source: code/trunk/vendor/golang.org/x/crypto/bcrypt/bcrypt.go@ 822

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
package bcrypt // import "golang.org/x/crypto/bcrypt"

// The code is a port of Provos and Mazières's C implementation.
import (
        "crypto/rand"
        "crypto/subtle"
        "errors"
        "fmt"
        "io"
        "strconv"

        "golang.org/x/crypto/blowfish"
)

const (
        MinCost     int = 4  // the minimum allowable cost as passed in to GenerateFromPassword
        MaxCost     int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
        DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
)

// The error returned from CompareHashAndPassword when a password and hash do
// not match.
var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")

// The error returned from CompareHashAndPassword when a hash is too short to
// be a bcrypt hash.
var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")

// The error returned from CompareHashAndPassword when a hash was created with
// a bcrypt algorithm newer than this implementation.
type HashVersionTooNewError byte

func (hv HashVersionTooNewError) Error() string {
        return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
}

// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
type InvalidHashPrefixError byte

func (ih InvalidHashPrefixError) Error() string {
        return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
}

type InvalidCostError int

func (ic InvalidCostError) Error() string {
        return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), MinCost, MaxCost)
}

const (
        majorVersion       = '2'
        minorVersion       = 'a'
        maxSaltSize        = 16
        maxCryptedHashSize = 23
        encodedSaltSize    = 22
        encodedHashSize    = 31
        minHashSize        = 59
)

// magicCipherData is an IV for the 64 Blowfish encryption calls in
// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
var magicCipherData = []byte{
        0x4f, 0x72, 0x70, 0x68,
        0x65, 0x61, 0x6e, 0x42,
        0x65, 0x68, 0x6f, 0x6c,
        0x64, 0x65, 0x72, 0x53,
        0x63, 0x72, 0x79, 0x44,
        0x6f, 0x75, 0x62, 0x74,
}

type hashed struct {
        hash  []byte
        salt  []byte
        cost  int // allowed range is MinCost to MaxCost
        major byte
        minor byte
}

// ErrPasswordTooLong is returned when the password passed to
// GenerateFromPassword is too long (i.e. > 72 bytes).
var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes")

// GenerateFromPassword returns the bcrypt hash of the password at the given
// cost. If the cost given is less than MinCost, the cost will be set to
// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
// to compare the returned hashed password with its cleartext version.
// GenerateFromPassword does not accept passwords longer than 72 bytes, which
// is the longest password bcrypt will operate on.
func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
        if len(password) > 72 {
                return nil, ErrPasswordTooLong
        }
        p, err := newFromPassword(password, cost)
        if err != nil {
                return nil, err
        }
        return p.Hash(), nil
}

// CompareHashAndPassword compares a bcrypt hashed password with its possible
// plaintext equivalent. Returns nil on success, or an error on failure.
func CompareHashAndPassword(hashedPassword, password []byte) error {
        p, err := newFromHash(hashedPassword)
        if err != nil {
                return err
        }

        otherHash, err := bcrypt(password, p.cost, p.salt)
        if err != nil {
                return err
        }

        otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
        if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
                return nil
        }

        return ErrMismatchedHashAndPassword
}

// Cost returns the hashing cost used to create the given hashed
// password. When, in the future, the hashing cost of a password system needs
// to be increased in order to adjust for greater computational power, this
// function allows one to establish which passwords need to be updated.
func Cost(hashedPassword []byte) (int, error) {
        p, err := newFromHash(hashedPassword)
        if err != nil {
                return 0, err
        }
        return p.cost, nil
}

func newFromPassword(password []byte, cost int) (*hashed, error) {
        if cost < MinCost {
                cost = DefaultCost
        }
        p := new(hashed)
        p.major = majorVersion
        p.minor = minorVersion

        err := checkCost(cost)
        if err != nil {
                return nil, err
        }
        p.cost = cost

        unencodedSalt := make([]byte, maxSaltSize)
        _, err = io.ReadFull(rand.Reader, unencodedSalt)
        if err != nil {
                return nil, err
        }

        p.salt = base64Encode(unencodedSalt)
        hash, err := bcrypt(password, p.cost, p.salt)
        if err != nil {
                return nil, err
        }
        p.hash = hash
        return p, err
}

func newFromHash(hashedSecret []byte) (*hashed, error) {
        if len(hashedSecret) < minHashSize {
                return nil, ErrHashTooShort
        }
        p := new(hashed)
        n, err := p.decodeVersion(hashedSecret)
        if err != nil {
                return nil, err
        }
        hashedSecret = hashedSecret[n:]
        n, err = p.decodeCost(hashedSecret)
        if err != nil {
                return nil, err
        }
        hashedSecret = hashedSecret[n:]

        // The "+2" is here because we'll have to append at most 2 '=' to the salt
        // when base64 decoding it in expensiveBlowfishSetup().
        p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
        copy(p.salt, hashedSecret[:encodedSaltSize])

        hashedSecret = hashedSecret[encodedSaltSize:]
        p.hash = make([]byte, len(hashedSecret))
        copy(p.hash, hashedSecret)

        return p, nil
}

func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
        cipherData := make([]byte, len(magicCipherData))
        copy(cipherData, magicCipherData)

        c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
        if err != nil {
                return nil, err
        }

        for i := 0; i < 24; i += 8 {
                for j := 0; j < 64; j++ {
                        c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
                }
        }

        // Bug compatibility with C bcrypt implementations. We only encode 23 of
        // the 24 bytes encrypted.
        hsh := base64Encode(cipherData[:maxCryptedHashSize])
        return hsh, nil
}

func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
        csalt, err := base64Decode(salt)
        if err != nil {
                return nil, err
        }

        // Bug compatibility with C bcrypt implementations. They use the trailing
        // NULL in the key string during expansion.
        // We copy the key to prevent changing the underlying array.
        ckey := append(key[:len(key):len(key)], 0)

        c, err := blowfish.NewSaltedCipher(ckey, csalt)
        if err != nil {
                return nil, err
        }

        var i, rounds uint64
        rounds = 1 << cost
        for i = 0; i < rounds; i++ {
                blowfish.ExpandKey(ckey, c)
                blowfish.ExpandKey(csalt, c)
        }

        return c, nil
}

func (p *hashed) Hash() []byte {
        arr := make([]byte, 60)
        arr[0] = '$'
        arr[1] = p.major
        n := 2
        if p.minor != 0 {
                arr[2] = p.minor
                n = 3
        }
        arr[n] = '$'
        n++
        copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
        n += 2
        arr[n] = '$'
        n++
        copy(arr[n:], p.salt)
        n += encodedSaltSize
        copy(arr[n:], p.hash)
        n += encodedHashSize
        return arr[:n]
}

func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
        if sbytes[0] != '$' {
                return -1, InvalidHashPrefixError(sbytes[0])
        }
        if sbytes[1] > majorVersion {
                return -1, HashVersionTooNewError(sbytes[1])
        }
        p.major = sbytes[1]
        n := 3
        if sbytes[2] != '$' {
                p.minor = sbytes[2]
                n++
        }
        return n, nil
}

// sbytes should begin where decodeVersion left off.
func (p *hashed) decodeCost(sbytes []byte) (int, error) {
        cost, err := strconv.Atoi(string(sbytes[0:2]))
        if err != nil {
                return -1, err
        }
        err = checkCost(cost)
        if err != nil {
                return -1, err
        }
        p.cost = cost
        return 3, nil
}

func (p *hashed) String() string {
        return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
}

func checkCost(cost int) error {
        if cost < MinCost || cost > MaxCost {
                return InvalidCostError(cost)
        }
        return nil
}