Password hashing is a pretty useful service, really. Move the guts of

the passhash example to the library. Support variable work factors;
default work factor of 10 takes about half a second to do one password
on my Core2. Switch to using SHA-512 instead of SHA-1 in PBKDF2. To keep
the output evenly sized for base64 purposes, reduce PBKDF2 output size by
one byte (to 112 bits).

3 files changed, 125 insertions, 0 deletions

diff --git a/src/constructs/passhash/info.txt b/src/constructs/passhash/info.txt
new file mode 100644
index 000000000..b2f54ef0a
--- /dev/null
+++ b/src/constructs/passhash/info.txt
@@ -0,0 +1,10 @@
+define PASSHASH
+
+<requires>
+pbkdf2
+sha2
+hmac
+rng
+base64
+</requires>
+
diff --git a/src/constructs/passhash/passhash.cpp b/src/constructs/passhash/passhash.cpp
new file mode 100644
index 000000000..dade15ddb
--- /dev/null
+++ b/src/constructs/passhash/passhash.cpp
@@ -0,0 +1,80 @@
+/*
+* Password Hashing
+* (C) 2010 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/passhash.h>
+#include <botan/pbkdf2.h>
+#include <botan/hmac.h>
+#include <botan/sha2_64.h>
+#include <botan/base64.h>
+#include <botan/pipe.h>
+
+namespace Botan {
+
+namespace {
+
+const u32bit SALT_BYTES = 8; // 64 bits of salt
+const u32bit PBKDF_OUTPUT_LEN = 15; // 112 bits output
+const u32bit WORK_FACTOR_SCALE = 10000;
+
+}
+
+std::string password_hash(const std::string& pass,
+                          RandomNumberGenerator& rng,
+                          byte work_factor)
+   {
+   PKCS5_PBKDF2 kdf(new HMAC(new SHA_512));
+
+   SecureVector<byte> salt(SALT_BYTES);
+   rng.randomize(&salt[0], salt.size());
+
+   u32bit kdf_iterations = WORK_FACTOR_SCALE * work_factor;
+
+   SecureVector<byte> pbkdf2_output =
+      kdf.derive_key(PBKDF_OUTPUT_LEN, pass,
+                     &salt[0], salt.size(),
+                     kdf_iterations).bits_of();
+
+   Pipe pipe(new Base64_Encoder);
+   pipe.start_msg();
+   pipe.write(work_factor);
+   pipe.write(salt);
+   pipe.write(pbkdf2_output);
+   pipe.end_msg();
+
+   return pipe.read_all_as_string();
+   }
+
+bool password_hash_ok(const std::string& pass, const std::string& hash)
+   {
+   Pipe pipe(new Base64_Decoder);
+   pipe.start_msg();
+   pipe.write(hash);
+   pipe.end_msg();
+
+   SecureVector<byte> bin = pipe.read_all();
+
+   if(bin.size() != (1 + PBKDF_OUTPUT_LEN + SALT_BYTES))
+      return false;
+
+   u32bit kdf_iterations = WORK_FACTOR_SCALE * bin[0];
+
+   if(kdf_iterations == 0)
+      return false;
+
+   PKCS5_PBKDF2 kdf(new HMAC(new SHA_512));
+
+   SecureVector<byte> cmp = kdf.derive_key(
+      PBKDF_OUTPUT_LEN, pass,
+      &bin[1], SALT_BYTES,
+      kdf_iterations).bits_of();
+
+   return same_mem(cmp.begin(),
+                   bin.begin() + 1 + SALT_BYTES,
+                   PBKDF_OUTPUT_LEN);
+   }
+
+}
diff --git a/src/constructs/passhash/passhash.h b/src/constructs/passhash/passhash.h
new file mode 100644
index 000000000..e3b0419fe
--- /dev/null
+++ b/src/constructs/passhash/passhash.h
@@ -0,0 +1,35 @@
+/*
+* Password Hashing
+* (C) 2010 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_PASSHASH_H__
+#define BOTAN_PASSHASH_H__
+
+#include <botan/rng.h>
+
+namespace Botan {
+
+/**
+* Create a password hash using PBKDF2
+* @param password the password
+* @param rng a random number generator
+* @Param work_factor how much work to do to slow down guessing attacks
+*/
+std::string BOTAN_DLL password_hash(const std::string& password,
+                                    RandomNumberGenerator& rng,
+                                    byte work_factor = 10);
+
+/**
+* Check a previously created password hash
+* @param password the password to check against
+* @param hash the stored hash to check against
+*/
+bool BOTAN_DLL password_hash_ok(const std::string& password,
+                                const std::string& hash);
+
+}
+
+#endif