author | Jack Lloyd <[email protected]> | 2017-03-23 15:45:50 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-03-24 10:55:38 -0400 |
commit | c0901e801d72bb2fdf3a205f6debf5ed954567f8 (patch) | |
tree | a959f1ce5fb348d8160938a5bb4fb2070f3a6c71 /src/tests/test_passhash.cpp | |
parent | c936086354203ddf275435fff611d3e2c99e6975 (diff) |
Fix incorrect password truncation in bcrypt password hashing.
The 56 char bound is bogus; Blowfish itself allows at most 448 bits
in the key schedule, but Bcrypt's modification allows up to 72 chars
for the password. Bug pointed out by Solar Designer.
Also reject work factors 0...3 since all other extant bcrypt
implementations require at least work factor 4.
Adds more bcrypt tests generated by crypt_bcrypt and OpenBSD's version.
Diffstat (limited to 'src/tests/test_passhash.cpp')
-rw-r--r-- | src/tests/test_passhash.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/tests/test_passhash.cpp b/src/tests/test_passhash.cpp
index 126b68780..1e83b8d4c 100644
--- a/src/tests/test_passhash.cpp
+++ b/src/tests/test_passhash.cpp
@@ -36,9 +36,9 @@ class Bcrypt_Tests : public Text_Based_Test
 Test::Result result("bcrypt");
 result.test_eq("correct hash accepted", Botan::check_bcrypt(password, passhash), true);
- const size_t max_level = (Test::run_long_tests() ? 14 : 11);
+ const size_t max_level = (Test::run_long_tests() ? 14 : 7);
- for(size_t level = 1; level <= max_level; ++level)
+ for(size_t level = 4; level <= max_level; ++level)
 {
 const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
 result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true); |
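Review bot: The loop now starts at `level = 4`, so nothing in this hunk exercises work factors 0–3, which the commit message says are now rejected; a negative case would pin that behaviour and catch a regression that silently accepts a weak cost. Assuming rejection is signalled by an exception, a line such as `result.test_throws("work factor below 4 rejected", [&]() { generate_bcrypt(password, Test::rng(), 3); });` before the loop would cover it. The truncation fix also needs a vector whose password is longer than 56 characters and differs only past that point; such vectors are presumably in the test data file, which this page does not show. The enclosing test function starts and ends outside the hunk.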