1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
6 // algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
7 package bcrypt // import "golang.org/x/crypto/bcrypt"
9 // The code is a port of Provos and Mazières's C implementation.
18 "golang.org/x/crypto/blowfish"
22 MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword
23 MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
24 DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
27 // The error returned from CompareHashAndPassword when a password and hash do
29 var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
31 // The error returned from CompareHashAndPassword when a hash is too short to
33 var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
35 // The error returned from CompareHashAndPassword when a hash was created with
36 // a bcrypt algorithm newer than this implementation.
37 type HashVersionTooNewError byte
39 func (hv HashVersionTooNewError) Error() string {
40 return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
43 // The error returned from CompareHashAndPassword when a hash starts with something other than '$'
44 type InvalidHashPrefixError byte
46 func (ih InvalidHashPrefixError) Error() string {
47 return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
50 type InvalidCostError int
52 func (ic InvalidCostError) Error() string {
53 return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
60 maxCryptedHashSize = 23
66 // magicCipherData is an IV for the 64 Blowfish encryption calls in
67 // bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
68 var magicCipherData = []byte{
69 0x4f, 0x72, 0x70, 0x68,
70 0x65, 0x61, 0x6e, 0x42,
71 0x65, 0x68, 0x6f, 0x6c,
72 0x64, 0x65, 0x72, 0x53,
73 0x63, 0x72, 0x79, 0x44,
74 0x6f, 0x75, 0x62, 0x74,
80 cost int // allowed range is MinCost to MaxCost
85 // GenerateFromPassword returns the bcrypt hash of the password at the given
86 // cost. If the cost given is less than MinCost, the cost will be set to
87 // DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
88 // to compare the returned hashed password with its cleartext version.
89 func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
90 p, err := newFromPassword(password, cost)
97 // CompareHashAndPassword compares a bcrypt hashed password with its possible
98 // plaintext equivalent. Returns nil on success, or an error on failure.
99 func CompareHashAndPassword(hashedPassword, password []byte) error {
100 p, err := newFromHash(hashedPassword)
105 otherHash, err := bcrypt(password, p.cost, p.salt)
110 otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
111 if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
115 return ErrMismatchedHashAndPassword
118 // Cost returns the hashing cost used to create the given hashed
119 // password. When, in the future, the hashing cost of a password system needs
120 // to be increased in order to adjust for greater computational power, this
121 // function allows one to establish which passwords need to be updated.
122 func Cost(hashedPassword []byte) (int, error) {
123 p, err := newFromHash(hashedPassword)
130 func newFromPassword(password []byte, cost int) (*hashed, error) {
135 p.major = majorVersion
136 p.minor = minorVersion
138 err := checkCost(cost)
144 unencodedSalt := make([]byte, maxSaltSize)
145 _, err = io.ReadFull(rand.Reader, unencodedSalt)
150 p.salt = base64Encode(unencodedSalt)
151 hash, err := bcrypt(password, p.cost, p.salt)
159 func newFromHash(hashedSecret []byte) (*hashed, error) {
160 if len(hashedSecret) < minHashSize {
161 return nil, ErrHashTooShort
164 n, err := p.decodeVersion(hashedSecret)
168 hashedSecret = hashedSecret[n:]
169 n, err = p.decodeCost(hashedSecret)
173 hashedSecret = hashedSecret[n:]
175 // The "+2" is here because we'll have to append at most 2 '=' to the salt
176 // when base64 decoding it in expensiveBlowfishSetup().
177 p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
178 copy(p.salt, hashedSecret[:encodedSaltSize])
180 hashedSecret = hashedSecret[encodedSaltSize:]
181 p.hash = make([]byte, len(hashedSecret))
182 copy(p.hash, hashedSecret)
187 func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
188 cipherData := make([]byte, len(magicCipherData))
189 copy(cipherData, magicCipherData)
191 c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
196 for i := 0; i < 24; i += 8 {
197 for j := 0; j < 64; j++ {
198 c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
202 // Bug compatibility with C bcrypt implementations. We only encode 23 of
203 // the 24 bytes encrypted.
204 hsh := base64Encode(cipherData[:maxCryptedHashSize])
208 func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
209 csalt, err := base64Decode(salt)
214 // Bug compatibility with C bcrypt implementations. They use the trailing
215 // NULL in the key string during expansion.
216 // We copy the key to prevent changing the underlying array.
217 ckey := append(key[:len(key):len(key)], 0)
219 c, err := blowfish.NewSaltedCipher(ckey, csalt)
226 for i = 0; i < rounds; i++ {
227 blowfish.ExpandKey(ckey, c)
228 blowfish.ExpandKey(csalt, c)
234 func (p *hashed) Hash() []byte {
235 arr := make([]byte, 60)
245 copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
249 copy(arr[n:], p.salt)
251 copy(arr[n:], p.hash)
256 func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
257 if sbytes[0] != '$' {
258 return -1, InvalidHashPrefixError(sbytes[0])
260 if sbytes[1] > majorVersion {
261 return -1, HashVersionTooNewError(sbytes[1])
265 if sbytes[2] != '$' {
272 // sbytes should begin where decodeVersion left off.
273 func (p *hashed) decodeCost(sbytes []byte) (int, error) {
274 cost, err := strconv.Atoi(string(sbytes[0:2]))
278 err = checkCost(cost)
286 func (p *hashed) String() string {
287 return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
290 func checkCost(cost int) error {
291 if cost < MinCost || cost > MaxCost {
292 return InvalidCostError(cost)