Index: bcrypt/bcrypt.go |
=================================================================== |
new file mode 100644 |
--- /dev/null |
+++ b/bcrypt/bcrypt.go |
@@ -0,0 +1,282 @@ |
+// Copyright 2011 The Go Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style |
+// license that can be found in the LICENSE file. |
+ |
+// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing |
+// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf |
+package bcrypt |
+ |
+// The code is a port of Provos and Mazières's C implementation. |
+import ( |
+ "code.google.com/p/go.crypto/blowfish" |
+ "crypto/rand" |
+ "crypto/subtle" |
+ "errors" |
+ "fmt" |
+ "io" |
+ "strconv" |
+) |
+ |
+const ( |
+ MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword |
+ MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword |
+ DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword |
+) |
+ |
+// The error returned from CompareHashAndPassword when a password and hash do |
+// not match. |
+var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password") |
+ |
+// The error returned from CompareHashAndPassword when a hash is too short to |
+// be a bcrypt hash. |
+var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password") |
+ |
+// The error returned from CompareHashAndPassword when a hash was created with |
+// a bcrypt algorithm newer than this implementation. |
+type HashVersionTooNewError byte |
+ |
+func (hv HashVersionTooNewError) Error() string { |
+ return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion) |
+} |
+ |
+// The error returned from CompareHashAndPassword when a hash starts with something other than '$' |
+type InvalidHashPrefixError byte |
+ |
+func (ih InvalidHashPrefixError) Error() string { |
+ return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih)) |
+} |
+ |
+type InvalidCostError int |
+ |
+func (ic InvalidCostError) Error() string { |
+ return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost)) |
+} |
+ |
+const ( |
+ majorVersion = '2' |
+ minorVersion = 'a' |
+ maxSaltSize = 16 |
+ maxCryptedHashSize = 23 |
+ encodedSaltSize = 22 |
+ encodedHashSize = 31 |
+ minHashSize = 59 |
+) |
+ |
+// magicCipherData is an IV for the 64 Blowfish encryption calls in |
+// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes. |
+var magicCipherData = []byte{ |
+ 0x4f, 0x72, 0x70, 0x68, |
+ 0x65, 0x61, 0x6e, 0x42, |
+ 0x65, 0x68, 0x6f, 0x6c, |
+ 0x64, 0x65, 0x72, 0x53, |
+ 0x63, 0x72, 0x79, 0x44, |
+ 0x6f, 0x75, 0x62, 0x74, |
+} |
+ |
+type hashed struct { |
+ hash []byte |
+ salt []byte |
+ cost uint32 // allowed range is MinCost to MaxCost |
+ major byte |
+ minor byte |
+} |
+ |
+// GenerateFromPassword returns the bcrypt hash of the password at the given |
+// cost. If the cost given is less than MinCost, the cost will be set to |
+// MinCost, instead. Use CompareHashAndPassword, as defined in this package, |
+// to compare the returned hashed password with its cleartext version. |
+func GenerateFromPassword(password []byte, cost int) ([]byte, error) { |
+ p, err := newFromPassword(password, cost) |
+ if err != nil { |
+ return nil, err |
+ } |
+ return p.Hash(), nil |
+} |
+ |
+// CompareHashAndPassword compares a bcrypt hashed password with its possible |
+// plaintext equivalent. Note: Using bytes.Equal for this job is |
+// insecure. Returns nil on success, or an error on failure. |
+func CompareHashAndPassword(hashedPassword, password []byte) error { |
+ p, err := newFromHash(hashedPassword) |
+ if err != nil { |
+ return err |
+ } |
+ |
+ otherHash, err := bcrypt(password, p.cost, p.salt) |
+ if err != nil { |
+ return err |
+ } |
+ |
+ otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor} |
+ if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 { |
+ return nil |
+ } |
+ |
+ return ErrMismatchedHashAndPassword |
+} |
+ |
+func newFromPassword(password []byte, cost int) (*hashed, error) { |
+ if cost < MinCost { |
+ cost = DefaultCost |
+ } |
+ p := new(hashed) |
+ p.major = majorVersion |
+ p.minor = minorVersion |
+ |
+ err := checkCost(cost) |
+ if err != nil { |
+ return nil, err |
+ } |
+ p.cost = uint32(cost) |
+ |
+ unencodedSalt := make([]byte, maxSaltSize) |
+ _, err = io.ReadFull(rand.Reader, unencodedSalt) |
+ if err != nil { |
+ return nil, err |
+ } |
+ |
+ p.salt = base64Encode(unencodedSalt) |
+ hash, err := bcrypt(password, p.cost, p.salt) |
+ if err != nil { |
+ return nil, err |
+ } |
+ p.hash = hash |
+ return p, err |
+} |
+ |
+func newFromHash(hashedSecret []byte) (*hashed, error) { |
+ if len(hashedSecret) < minHashSize { |
+ return nil, ErrHashTooShort |
+ } |
+ p := new(hashed) |
+ n, err := p.decodeVersion(hashedSecret) |
+ if err != nil { |
+ return nil, err |
+ } |
+ hashedSecret = hashedSecret[n:] |
+ n, err = p.decodeCost(hashedSecret) |
+ if err != nil { |
+ return nil, err |
+ } |
+ hashedSecret = hashedSecret[n:] |
+ |
+ // The "+2" is here because we'll have to append at most 2 '=' to the salt |
+ // when base64 decoding it in expensiveBlowfishSetup(). |
+ p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2) |
+ copy(p.salt, hashedSecret[:encodedSaltSize]) |
+ |
+ hashedSecret = hashedSecret[encodedSaltSize:] |
+ p.hash = make([]byte, len(hashedSecret)) |
+ copy(p.hash, hashedSecret) |
+ |
+ return p, nil |
+} |
+ |
+func bcrypt(password []byte, cost uint32, salt []byte) ([]byte, error) { |
+ cipherData := make([]byte, len(magicCipherData)) |
+ copy(cipherData, magicCipherData) |
+ |
+ c, err := expensiveBlowfishSetup(password, cost, salt) |
+ if err != nil { |
+ return nil, err |
+ } |
+ |
+ for i := 0; i < 24; i += 8 { |
+ for j := 0; j < 64; j++ { |
+ c.Encrypt(cipherData[i:i+8], cipherData[i:i+8]) |
+ } |
+ } |
+ |
+ // Bug compatibility with C bcrypt implementations. We only encode 23 of |
+ // the 24 bytes encrypted. |
+ hsh := base64Encode(cipherData[:maxCryptedHashSize]) |
+ return hsh, nil |
+} |
+ |
+func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) { |
+ |
+ csalt, err := base64Decode(salt) |
+ if err != nil { |
+ return nil, err |
+ } |
+ |
+ // Bug compatibility with C bcrypt implementations. They use the trailing |
+ // NULL in the key string during expansion. |
+ ckey := append(key, 0) |
+ |
+ c, err := blowfish.NewSaltedCipher(ckey, csalt) |
+ if err != nil { |
+ return nil, err |
+ } |
+ |
+ rounds := 1 << cost |
+ for i := 0; i < rounds; i++ { |
+ blowfish.ExpandKey(ckey, c) |
+ blowfish.ExpandKey(csalt, c) |
+ } |
+ |
+ return c, nil |
+} |
+ |
+func (p *hashed) Hash() []byte { |
+ arr := make([]byte, 60) |
+ arr[0] = '$' |
+ arr[1] = p.major |
+ n := 2 |
+ if p.minor != 0 { |
+ arr[2] = p.minor |
+ n = 3 |
+ } |
+ arr[n] = '$' |
+ n += 1 |
+ copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost))) |
+ n += 2 |
+ arr[n] = '$' |
+ n += 1 |
+ copy(arr[n:], p.salt) |
+ n += encodedSaltSize |
+ copy(arr[n:], p.hash) |
+ n += encodedHashSize |
+ return arr[:n] |
+} |
+ |
+func (p *hashed) decodeVersion(sbytes []byte) (int, error) { |
+ if sbytes[0] != '$' { |
+ return -1, InvalidHashPrefixError(sbytes[0]) |
+ } |
+ if sbytes[1] > majorVersion { |
+ return -1, HashVersionTooNewError(sbytes[1]) |
+ } |
+ p.major = sbytes[1] |
+ n := 3 |
+ if sbytes[2] != '$' { |
+ p.minor = sbytes[2] |
+ n++ |
+ } |
+ return n, nil |
+} |
+ |
+// sbytes should begin where decodeVersion left off. |
+func (p *hashed) decodeCost(sbytes []byte) (int, error) { |
+ cost, err := strconv.Atoi(string(sbytes[0:2])) |
+ if err != nil { |
+ return -1, err |
+ } |
+ err = checkCost(cost) |
+ if err != nil { |
+ return -1, err |
+ } |
+ p.cost = uint32(cost) |
+ return 3, nil |
+} |
+ |
+func (p *hashed) String() string { |
+ return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor) |
+} |
+ |
+func checkCost(cost int) error { |
+ if cost < MinCost || cost > MaxCost { |
+ return InvalidCostError(cost) |
+ } |
+ return nil |
+} |