[2]
   254  		n++
   255  	}
   256  	return n, nil
   257  }
   258  
   259  // sbytes should begin where decodeVersion left off.
   260  func (p *hashed) decodeCost(sbytes []byte) (int, error) {
   261  	cost, err := strconv.Atoi(string(sbytes[0:2]))
   262  	if err != nil {
   263  		return -1, err
   264  	}
   265  	err = checkCost(cost)
   266  	if err != nil {
   267  		return -1, err
   268  	}
   269  	p.cost = uint32(cost)
   270  	return 3, nil
   271  }
   272  
   273  func (p *hashed) String() string {
   274  	return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
   275  }
   276  
   277  func checkCost(cost int) error {
   278  	if cost < MinCost || cost > MaxCost {
   279  		return InvalidCostError(cost)
   280  	}
   281  	return nil
   282  }