diff options
author | lloyd <[email protected]> | 2013-04-04 14:31:10 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2013-04-04 14:31:10 +0000 |
commit | 1f1b5ac0d8bf3646c72bd2cb0616fd1c06e21320 (patch) | |
tree | f222099208c9c7e371c5826ea0d131f73a53fd06 | |
parent | 6f4719d43374213a5057ea8689b4c95b5c6ad4ca (diff) |
Make SHA-256 the default instead of SHA-1 in passhash9 - it's been
supported since 1.8.10, so shouldn't be any problems there.
Add support for SHA-384 and SHA-512.
Check for work factors over 512 and reject for now as too large.
-rw-r--r-- | src/passhash/passhash9/passhash9.cpp | 16 | ||||
-rw-r--r-- | src/passhash/passhash9/passhash9.h | 4 |
2 files changed, 16 insertions, 4 deletions
diff --git a/src/passhash/passhash9/passhash9.cpp b/src/passhash/passhash9/passhash9.cpp index af7ed761b..eeebb58d4 100644 --- a/src/passhash/passhash9/passhash9.cpp +++ b/src/passhash/passhash9/passhash9.cpp @@ -37,6 +37,10 @@ MessageAuthenticationCode* get_pbkdf_prf(byte alg_id) return af.make_mac("HMAC(SHA-256)"); else if(alg_id == 2) return af.make_mac("CMAC(Blowfish)"); + else if(alg_id == 3) + return af.make_mac("CMAC(SHA-384)"); + else if(alg_id == 4) + return af.make_mac("CMAC(SHA-512)"); } catch(Algorithm_Not_Found) {} @@ -112,12 +116,18 @@ bool check_passhash9(const std::string& pass, const std::string& hash) byte alg_id = bin[0]; - const size_t kdf_iterations = - WORK_FACTOR_SCALE * load_be<u16bit>(&bin[ALGID_BYTES], 0); + const size_t work_factor = load_be<u16bit>(&bin[ALGID_BYTES], 0); - if(kdf_iterations == 0) + // Bug in the format, bad states shouldn't be representable, but are... + if(work_factor == 0) return false; + if(work_factor > 512) + throw std::invalid_argument("Requested Bcrypt work factor " + + std::to_string(work_factor) + " too large"); + + const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor; + MessageAuthenticationCode* pbkdf_prf = get_pbkdf_prf(alg_id); if(!pbkdf_prf) diff --git a/src/passhash/passhash9/passhash9.h b/src/passhash/passhash9/passhash9.h index 3c0a4be51..5fd0a1bf8 100644 --- a/src/passhash/passhash9/passhash9.h +++ b/src/passhash/passhash9/passhash9.h @@ -21,12 +21,14 @@ namespace Botan { * 0 is HMAC(SHA-1) * 1 is HMAC(SHA-256) * 2 is CMAC(Blowfish) +* 3 is HMAC(SHA-384) +* 4 is HMAC(SHA-512) * all other values are currently undefined */ std::string BOTAN_DLL generate_passhash9(const std::string& password, RandomNumberGenerator& rng, u16bit work_factor = 10, - byte alg_id = 0); + byte alg_id = 1); /** * Check a previously created password hash |