Fix incorrect password truncation in bcrypt password hashing.

The 56 char bound is bogus; Blowfish itself allows at most 448 bits
in the key schedule, but Bcrypt's modification allows up to 72 chars
for the password. Bug pointed out by Solar Designer.

Also reject work factors 0...3 since all other extant bcrypt
implementations require at least work factor 4.
Adds more bcrypt tests generated by crypt_bcrypt and OpenBSD's version.

2 files changed, 32 insertions, 4 deletions

diff --git a/doc/manual/passhash.rst b/doc/manual/passhash.rst
index b3db1f3e7..725fc5535 100644
--- a/doc/manual/passhash.rst
+++ b/doc/manual/passhash.rst
@@ -85,12 +85,22 @@ Bcrypt provides outputs that look like this::
 
   "$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2"
 
+Currently only the `2a` bcrypt format is supported.
+
 .. cpp:function:: std::string generate_bcrypt(const std::string& password, \
    RandomNumberGenerator& rng, u16bit work_factor = 10)
 
-   Takes the password to hash, a rng, and a work factor. Higher values
-   increase the amount of time the algorithm runs, increasing the cost
-   of cracking attempts. The resulting hash is returned as a string.
+   Takes the password to hash, a rng, and a work factor. Higher work
+   factors increase the amount of time the algorithm runs, increasing
+   the cost of cracking attempts. The increase is exponential, so a
+   work factor of 10 takes roughly twice as long as work factor 9.
+
+   The resulting password hash is returned as a string.
+
+   Work factor must be at least 4. The bcrypt format allows up to 31,
+   but Botan currently rejects all work factors greater than 18 since
+   even that work factor requires roughly 30 seconds of computation on
+   a fast machine.
 
 .. cpp:function:: bool check_bcrypt(const std::string& password, \
    const std::string& hash)
@@ -105,7 +115,9 @@ Passhash9
 ----------------------------------------
 
 Botan also provides a password hashing technique called passhash9, in
-``passhash9.h``, which is based on PBKDF2. Its outputs look like::
+``passhash9.h``, which is based on PBKDF2.
+
+Passhash9 hashes look like::
 
   "$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT"
 
@@ -113,6 +125,11 @@ This function should be secure with the proper parameters, and will remain in
 the library for the forseeable future, but it is specific to Botan rather than
 being a widely used password hash. Prefer bcrypt.
 
+.. warning::
+
+   This password format string ("$9$") conflicts with the format used
+   for scrypt password hashes on Cisco systems.
+
 .. cpp:function:: std::string generate_passhash9(const std::string& password, \
    RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 1)
 
diff --git a/doc/security.rst b/doc/security.rst
index 2ab105efd..2a46ca3b2 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,17 @@ mail please use::
 This key can be found in the file ``doc/pgpkey.txt`` or online at
 https://keybase.io/jacklloyd and on most PGP keyservers.
 
+2017
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2017-03-23: Incorrect bcrypt computation
+
+  Botan's implementation of bcrypt password hashing scheme truncated long
+  passwords at 56 characters, instead of at bcrypt's standard 72 characters
+  limit. Passwords with lengths between these two bounds could be cracked more
+  easily than should be the case due to the final password bytes being
+  ignored. Found and reported by Solar Designer.
+
 2016
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^