author | Jack Lloyd <[email protected]> | 2017-03-28 11:49:10 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-03-28 11:49:10 -0400 |
commit | 6378305fb557ddac52b5f0e9ca69eac1d10bb541 (patch) | |
tree | 37119bbef743a949fdd3a713e21b7d432b078ee3 | |
parent | 5c54bff2e4a4c433500dbef77d1088dffb202464 (diff) | |
parent | d6ae3dccc2909e03c550ebdf7630a4fc3893557e (diff) |
Merge GH #938 Fix incorrect bcrypt truncation
-rw-r--r-- | doc/manual/passhash.rst | 25 | ||||
-rw-r--r-- | doc/security.rst | 11 | ||||
-rw-r--r-- | news.rst | 4 | ||||
-rw-r--r-- | src/lib/block/blowfish/blowfish.cpp | 18 | ||||
-rw-r--r-- | src/tests/data/bcrypt.vec | 272 | ||||
-rw-r--r-- | src/tests/test_passhash.cpp | 26 |
6 files changed, 341 insertions, 15 deletions
diff --git a/doc/manual/passhash.rst b/doc/manual/passhash.rst
index b3db1f3e7..725fc5535 100644
--- a/doc/manual/passhash.rst
+++ b/doc/manual/passhash.rst
@@ -85,12 +85,22 @@ Bcrypt provides outputs that look like this::
 "$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2"
+Currently only the `2a` bcrypt format is supported.
+
 .. cpp:function:: std::string generate_bcrypt(const std::string& password, \
 RandomNumberGenerator& rng, u16bit work_factor = 10)
- Takes the password to hash, a rng, and a work factor. Higher values
- increase the amount of time the algorithm runs, increasing the cost
- of cracking attempts. The resulting hash is returned as a string.
+ Takes the password to hash, a rng, and a work factor. Higher work
+ factors increase the amount of time the algorithm runs, increasing
+ the cost of cracking attempts. The increase is exponential, so a
+ work factor of 10 takes roughly twice as long as work factor 9.
+
+ The resulting password hash is returned as a string.
+
+ Work factor must be at least 4. The bcrypt format allows up to 31,
+ but Botan currently rejects all work factors greater than 18 since
+ even that work factor requires roughly 30 seconds of computation on
+ a fast machine.
 .. cpp:function:: bool check_bcrypt(const std::string& password, \
 const std::string& hash)
@@ -105,7 +115,9 @@ Passhash9
 ----------------------------------------
 Botan also provides a password hashing technique called passhash9, in
-``passhash9.h``, which is based on PBKDF2. Its outputs look like::
+``passhash9.h``, which is based on PBKDF2.
+
+Passhash9 hashes look like::
 "$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT" 
@@ -113,6 +125,11 @@ This function should be secure with the proper parameters, and will remain in the library for the forseeable future, but it is specific to Botan rather than being a widely used password hash. Prefer bcrypt.
+.. warning::
+
+ This password format string ("$9$") conflicts with the format used
+ for scrypt password hashes on Cisco systems.
+
 .. cpp:function:: std::string generate_passhash9(const std::string& password, \
 RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 1)
diff --git a/doc/security.rst b/doc/security.rst
index 2ab105efd..e6467f675 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,17 @@ mail please use:: This key can be found in the file ``doc/pgpkey.txt`` or online at https://keybase.io/jacklloyd and on most PGP keyservers.
+2017
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2017-03-23 (CVE-2016-7252): Incorrect bcrypt computation
+
+ Botan's implementation of bcrypt password hashing scheme truncated long
+ passwords at 56 characters, instead of at bcrypt's standard 72 characters
+ limit. Passwords with lengths between these two bounds could be cracked more
+ easily than should be the case due to the final password bytes being
+ ignored. Found and reported by Solar Designer.
+
 2016
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -4,6 +4,10 @@ Release Notes
 Version 2.1.0, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* Fix incorrect truncation in Bcrypt. Passwords in length between 56
+ and 72 characters were truncated at 56 characters. Found and
+ reported by Solar Designer. (CVE-2017-7252)
+
 * Support a 0-length IV in ChaCha stream cipher. Such an IV is treated identically to an 8-byte IV of all zeros.
diff --git a/src/lib/block/blowfish/blowfish.cpp b/src/lib/block/blowfish/blowfish.cpp
index 17ac00a1f..68d73cafd 100644
--- a/src/lib/block/blowfish/blowfish.cpp
+++ b/src/lib/block/blowfish/blowfish.cpp 
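Review bot: The advisory added to doc/security.rst cites CVE-2016-7252 while the news.rst entry for the same bcrypt truncation fix cites CVE-2017-7252; the two identifiers disagree, so at least one is wrong and anyone cross-referencing the advisory will be sent to the wrong record. The 2017-03-23 date and the new "2017" section make the 2017 identifier the likelier one, but that is inferred, so confirm the assignment before release and make both files agree, e.g. `* 2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation`. Both entries also state the limits in "characters" whereas the check the commit adds in blowfish.cpp compares a byte count, so "bytes" would be the precise word for non-ASCII passwords.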
@@ -291,27 +291,31 @@ void Blowfish::key_expansion(const uint8_t key[],
 void Blowfish::eks_key_schedule(const uint8_t key[], size_t length,
 const uint8_t salt[16], size_t workfactor)
 {
- // Truncate longer passwords to the 56 byte limit Blowfish enforces
- length = std::min<size_t>(length, 55);
-
- if(workfactor == 0)
- throw Invalid_Argument("Bcrypt work factor must be at least 1");
 /*
 * On a 2.8 GHz Core-i7, workfactor == 18 takes about 25 seconds to
 * hash a password. This seems like a reasonable upper bound for the
 * time being.
+ * Bcrypt allows up to work factor 31 (2^31 iterations)
 */
 if(workfactor > 18)
 throw Invalid_Argument("Requested Bcrypt work factor " +
- std::to_string(workfactor) + " too large");
+ std::to_string(workfactor) + " too large");
+
+ if(workfactor < 4)
+ throw Invalid_Argument("Bcrypt requires work factor at least 4");
+
+ if(length > 72)
+ {
+ // Truncate longer passwords to the 72 char bcrypt limit
+ length = 72;
+ }
 m_P.resize(18);
 copy_mem(m_P.data(), P_INIT, 18);
 m_S.resize(1024);
 copy_mem(m_S.data(), S_INIT, 1024);
-
 key_expansion(key, length, salt);
 const uint8_t null_salt[16] = { 0 };
diff --git a/src/tests/data/bcrypt.vec b/src/tests/data/bcrypt.vec
index c78ab970a..de0eefbd2 100644
--- a/src/tests/data/bcrypt.vec
+++ b/src/tests/data/bcrypt.vec
@@ -1,5 +1,4 @@
-
 # Generated by jBCrypt 0.3
 Password = 616263
 Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS 
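Review bot: The new `if(length > 72)` branch silently drops everything past the 72nd byte, and its comment calls that the "72 char" limit, but `length` is a byte count, so a UTF-8 password can lose far fewer than 72 characters and two passwords that differ only after byte 72 verify as the same (the new bcrypt.vec entry with a 72-byte and a 73-byte input hashing identically shows exactly this). Neither the passhash.rst hunk nor this function documents the truncation, so a caller accepting long passphrases has no way to know it should reject or pre-hash them. I would reword the comment to `// bcrypt keys Blowfish with at most the first 72 bytes (bytes, not characters); the rest is silently ignored` and add one sentence to the generate_bcrypt docs saying passwords longer than 72 bytes are truncated. The order of the checks also means the work-factor range is validated before the length is clamped, which is fine, but worth a comment since an out-of-range work factor now masks any length issue. eks_key_schedule continues past the end of this hunk.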
@@ -7,3 +6,274 @@ Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS # http://www.openwall.com/lists/john-dev/2011/06/19/2 Password = A3 Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq + +# Following values from http://download.openwall.net/pub/projects/crypt/bcrypt-tester-1.0.tar.gz +Password = +Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy + +Password = 552A55 +Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW + +Password = 552A552A +Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK + +Password = 552A552A55 +Passhash = $2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a + +Password = 303132333435363738396162636465666768696A6B6C6D6E6F707172737475767778797A4142434445464748494A4B4C4D4E4F505152535455565758595A303132333435363738396368617273206166746572203732206172652069676E6F726564 +Passhash = $2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui + +Password = A3 +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq + +Password = FFFFA3 +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e + +Password = FFA33334FFFFFFA3333435 +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi + +Password = FFA3333435 +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e + +Password = A36162 +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS + +Password = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6368617273206166746572203732206172652069676E6F72656420617320757375616C +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6 + +Password = AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55 +Passhash = 
$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy + +Password = 55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF +Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe + +# Test very long (> 256 char) password +# Generated by https://www.dailycred.com/article/bcrypt-calculator +Password = 4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595b +Passhash = $2a$04$nP0HWhorPRGl309OF27N0Oluj0wfAKWClP9gDcqOU1D.VF4x6bHTi + +# Generated by OpenBSD's bcrypt code + +Password = +Passhash = $2a$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO + +Password = 41 +Passhash = $2a$04$......................1ylfG1rzUcx/p4E2WWXbK1hNBjulV/e + +Password = 4142 +Passhash = $2a$04$......................eLmsldq6Kef4lNzfsH3GLn5XEr9/dky + +Password = 414243 +Passhash = $2a$04$......................SeoxjjNIHEA7B01Yt2Fq2YNSKittPem + +Password = 41424344 +Passhash = $2a$04$......................5UWApRNcV8gDN6km6KdMC7MJRnFLJLi + +Password = 4142434445 +Passhash = $2a$04$......................aqTIOQ1wy6xo2DKiG2jtVHuLfBC.Cte + +Password = 414243444546 +Passhash = $2a$04$......................3eUc6EVdIHLPSHsfENd73y1qHUgeET6 + +Password = 41424344454647 +Passhash = $2a$04$......................FuV659LudNIL0yJfqrb.JB0ab1eCXCy + +Password = 4142434445464748 +Passhash = $2a$04$......................1WDT31a/PBuYi4hmam2gvmgA54t9HUO + +Password = 414243444546474849 +Passhash = 
$2a$04$......................aHMfyD101pOa19Avcj8wFk7x8JyP/Oi + +Password = 4142434445464748494A +Passhash = $2a$04$......................MQooKLE8.P36GbWDUbrk2NT3PYZsXOG + +Password = 4142434445464748494A4B +Passhash = $2a$04$......................eprYLc9vXOwDMCyqLAGvznMqJmzEEzu + +Password = 4142434445464748494A4B4C +Passhash = $2a$04$......................wg1/merzamWae4FzZdzXVFCzeXcdRBe + +Password = 4142434445464748494A4B4C4D +Passhash = $2a$04$......................F45.kWUMV0S88ts9G8w1ySdc0eL1QsO + +Password = 4142434445464748494A4B4C4D4E +Passhash = $2a$04$......................b5f2SSP91ThKR9rHlejbqwpgGTKgEPW + +Password = 4142434445464748494A4B4C4D4E4F +Passhash = $2a$04$......................GAUIFe599t9404.M92TX4qg.qlyozvu + +Password = 4142434445464748494A4B4C4D4E4F50 +Passhash = $2a$04$......................hGf/sBFCzxtt7aLth.CkSiqMLfMNkky + +Password = 4142434445464748494A4B4C4D4E4F5051 +Passhash = $2a$04$......................wxi.5vCbqbfYRB4Ptb9YMVEedkzkg2G + +Password = 4142434445464748494A4B4C4D4E4F505152 +Passhash = $2a$04$......................fEQhKOa7gmjs2X6pPxkAG4Ua1CK3/MG + +Password = 4142434445464748494A4B4C4D4E4F50515253 +Passhash = $2a$04$......................GeXtzTa.p8bAbpHdSzLDDvcT5z8rd2G + +Password = 4142434445464748494A4B4C4D4E4F5051525354 +Passhash = $2a$04$......................D.nuIHnFpRTTietbZXCpTqMLktmgvOG + +Password = 4142434445464748494A4B4C4D4E4F505152535455 +Passhash = $2a$04$......................0rP0aIe6CiaXgLviO7CrReRMoq4Z76u + +Password = 4142434445464748494A4B4C4D4E4F50515253545556 +Passhash = $2a$04$......................2nuK3e9hYlR3ZpUulSwuH9XEFf/TwB. 
+ +Password = 4142434445464748494A4B4C4D4E4F5051525354555657 +Passhash = $2a$04$......................pFb7ADMM2CyyVheTwTO4ljTOaAd.SO2 + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758 +Passhash = $2a$04$......................Hb6CQJzZLi0jF2iRoWF/LytXl0UIlGi + +Password = 4142434445464748494A4B4C4D4E4F50515253545556575859 +Passhash = $2a$04$......................hDkGLLxi1xlzQ2l8yCVZW8STSQwY8ca + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A +Passhash = $2a$04$......................rEzQdCIvx3710X.o8rPHje0DJNW7nby + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B +Passhash = $2a$04$......................YRx250oXqZ8PAF9VCwDd3tMHvNG/EYS + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C +Passhash = $2a$04$......................8VVYuFwpyz50KoSQSww6HtAcM.puvFK + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D +Passhash = $2a$04$......................U/uWNlMQ1nCojM9KJYXst0H..Vr3K7e + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E +Passhash = $2a$04$......................JKICUBStZDD90QJxUirvbW6XhMN3k0i + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +Passhash = $2a$04$......................XQ1Pz.WGSIGPbun4umJ/uKtAi5mImNK + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60 +Passhash = $2a$04$......................zK87xeHJykwKa7B3WqaREFx8LkTw7w. + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061 +Passhash = $2a$04$......................DRU9poimCmGTetm8ijeul2OZ7Ghgyn. 
+ +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162 +Passhash = $2a$04$......................cOoYOK6c366gK6BBmcYlCPqGGy7/Yce + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263 +Passhash = $2a$04$......................f31Ni98iYpbJzxJoqhWuxvB8PPUOc5G + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364 +Passhash = $2a$04$......................uZLqllZzmsIDcmdihrBslz0A.WJp5lC + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465 +Passhash = $2a$04$......................Mv6hK0wgc5CxkxPVhyit7DjpOLHCRme + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566 +Passhash = $2a$04$......................40cOEgw5sV8TKGjzB4JF.yiTJCBJGsq + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667 +Passhash = $2a$04$......................DR/BFDmrsl0CqGeCo5EYawLtrLL2PF6 + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768 +Passhash = $2a$04$......................7VtgAnmfpC6qryaX7qsvlfCvk2ooW4S + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566676869 +Passhash = $2a$04$......................Eo0q.nfaVXn4NIfoyveRiLRKHSMDAHW + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A +Passhash = $2a$04$......................kfxex5FfUJhJQYogm.8FloXjQjvcl.. 
+ +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B +Passhash = $2a$04$......................fmpuNlu0eW7fsRBEbIlZs/ZIP0a9Dby + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C +Passhash = $2a$04$......................mI0Rbwk/yFUkA/TLKmMfSMu4KqSGzZq + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D +Passhash = $2a$04$......................jqCcJxoUtwRpIFnCPZtrn2zpFY6tU6a + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E +Passhash = $2a$04$......................FGzij2Dvl2qbVhtOfDhvGodD0BaH1zO + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F +Passhash = $2a$04$......................8gWGyOqSrT/N84xajt5y1cc7kdYTS1C + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70 +Passhash = $2a$04$......................n0uapt/O8ZGLLoTYi8RVz5gtLzcH9OG + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071 +Passhash = $2a$04$......................snIIPVZopm0TC4WLrpTNtW136us.66S + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172 +Passhash = $2a$04$......................xJlz/E02Am2/sxO97jDYuFkxKMCNPuC + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273 +Passhash = $2a$04$......................ci6b5BSX.Gt1z2O5on9.k9Po1q6nJMe + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374 +Passhash = $2a$04$......................JGYY7FRsBznRZJfr8gNUgmRIekndoEu + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475 +Passhash = 
$2a$04$......................c.8sucK9TMUPlwbux0u2EjoWeS7exm. + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576 +Passhash = $2a$04$......................2iQopzqprPYwjRJTAJnVPO00t8/HyT. + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374757677 +Passhash = $2a$04$......................COrfw5/Mj6Js8CePzOVuowO57dzDlXq + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778 +Passhash = $2a$04$......................M/SrGocfiSlHaOnFqqV0RGjlcuPM2xO + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576777879 +Passhash = $2a$04$......................gPjyepv.g7qMZXDTwcEjfks0xFwQDsW + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A +Passhash = $2a$04$......................YCdU1yffMxpqGnbkhm4j11QBUQzr6vW + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B +Passhash = $2a$04$......................PFZW7x0F2WdDhhfr9IbRIJhaUrlT/4. 
+ +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C +Passhash = $2a$04$......................2gd/Za4BdTci7v1rdamN0XZ5lk5PnuO + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D +Passhash = $2a$04$......................fbhaW8SPcJjDFtC9ruTvwIZhbhoT6Ve + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E +Passhash = $2a$04$......................yB12tMsxREReDqkSHzR6G890abKjKHi + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F +Passhash = $2a$04$......................yyR3U//QnDydsWfSIZwCsrzXqwdED7e + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80 +Passhash = $2a$04$......................IWK3CyxBeu3hZXP./rSl1gS.CHOl51q + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081 +Passhash = $2a$04$......................OrN52h3sUOH7u7aUFZLLPecPAC6pDUy + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182 +Passhash = $2a$04$......................7czL69h9T6Z84Yen8wrtzeNUPZIksLq + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283 +Passhash = $2a$04$......................hlFxmtvTDFEJ/W7ViRXVzIBmwELyxde + +Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384 +Passhash = $2a$04$......................wtpFiSjRvlfidwkUDR2EefHBYOStMyO + +Password = 
4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485
+Passhash = $2a$04$......................fFhiRdC6u8ZnZNqxK5vIyMinSFC4HjG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586
+Passhash = $2a$04$......................FCJRl4rapF1jLog3AjcYUtLupr62MHW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384858687
+Passhash = $2a$04$......................qt4eTaEVpLnPbEit4noon6YMRxjO8kq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
+# This demonstrates truncation of passwords > 72 chars, identical to previous hash
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586878889
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
diff --git a/src/tests/test_passhash.cpp b/src/tests/test_passhash.cpp
index 126b68780..05f53780a 100644
--- a/src/tests/test_passhash.cpp
+++ b/src/tests/test_passhash.cpp
@@ -36,9 +36,8 @@ class Bcrypt_Tests : public Text_Based_Test
 Test::Result result("bcrypt");
 result.test_eq("correct hash accepted", Botan::check_bcrypt(password, passhash), true);
- const size_t max_level = (Test::run_long_tests() ? 14 : 11);
-
- for(size_t level = 1; level <= max_level; ++level)
+ // self-test low levels for each test password
+ for(size_t level = 4; level <= 6; ++level)
 {
 const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
 result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true); 
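Review bot: The rewritten loop in run_one_test exercises only work factors 4 through 6, and nothing in this hunk checks that the new bounds in eks_key_schedule are actually enforced, so a regression that silently accepted work factor 3 or 19 (or substituted a default) would still pass. Since the lower bound was raised from 1 to 4 in the same commit, the test suite is the natural place to pin it; I would add next to the loop `result.test_throws("work factor 3 rejected", [&]() { generate_bcrypt(password, Test::rng(), 3); });` and the same for 19, assuming Test::Result provides a test_throws helper (not visible in this hunk). The enclosing run_one_test begins before this hunk.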
@@ -46,6 +45,27 @@ class Bcrypt_Tests : public Text_Based_Test
 return result;
 }
+
+ std::vector<Test::Result> run_final_tests()
+ {
+ Test::Result result("bcrypt");
+
+ uint64_t start = Test::timestamp();
+
+ const std::string password = "ag00d1_2BE5ur3";
+
+ const size_t max_level = (Test::run_long_tests() ? 15 : 10);
+
+ for(size_t level = 4; level <= max_level; ++level)
+ {
+ const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
+ result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true);
+ }
+
+ result.set_ns_consumed(Test::timestamp() - start);
+
+ return {result};
+ }
 };
 BOTAN_REGISTER_TEST("bcrypt", Bcrypt_Tests); |
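Review bot: run_final_tests only asserts that a freshly generated hash verifies with the same password, so a check_bcrypt that returned true for any input would pass every iteration; a negative check is the one assertion that distinguishes verification from blanket acceptance. I would add inside the loop `result.test_eq("wrong password rejected", Botan::check_bcrypt(password + "x", gen_hash), false);` (run_one_test may already do this in the lines between the two hunks, which are outside this view). On style, run_final_tests looks like it overrides a virtual in the Text_Based_Test/Test base; if so it should be marked `override` so a signature drift in the base does not silently turn it into a never-called method.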