-rw-r--r--doc/manual/passhash.rst25
-rw-r--r--doc/security.rst11
-rw-r--r--news.rst4
-rw-r--r--src/lib/block/blowfish/blowfish.cpp18
-rw-r--r--src/tests/data/bcrypt.vec272
-rw-r--r--src/tests/test_passhash.cpp26
6 files changed, 341 insertions, 15 deletions
diff --git a/doc/manual/passhash.rst b/doc/manual/passhash.rst
index b3db1f3e7..725fc5535 100644
--- a/doc/manual/passhash.rst
+++ b/doc/manual/passhash.rst
@@ -85,12 +85,22 @@ Bcrypt provides outputs that look like this::
"$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2"
+Currently only the `2a` bcrypt format is supported.
+
.. cpp:function:: std::string generate_bcrypt(const std::string& password, \
RandomNumberGenerator& rng, u16bit work_factor = 10)
- Takes the password to hash, a rng, and a work factor. Higher values
- increase the amount of time the algorithm runs, increasing the cost
- of cracking attempts. The resulting hash is returned as a string.
+ Takes the password to hash, a rng, and a work factor. Higher work
+ factors increase the amount of time the algorithm runs, increasing
+ the cost of cracking attempts. The increase is exponential, so a
+ work factor of 10 takes roughly twice as long as work factor 9.
+
+ The resulting password hash is returned as a string.
+
+ Work factor must be at least 4. The bcrypt format allows up to 31,
+ but Botan currently rejects all work factors greater than 18 since
+ even that work factor requires roughly 30 seconds of computation on
+ a fast machine.
.. cpp:function:: bool check_bcrypt(const std::string& password, \
const std::string& hash)
@@ -105,7 +115,9 @@ Passhash9
----------------------------------------
Botan also provides a password hashing technique called passhash9, in
-``passhash9.h``, which is based on PBKDF2. Its outputs look like::
+``passhash9.h``, which is based on PBKDF2.
+
+Passhash9 hashes look like::
"$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT"
@@ -113,6 +125,11 @@ This function should be secure with the proper parameters, and will remain in
the library for the forseeable future, but it is specific to Botan rather than
being a widely used password hash. Prefer bcrypt.
+.. warning::
+
+ This password format string ("$9$") conflicts with the format used
+ for scrypt password hashes on Cisco systems.
+
.. cpp:function:: std::string generate_passhash9(const std::string& password, \
RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 1)
diff --git a/doc/security.rst b/doc/security.rst
index 2ab105efd..e6467f675 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -15,6 +15,17 @@ mail please use::
This key can be found in the file ``doc/pgpkey.txt`` or online at
https://keybase.io/jacklloyd and on most PGP keyservers.
+2017
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2017-03-23 (CVE-2016-7252): Incorrect bcrypt computation
+
+ Botan's implementation of bcrypt password hashing scheme truncated long
+ passwords at 56 characters, instead of at bcrypt's standard 72 characters
+ limit. Passwords with lengths between these two bounds could be cracked more
+ easily than should be the case due to the final password bytes being
+ ignored. Found and reported by Solar Designer.
+
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/news.rst b/news.rst
index 4cf206670..fc98e79d8 100644
--- a/news.rst
+++ b/news.rst
@@ -4,6 +4,10 @@ Release Notes
Version 2.1.0, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* Fix incorrect truncation in Bcrypt. Passwords in length between 56
+ and 72 characters were truncated at 56 characters. Found and
+ reported by Solar Designer. (CVE-2017-7252)
+
* Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
identically to an 8-byte IV of all zeros.
diff --git a/src/lib/block/blowfish/blowfish.cpp b/src/lib/block/blowfish/blowfish.cpp
index 17ac00a1f..68d73cafd 100644
--- a/src/lib/block/blowfish/blowfish.cpp
+++ b/src/lib/block/blowfish/blowfish.cpp
@@ -291,27 +291,31 @@ void Blowfish::key_expansion(const uint8_t key[],
void Blowfish::eks_key_schedule(const uint8_t key[], size_t length,
const uint8_t salt[16], size_t workfactor)
{
- // Truncate longer passwords to the 56 byte limit Blowfish enforces
- length = std::min<size_t>(length, 55);
-
- if(workfactor == 0)
- throw Invalid_Argument("Bcrypt work factor must be at least 1");
/*
* On a 2.8 GHz Core-i7, workfactor == 18 takes about 25 seconds to
* hash a password. This seems like a reasonable upper bound for the
* time being.
+ * Bcrypt allows up to work factor 31 (2^31 iterations)
*/
if(workfactor > 18)
throw Invalid_Argument("Requested Bcrypt work factor " +
- std::to_string(workfactor) + " too large");
+ std::to_string(workfactor) + " too large");
+
+ if(workfactor < 4)
+ throw Invalid_Argument("Bcrypt requires work factor at least 4");
+
+ if(length > 72)
+ {
+ // Truncate longer passwords to the 72 char bcrypt limit
+ length = 72;
+ }
m_P.resize(18);
copy_mem(m_P.data(), P_INIT, 18);
m_S.resize(1024);
copy_mem(m_S.data(), S_INIT, 1024);
-
key_expansion(key, length, salt);
const uint8_t null_salt[16] = { 0 };
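Review bot: The new `if(workfactor < 4)` rejection turns hashes that the removed `workfactor == 0` check accepted (cost 1–3, which earlier Botan releases would happily generate) into an `Invalid_Argument` throw; if `check_bcrypt` routes through this key schedule, as it appears to, verifying such a stored hash now raises instead of returning false, and news.rst should call that compatibility change out. The silent cut to 72 bytes matches other bcrypt implementations (the 72- and 73-byte vectors hash identically), but it is undocumented in passhash.rst; I'd add `Passwords longer than 72 bytes are silently truncated to 72 bytes, so pre-hash or reject longer inputs at the application layer.` to the generate_bcrypt description. Note that the 72-byte cap applies to the password plus bcrypt's terminating NUL, which has to be appended by the caller before this function is reached — that happens outside this file, so confirm it against the 71/72-byte OpenBSD vectors. Separately, the advisory in doc/security.rst cites CVE-2016-7252 while news.rst cites CVE-2017-7252; one identifier is wrong and should be corrected before the advisory is published. eks_key_schedule's body continues past the end of the hunk.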
diff --git a/src/tests/data/bcrypt.vec b/src/tests/data/bcrypt.vec
index c78ab970a..de0eefbd2 100644
--- a/src/tests/data/bcrypt.vec
+++ b/src/tests/data/bcrypt.vec
@@ -1,5 +1,4 @@
-
# Generated by jBCrypt 0.3
Password = 616263
Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS
@@ -7,3 +6,274 @@ Passhash = $2a$05$DfPyLs.G6.To9fXEFgUL1O6HpYw3jIXgPcl/L3Qt3jESuWmhxtmpS
# http://www.openwall.com/lists/john-dev/2011/06/19/2
Password = A3
Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq
+
+# Following values from http://download.openwall.net/pub/projects/crypt/bcrypt-tester-1.0.tar.gz
+Password =
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy
+
+Password = 552A55
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW
+
+Password = 552A552A
+Passhash = $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK
+
+Password = 552A552A55
+Passhash = $2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a
+
+Password = 303132333435363738396162636465666768696A6B6C6D6E6F707172737475767778797A4142434445464748494A4B4C4D4E4F505152535455565758595A303132333435363738396368617273206166746572203732206172652069676E6F726564
+Passhash = $2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui
+
+Password = A3
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq
+
+Password = FFFFA3
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e
+
+Password = FFA33334FFFFFFA3333435
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi
+
+Password = FFA3333435
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e
+
+Password = A36162
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS
+
+Password = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6368617273206166746572203732206172652069676E6F72656420617320757375616C
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6
+
+Password = AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55AA55
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy
+
+Password = 55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF55AAFF
+Passhash = $2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe
+
+# Test very long (> 256 char) password
+# Generated by https://www.dailycred.com/article/bcrypt-calculator
+Password = 4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595a4142434445464748494a4b4c4d4e4f505152535455565758595b
+Passhash = $2a$04$nP0HWhorPRGl309OF27N0Oluj0wfAKWClP9gDcqOU1D.VF4x6bHTi
+
+# Generated by OpenBSD's bcrypt code
+
+Password =
+Passhash = $2a$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
+
+Password = 41
+Passhash = $2a$04$......................1ylfG1rzUcx/p4E2WWXbK1hNBjulV/e
+
+Password = 4142
+Passhash = $2a$04$......................eLmsldq6Kef4lNzfsH3GLn5XEr9/dky
+
+Password = 414243
+Passhash = $2a$04$......................SeoxjjNIHEA7B01Yt2Fq2YNSKittPem
+
+Password = 41424344
+Passhash = $2a$04$......................5UWApRNcV8gDN6km6KdMC7MJRnFLJLi
+
+Password = 4142434445
+Passhash = $2a$04$......................aqTIOQ1wy6xo2DKiG2jtVHuLfBC.Cte
+
+Password = 414243444546
+Passhash = $2a$04$......................3eUc6EVdIHLPSHsfENd73y1qHUgeET6
+
+Password = 41424344454647
+Passhash = $2a$04$......................FuV659LudNIL0yJfqrb.JB0ab1eCXCy
+
+Password = 4142434445464748
+Passhash = $2a$04$......................1WDT31a/PBuYi4hmam2gvmgA54t9HUO
+
+Password = 414243444546474849
+Passhash = $2a$04$......................aHMfyD101pOa19Avcj8wFk7x8JyP/Oi
+
+Password = 4142434445464748494A
+Passhash = $2a$04$......................MQooKLE8.P36GbWDUbrk2NT3PYZsXOG
+
+Password = 4142434445464748494A4B
+Passhash = $2a$04$......................eprYLc9vXOwDMCyqLAGvznMqJmzEEzu
+
+Password = 4142434445464748494A4B4C
+Passhash = $2a$04$......................wg1/merzamWae4FzZdzXVFCzeXcdRBe
+
+Password = 4142434445464748494A4B4C4D
+Passhash = $2a$04$......................F45.kWUMV0S88ts9G8w1ySdc0eL1QsO
+
+Password = 4142434445464748494A4B4C4D4E
+Passhash = $2a$04$......................b5f2SSP91ThKR9rHlejbqwpgGTKgEPW
+
+Password = 4142434445464748494A4B4C4D4E4F
+Passhash = $2a$04$......................GAUIFe599t9404.M92TX4qg.qlyozvu
+
+Password = 4142434445464748494A4B4C4D4E4F50
+Passhash = $2a$04$......................hGf/sBFCzxtt7aLth.CkSiqMLfMNkky
+
+Password = 4142434445464748494A4B4C4D4E4F5051
+Passhash = $2a$04$......................wxi.5vCbqbfYRB4Ptb9YMVEedkzkg2G
+
+Password = 4142434445464748494A4B4C4D4E4F505152
+Passhash = $2a$04$......................fEQhKOa7gmjs2X6pPxkAG4Ua1CK3/MG
+
+Password = 4142434445464748494A4B4C4D4E4F50515253
+Passhash = $2a$04$......................GeXtzTa.p8bAbpHdSzLDDvcT5z8rd2G
+
+Password = 4142434445464748494A4B4C4D4E4F5051525354
+Passhash = $2a$04$......................D.nuIHnFpRTTietbZXCpTqMLktmgvOG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455
+Passhash = $2a$04$......................0rP0aIe6CiaXgLviO7CrReRMoq4Z76u
+
+Password = 4142434445464748494A4B4C4D4E4F50515253545556
+Passhash = $2a$04$......................2nuK3e9hYlR3ZpUulSwuH9XEFf/TwB.
+
+Password = 4142434445464748494A4B4C4D4E4F5051525354555657
+Passhash = $2a$04$......................pFb7ADMM2CyyVheTwTO4ljTOaAd.SO2
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758
+Passhash = $2a$04$......................Hb6CQJzZLi0jF2iRoWF/LytXl0UIlGi
+
+Password = 4142434445464748494A4B4C4D4E4F50515253545556575859
+Passhash = $2a$04$......................hDkGLLxi1xlzQ2l8yCVZW8STSQwY8ca
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A
+Passhash = $2a$04$......................rEzQdCIvx3710X.o8rPHje0DJNW7nby
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B
+Passhash = $2a$04$......................YRx250oXqZ8PAF9VCwDd3tMHvNG/EYS
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C
+Passhash = $2a$04$......................8VVYuFwpyz50KoSQSww6HtAcM.puvFK
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D
+Passhash = $2a$04$......................U/uWNlMQ1nCojM9KJYXst0H..Vr3K7e
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E
+Passhash = $2a$04$......................JKICUBStZDD90QJxUirvbW6XhMN3k0i
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Passhash = $2a$04$......................XQ1Pz.WGSIGPbun4umJ/uKtAi5mImNK
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60
+Passhash = $2a$04$......................zK87xeHJykwKa7B3WqaREFx8LkTw7w.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061
+Passhash = $2a$04$......................DRU9poimCmGTetm8ijeul2OZ7Ghgyn.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162
+Passhash = $2a$04$......................cOoYOK6c366gK6BBmcYlCPqGGy7/Yce
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Passhash = $2a$04$......................f31Ni98iYpbJzxJoqhWuxvB8PPUOc5G
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364
+Passhash = $2a$04$......................uZLqllZzmsIDcmdihrBslz0A.WJp5lC
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465
+Passhash = $2a$04$......................Mv6hK0wgc5CxkxPVhyit7DjpOLHCRme
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566
+Passhash = $2a$04$......................40cOEgw5sV8TKGjzB4JF.yiTJCBJGsq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667
+Passhash = $2a$04$......................DR/BFDmrsl0CqGeCo5EYawLtrLL2PF6
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768
+Passhash = $2a$04$......................7VtgAnmfpC6qryaX7qsvlfCvk2ooW4S
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263646566676869
+Passhash = $2a$04$......................Eo0q.nfaVXn4NIfoyveRiLRKHSMDAHW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A
+Passhash = $2a$04$......................kfxex5FfUJhJQYogm.8FloXjQjvcl..
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B
+Passhash = $2a$04$......................fmpuNlu0eW7fsRBEbIlZs/ZIP0a9Dby
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C
+Passhash = $2a$04$......................mI0Rbwk/yFUkA/TLKmMfSMu4KqSGzZq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D
+Passhash = $2a$04$......................jqCcJxoUtwRpIFnCPZtrn2zpFY6tU6a
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E
+Passhash = $2a$04$......................FGzij2Dvl2qbVhtOfDhvGodD0BaH1zO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Passhash = $2a$04$......................8gWGyOqSrT/N84xajt5y1cc7kdYTS1C
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70
+Passhash = $2a$04$......................n0uapt/O8ZGLLoTYi8RVz5gtLzcH9OG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071
+Passhash = $2a$04$......................snIIPVZopm0TC4WLrpTNtW136us.66S
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172
+Passhash = $2a$04$......................xJlz/E02Am2/sxO97jDYuFkxKMCNPuC
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273
+Passhash = $2a$04$......................ci6b5BSX.Gt1z2O5on9.k9Po1q6nJMe
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374
+Passhash = $2a$04$......................JGYY7FRsBznRZJfr8gNUgmRIekndoEu
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475
+Passhash = $2a$04$......................c.8sucK9TMUPlwbux0u2EjoWeS7exm.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576
+Passhash = $2a$04$......................2iQopzqprPYwjRJTAJnVPO00t8/HyT.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071727374757677
+Passhash = $2a$04$......................COrfw5/Mj6Js8CePzOVuowO57dzDlXq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778
+Passhash = $2a$04$......................M/SrGocfiSlHaOnFqqV0RGjlcuPM2xO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F70717273747576777879
+Passhash = $2a$04$......................gPjyepv.g7qMZXDTwcEjfks0xFwQDsW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A
+Passhash = $2a$04$......................YCdU1yffMxpqGnbkhm4j11QBUQzr6vW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B
+Passhash = $2a$04$......................PFZW7x0F2WdDhhfr9IbRIJhaUrlT/4.
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C
+Passhash = $2a$04$......................2gd/Za4BdTci7v1rdamN0XZ5lk5PnuO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D
+Passhash = $2a$04$......................fbhaW8SPcJjDFtC9ruTvwIZhbhoT6Ve
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E
+Passhash = $2a$04$......................yB12tMsxREReDqkSHzR6G890abKjKHi
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Passhash = $2a$04$......................yyR3U//QnDydsWfSIZwCsrzXqwdED7e
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80
+Passhash = $2a$04$......................IWK3CyxBeu3hZXP./rSl1gS.CHOl51q
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
+Passhash = $2a$04$......................OrN52h3sUOH7u7aUFZLLPecPAC6pDUy
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182
+Passhash = $2a$04$......................7czL69h9T6Z84Yen8wrtzeNUPZIksLq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283
+Passhash = $2a$04$......................hlFxmtvTDFEJ/W7ViRXVzIBmwELyxde
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384
+Passhash = $2a$04$......................wtpFiSjRvlfidwkUDR2EefHBYOStMyO
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485
+Passhash = $2a$04$......................fFhiRdC6u8ZnZNqxK5vIyMinSFC4HjG
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586
+Passhash = $2a$04$......................FCJRl4rapF1jLog3AjcYUtLupr62MHW
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081828384858687
+Passhash = $2a$04$......................qt4eTaEVpLnPbEit4noon6YMRxjO8kq
+
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
+# This demonstrates truncation of passwords > 72 chars, identical to previous hash
+Password = 4142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80818283848586878889
+Passhash = $2a$04$....................../VvYrJip/blbJEy92Sih8t0k26f242.
+
diff --git a/src/tests/test_passhash.cpp b/src/tests/test_passhash.cpp
index 126b68780..05f53780a 100644
--- a/src/tests/test_passhash.cpp
+++ b/src/tests/test_passhash.cpp
@@ -36,9 +36,8 @@ class Bcrypt_Tests : public Text_Based_Test
Test::Result result("bcrypt");
result.test_eq("correct hash accepted", Botan::check_bcrypt(password, passhash), true);
- const size_t max_level = (Test::run_long_tests() ? 14 : 11);
-
- for(size_t level = 1; level <= max_level; ++level)
+ // self-test low levels for each test password
+ for(size_t level = 4; level <= 6; ++level)
{
const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true);
@@ -46,6 +45,27 @@ class Bcrypt_Tests : public Text_Based_Test
return result;
}
+
+ std::vector<Test::Result> run_final_tests()
+ {
+ Test::Result result("bcrypt");
+
+ uint64_t start = Test::timestamp();
+
+ const std::string password = "ag00d1_2BE5ur3";
+
+ const size_t max_level = (Test::run_long_tests() ? 15 : 10);
+
+ for(size_t level = 4; level <= max_level; ++level)
+ {
+ const std::string gen_hash = generate_bcrypt(password, Test::rng(), level);
+ result.test_eq("generated hash accepted", Botan::check_bcrypt(password, gen_hash), true);
+ }
+
+ result.set_ns_consumed(Test::timestamp() - start);
+
+ return {result};
+ }
};
BOTAN_REGISTER_TEST("bcrypt", Bcrypt_Tests);
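Review bot: Neither new loop exercises the bounds the library now enforces, so a regression re-admitting work factor 3 or 19 would go unnoticed; in `run_final_tests` I'd add `result.test_throws("work factor 3 rejected", [&]{ Botan::generate_bcrypt(password, Test::rng(), 3); });` and the same for 19, assuming `Test::Result::test_throws` exists in this harness. The per-vector loop in the first hunk only checks that a freshly generated hash verifies; it never asserts that a modified password is refused, and `result.test_eq("wrong password rejected", Botan::check_bcrypt(password + "x", gen_hash), false)` guarded by `if(password.size() < 72)` (longer inputs truncate and would still verify) would cover the negative path. `run_final_tests` should be declared `override` if it replaces a virtual on the Test base as elsewhere in the suite — worth confirming against tests.h. The Bcrypt_Tests class opens before the first hunk.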