authorJack Lloyd <[email protected]>2017-03-23 15:45:50 -0400
committerJack Lloyd <[email protected]>2017-03-24 10:55:38 -0400
commitc0901e801d72bb2fdf3a205f6debf5ed954567f8 (patch)
treea959f1ce5fb348d8160938a5bb4fb2070f3a6c71
parentc936086354203ddf275435fff611d3e2c99e6975 (diff)
Fix incorrect password truncation in bcrypt password hashing.
The 56 char bound is bogus; Blowfish itself allows at most 448 bits in the key schedule, but Bcrypt's modification allows up to 72 chars for the password. Bug pointed out by Solar Designer. Also reject work factors 0...3 since all other extant bcrypt implementations require at least work factor 4. Adds more bcrypt tests generated by crypt_bcrypt and OpenBSD's version.
-rw-r--r--doc/manual/passhash.rst25
-rw-r--r--doc/security.rst11
-rw-r--r--src/lib/block/blowfish/blowfish.cpp18
-rw-r--r--src/tests/data/bcrypt.vec272
-rw-r--r--src/tests/test_passhash.cpp4
5 files changed, 316 insertions, 14 deletions
diff --git a/doc/manual/passhash.rst b/doc/manual/passhash.rst
index b3db1f3e7..725fc5535 100644
--- a/doc/manual/passhash.rst
+++ b/doc/manual/passhash.rst
@@ -85,12 +85,22 @@ Bcrypt provides outputs that look like this::
"$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2"
+Currently only the `2a` bcrypt format is supported.
+
.. cpp:function:: std::string generate_bcrypt(const std::string& password, \
RandomNumberGenerator& rng, u16bit work_factor = 10)
- Takes the password to hash, a rng, and a work factor. Higher values
- increase the amount of time the algorithm runs, increasing the cost
- of cracking attempts. The resulting hash is returned as a string.
+ Takes the password to hash, a rng, and a work factor. Higher work
+ factors increase the amount of time the algorithm runs, increasing
+ the cost of cracking attempts. The increase is exponential, so a
+ work factor of 10 takes roughly twice as long as work factor 9.
+
+ The resulting password hash is returned as a string.
+
+ Work factor must be at least 4. The bcrypt format allows up to 31,
+ but Botan currently rejects all work factors greater than 18 since
+ even that work factor requires roughly 30 seconds of computation on
+ a fast machine.
.. cpp:function:: bool check_bcrypt(const std::string& password, \
const std::string& hash)
@@ -105,7 +115,9 @@ Passhash9
----------------------------------------
Botan also provides a password hashing technique called passhash9, in
-``passhash9.h``, which is based on PBKDF2. Its outputs look like::
+``passhash9.h``, which is based on PBKDF2.
+
+Passhash9 hashes look like::
"$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT"
@@ -113,6 +125,11 @@ This function should be secure with the proper parameters, and will remain in
the library for the forseeable future, but it is specific to Botan rather than
being a widely used password hash. Prefer bcrypt.
+.. warning::
+
+ This password format string ("$9$") conflicts with the format used
+ for scrypt password hashes on Cisco systems.
+
.. cpp:function:: std::string generate_passhash9(const std::string& password, \
RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 1)
diff --git a/doc/security.rst b/doc/security.rst
index 2ab105efd..2a46ca3b2 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,17 @@ mail please use::
This key can be found in the file ``doc/pgpkey.txt`` or online at
https://keybase.io/jacklloyd and on most PGP keyservers.
+2017
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2017-03-23: Incorrect bcrypt computation
+
+ Botan's implementation of bcrypt password hashing scheme truncated long
+ passwords at 56 characters, instead of at bcrypt's standard 72 characters
+ limit. Passwords with lengths between these two bounds could be cracked more
+ easily than should be the case due to the final password bytes being
+ ignored. Found and reported by Solar Designer.
+
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/src/lib/block/blowfish/blowfish.cpp b/src/lib/block/blowfish/blowfish.cpp
index 17ac00a1f..68d73cafd 100644
--- a/src/lib/block/blowfish/blowfish.cpp
+++ b/src/lib/block/blowfish/blowfish.cpp
@@ -291,27 +291,31 @@ void Blowfish::key_expansion(const uint8_t key[],
void Blowfish::eks_key_schedule(const uint8_t key[], size_t length,
const uint8_t salt[16], size_t workfactor)
{
- // Truncate longer passwords to the 56 byte limit Blowfish enforces
- length = std::min<size_t>(length, 55);
-
- if(workfactor == 0)
- throw Invalid_Argument("Bcrypt work factor must be at least 1");
/*
* On a 2.8 GHz Core-i7, workfactor == 18 takes about 25 seconds to
* hash a password. This seems like a reasonable upper bound for the
* time being.
+ * Bcrypt allows up to work factor 31 (2^31 iterations)
*/
if(workfactor > 18)
throw Invalid_Argument("Requested Bcrypt work factor " +
- std::to_string(workfactor) + " too large");
+ std::to_string(workfactor) + " too large");
+
+ if(workfactor < 4)
+ throw Invalid_Argument("Bcrypt requires work factor at least 4");
+
+ if(length > 72)
+ {
+ // Truncate longer passwords to the 72 char bcrypt limit
+ length = 72;
+ }
m_P.resize(18);
copy_mem(m_P.data(), P_INIT, 18);
m_S.resize(1024);
copy_mem(m_S.data(), S_INIT, 1024);
-
key_expansion(key, length, salt);
const uint8_t null_salt[16] = { 0 };
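Review bot: Hashes produced by earlier releases are affected by both the new `workfactor < 4` check and the move of the truncation bound from 55 to 72 bytes, and nothing in `eks_key_schedule` records that for callers. If this function is also reached from the verification path (not visible in this hunk), a stored hash with cost 1–3 now raises `Invalid_Argument` instead of verifying, and a hash that an older release computed from the first 55 bytes of a longer password no longer matches that password. A comment above the checks would make this explicit, e.g. `// NOTE: hashes from older releases with cost < 4 or passwords > 55 bytes will not verify; such accounts need a re-hash`. The literals `4`, `18` and `72` would also read better as named constants, so the limits are stated in one place. The function body continues past the end of the hunk.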
diff --git a/src/tests/data/bcrypt.vec b/src/tests/data/bcrypt.vec
index c78ab970a..de0eefbd2 100644
--- a/src/tests/data/bcrypt.vec
+++ b/src/tests/data/bcrypt.vec
@@ -1,5 +1,4 @@
-
# Generated by jBCrypt 0.3
Password = 616263
Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS
@@ -7,3 +6,274 @@ Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS
# http://www.openwall.com/lists/john-dev/2011/06/19/2
Password = A3
Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq
+
+# Following values from http://download.openwall.net/pub/projects/crypt/bcrypt-tester-1.0.tar.gz
+Password =
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy
+
+Password = 552A55
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW
+
+Password = 552A552A
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK
+
+Password = 552A552A55
+Passhash = $2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a
+
+Password = 303132333435363738396162636465666768696A6B6C6D6E6F707172737475767778797A4142434445464748494A4B4C4D4E4F505152535455565758595A303132333435363738396368617273206166746572203732206172652069676E6F726564
+Passhash = $2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui
+
+Password = A3
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq
+
+Password = FFFFA3
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e
+
+Password = FFA33334FFFFFFA3333435
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi
+
+Password = FFA3333435
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e
+
+Password = A36162
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS
+
+Password = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6368617273206166746572203732206172652069676E6F72656420617320757375616C
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6
+
+Password = AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy
+
+Password = 55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe
+
+# Test very long (> 256 char) password
+# Generated by https://www.dailycred.com/article/bcrypt-calculator
+Password = 4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595b
+Passhash = $2a$04$nP0HWhorPRGl309OF27N0Oluj0wfAKWClP9gDcqOU1D.VF4x6bHTi
+
+# Generated by OpenBSD's bcrypt code
+
+Password =
+Passhash = $2a$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
+
+Password = 41
+Passhash = $2a$04$......................1ylfG1rzUcx/p4E2WWXbK1hNBjulV/e
+
+Password = 4142
+Passhash = $2a$04$......................eLmsldq6Kef4lNzfsH3GLn5XEr9/dky
+
+Password = 414243
+Passhash = $2a$04$......................SeoxjjNIHEA7B01Yt2Fq2YNSKittPem
+
+Password = 41424344
+Passhash = $2a$04$......................5UWApRNcV8gDN6km6KdMC7MJRnFLJLi
+
+Password = 4142434445
+Passhash = $2a$04$......................aqTIOQ1wy6xo2DKiG2jtVHuLfBC.Cte
+
+Password = 414243444546
+Passhash = $2a$04$......................3eUc6EVdIHLPSHsfENd73y1qHUgeET6
+
+Password = 41424344454647
+Passhash = $2a$04$......................FuV659LudNIL0yJfqrb.JB0ab1eCXCy
+
+Password = 4142434445464748
+Passhash = $2a$04$......................1WDT31a/PBuYi4hmam2gvmgA54t9HUO
+
+Password = 414243444546474849
+Passhash = $2a$04$......................aHMfyD101pOa19Avcj8wFk7x8JyP/Oi
+
+Password = 4142434445464748494A
+Passhash = $2a$04$......................MQooKLE8.P36GbWDUbrk2NT3PYZsXOG
+
+Password = 4142434445464748494A4B
+Passhash = $2a$04$......................eprYLc9vXOwDMCyqLAGvznMqJmzEEzu
+
+Password = 4142434445464748494A4B4C
+Passhash = $2a$04$......................wg1/merzamWae4FzZdzXVFCzeXcdRBe
+
+Password = 4142434445464748494A4B4C4D
+Passhash = $2a$04$......................F45.kWUMV0S88ts9G8w1ySdc0eL1QsO
+
+Password = 4142434445464748494A4B4C4D4E
+Passhash = $2a$04$......................b5f2SSP91ThKR9rHlejbqwpgGTKgEPW
+
+Password = 4142434445464748494A4B4C4D4E4F
+Passhash = $2a$04$......................GAUIFe599t9404.M92TX4qg.qlyozvu
+
+Password = 4142434445464748494A4B4C4D4E4F50
+Passhash = $2a$04$......................hGf/sBFCzxtt7aLth.CkSiqMLfMNkky
+
+Password = 4142434445464748494A4B4C4D4E4F5051
+Passhash = $2a$04$......................wxi.5vCbqbfYRB4Ptb9YMVEedkzkg2G
+
+Password = 4142434445464748494A4B4C4D4E4F505152
+Passhash = $2a$04$......................fEQhKOa7gmjs2X6pPxkAG4Ua1CK3/MG
+
+Password = 4142434445464748494A4B4C4D4E4F50515253
+Passhash = $2a$04$......................GeXtzTa.p8bAbpHdSzLDDvcT5z8rd2G
+
+Password = 4142434445464748494A4B4C4D4E4F5051525354
+Passhash = $2a$04$......................D.nuIHnFpRTTietbZXCpTqMLktmgvOG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455
+Passhash = $2a$04$......................0rP0aIe6CiaXgLviO7CrReRMoq4Z76u
+
+Password = 4142434445464748494A4B4C4D4E4F50515253545556
+Passhash = $2a$04$......................2nuK3e9hYlR3ZpUulSwuH9XEFf/TwB.
+
+Password = 4142434445464748494A4B4C4D4E4F5051525354555657
+Passhash = $2a$04$......................pFb7ADMM2CyyVheTwTO4ljTOaAd.SO2
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758
+Passhash = $2a$04$......................Hb6CQJzZLi0jF2iRoWF/LytXl0UIlGi
+
+Password = 4142434445464748494A4B4C4D4E4F50515253545556575859
+Passhash = $2a$04$......................hDkGLLxi1xlzQ2l8yCVZW8STSQwY8ca
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A
+Passhash = $2a$04$......................rEzQdCIvx3710X.o8rPHje0DJNW7nby
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B
+Passhash = $2a$04$......................YRx250oXqZ8PAF9VCwDd3tMHvNG/EYS
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C
+Passhash = $2a$04$......................8VVYuFwpyz50KoSQSww6HtAcM.puvFK
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D
+Passhash = $2a$04$......................U/uWNlMQ1nCojM9KJYXst0H..Vr3K7e
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E
+Passhash = $2a$04$......................JKICUBStZDD90QJxUirvbW6XhMN3k0i
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Passhash = $2a$04$......................XQ1Pz.WGSIGPbun4umJ/uKtAi5mImNK
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60
+Passhash = $2a$04$......................zK87xeHJykwKa7B3WqaREFx8LkTw7w.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061
+Passhash = $2a$04$......................DRU9poimCmGTetm8ijeul2OZ7Ghgyn.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162
+Passhash = $2a$04$......................cOoYOK6c366gK6BBmcYlCPqGGy7/Yce
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Passhash = $2a$04$......................f31Ni98iYpbJzxJoqhWuxvB8PPUOc5G
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364
+Passhash = $2a$04$......................uZLqllZzmsIDcmdihrBslz0A.WJp5lC
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465
+Passhash = $2a$04$......................Mv6hK0wgc5CxkxPVhyit7DjpOLHCRme
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566
+Passhash = $2a$04$......................40cOEgw5sV8TKGjzB4JF.yiTJCBJGsq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667
+Passhash = $2a$04$......................DR/BFDmrsl0CqGeCo5EYawLtrLL2PF6
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768
+Passhash = $2a$04$......................7VtgAnmfpC6qryaX7qsvlfCvk2ooW4S
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566676869
+Passhash = $2a$04$......................Eo0q.nfaVXn4NIfoyveRiLRKHSMDAHW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A
+Passhash = $2a$04$......................kfxex5FfUJhJQYogm.8FloXjQjvcl..
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B
+Passhash = $2a$04$......................fmpuNlu0eW7fsRBEbIlZs/ZIP0a9Dby
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C
+Passhash = $2a$04$......................mI0Rbwk/yFUkA/TLKmMfSMu4KqSGzZq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D
+Passhash = $2a$04$......................jqCcJxoUtwRpIFnCPZtrn2zpFY6tU6a
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E
+Passhash = $2a$04$......................FGzij2Dvl2qbVhtOfDhvGodD0BaH1zO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Passhash = $2a$04$......................8gWGyOqSrT/N84xajt5y1cc7kdYTS1C
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70
+Passhash = $2a$04$......................n0uapt/O8ZGLLoTYi8RVz5gtLzcH9OG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071
+Passhash = $2a$04$......................snIIPVZopm0TC4WLrpTNtW136us.66S
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172
+Passhash = $2a$04$......................xJlz/E02Am2/sxO97jDYuFkxKMCNPuC
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273
+Passhash = $2a$04$......................ci6b5BSX.Gt1z2O5on9.k9Po1q6nJMe
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374
+Passhash = $2a$04$......................JGYY7FRsBznRZJfr8gNUgmRIekndoEu
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475
+Passhash = $2a$04$......................c.8sucK9TMUPlwbux0u2EjoWeS7exm.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576
+Passhash = $2a$04$......................2iQopzqprPYwjRJTAJnVPO00t8/HyT.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374757677
+Passhash = $2a$04$......................COrfw5/Mj6Js8CePzOVuowO57dzDlXq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778
+Passhash = $2a$04$......................M/SrGocfiSlHaOnFqqV0RGjlcuPM2xO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576777879
+Passhash = $2a$04$......................gPjyepv.g7qMZXDTwcEjfks0xFwQDsW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A
+Passhash = $2a$04$......................YCdU1yffMxpqGnbkhm4j11QBUQzr6vW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B
+Passhash = $2a$04$......................PFZW7x0F2WdDhhfr9IbRIJhaUrlT/4.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C
+Passhash = $2a$04$......................2gd/Za4BdTci7v1rdamN0XZ5lk5PnuO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D
+Passhash = $2a$04$......................fbhaW8SPcJjDFtC9ruTvwIZhbhoT6Ve
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E
+Passhash = $2a$04$......................yB12tMsxREReDqkSHzR6G890abKjKHi
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Passhash = $2a$04$......................yyR3U//QnDydsWfSIZwCsrzXqwdED7e
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80
+Passhash = $2a$04$......................IWK3CyxBeu3hZXP./rSl1gS.CHOl51q
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
+Passhash = $2a$04$......................OrN52h3sUOH7u7aUFZLLPecPAC6pDUy
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182
+Passhash = $2a$04$......................7czL69h9T6Z84Yen8wrtzeNUPZIksLq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283
+Passhash = $2a$04$......................hlFxmtvTDFEJ/W7ViRXVzIBmwELyxde
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384
+Passhash = $2a$04$......................wtpFiSjRvlfidwkUDR2EefHBYOStMyO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485
+Passhash = $2a$04$......................fFhiRdC6u8ZnZNqxK5vIyMinSFC4HjG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586
+Passhash = $2a$04$......................FCJRl4rapF1jLog3AjcYUtLupr62MHW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384858687
+Passhash = $2a$04$......................qt4eTaEVpLnPbEit4noon6YMRxjO8kq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
+# This demonstrates truncation of passwords > 72 chars, identical to previous hash
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586878889
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
diff --git a/src/tests/test_passhash.cpp b/src/tests/test_passhash.cpp
index 126b68780..1e83b8d4c 100644
--- a/src/tests/test_passhash.cpp
+++ b/src/tests/test_passhash.cpp
@@ -36,9 +36,9 @@ class Bcrypt_Tests : public Text_Based_Test
Test::Result result("bcrypt");
result.test_eq("correct hash accepted", Botan::check_bcrypt(password, passhash), true);
- const size_t max_level = (Test::run_long_tests() ? 14 : 11);
+ const size_t max_level = (Test::run_long_tests() ? 14 : 7);
- for(size_t level = 1; level <= max_level; ++level)
+ for(size_t level = 4; level <= max_level; ++level)
{
const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true);
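Review bot: Nothing in this test exercises the rejection path the commit introduces; the loop now starts at `level = 4` and stops at 7 or 14, so work factors 0–3 and values above 18 are never passed to `generate_bcrypt`. A negative case would pin the new contract, for example `result.test_throws("work factor 3 rejected", [&]() { generate_bcrypt(password, Test::rng(), 3); });` if the harness's `test_throws` helper is available in this tree. The `for` body continues past the end of the hunk.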