int store_password(char *password, FILE *output) {
if (NULL != output) {
char salt[BCRYPT_HASHSIZE];
char hash[BCRYPT_HASHSIZE];
bcrypt_gensalt(12, salt);
bcrypt_hashpw(password, salt, hash);
output_to_stream(hash, output);
// unsigned char hash[crypto_hash_BYTES];
// // Invoke NaCl hash function (based on sha512) to hash the pw securely
// crypto_hash(hash, (unsigned char *) password, strlen(password));
//
// // Determine how long the hashed version is
// // and how long the base 64 version will be
// size_t hash_length = strlen((char *) hash);
// int encoded_length = Base64encode_len(hash_length);
//
// // Allocate a buffer large enough for the Base 64 version of the hash
// char *encoded_hash = (char *) calloc(encoded_length, sizeof(char));
// Base64encode(encoded_hash, (char *) hash, hash_length);
//
// output_to_stream(encoded_hash, output);
return 0;
}
return 1;
}
int main()
{
clock_t before;
clock_t after;
char salt[BCRYPT_HASHSIZE];
char hash[BCRYPT_HASHSIZE];
const char pass[] = "hi,mom";
const char hash1[] = "$2a$10$VEVmGHy4F4XQMJ3eOZJAUeb.MedU0W10pTPCuf53eHdKJPiSE8sMK";
const char hash2[] = "$2a$10$3F0BVk5t8/aoS.3ddaB3l.fxg5qvafQ9NybxcpXLzMeAt.nVWn.NO";
assert(bcrypt_gensalt(12, salt) == 0);
printf("Generated salt: %s\n", salt);
before = clock();
assert(bcrypt_hashpw("testtesttest", salt, hash) == 0);
after = clock();
printf("Hashed password: %s\n", hash);
printf("Time taken: %f seconds\n",
(float)(after - before) / CLOCKS_PER_SEC);
assert(bcrypt_hashpw(pass, hash1, hash) == 0);
printf("First hash check: %s\n", (strcmp(hash1, hash) == 0)?"OK":"FAIL");
assert(bcrypt_hashpw(pass, hash2, hash) == 0);
printf("Second hash check: %s\n", (strcmp(hash2, hash) == 0)?"OK":"FAIL");
return 0;
}
int
gen_salt(char *salt, size_t saltlen)
{
/* 6 is a rounds value like from localcipher option of login.conf */
strlcpy(salt, bcrypt_gensalt(6), saltlen);
return 1;
}
static void bcrypt_hash(const char *password, int cost, char* hash)
{
char salt[16];
if(!RAND_bytes(salt, 16))
; //we've got a problem
char* gen = bcrypt_gensalt("$2y$", cost, salt, 16);
strcpy(hash, bcrypt(password, gen));
}
// bcrypt.salt( logRounds )
static int luabcrypt_salt( lua_State *L )
{
u_int8_t log_rounds = luaL_checkinteger( L, 1 );
// because the OpenBSD implementation says so
char salt[ 7 + ( BCRYPT_MAXSALT * 4 + 2 ) / 3 + 1 ];
bcrypt_gensalt( log_rounds, salt );
lua_pushstring( L, salt );
return 1;
}
void
print_passwd(char *string, int operation, void *extra)
{
char msalt[3], *salt, *cryptstr;
login_cap_t *lc;
int pwd_gensalt(char *, int, login_cap_t *, char);
void to64(char *, u_int32_t, int n);
switch(operation) {
case DO_MAKEKEY:
/*
* makekey mode: parse string into separate DES key and salt.
*/
if (strlen(string) != 10) {
/* To be compatible... */
errx(1, "%s", strerror(EFTYPE));
}
strlcpy(msalt, &string[8], sizeof msalt);
salt = msalt;
break;
case DO_MD5:
strlcpy(buffer, "$1$", sizeof buffer);
to64(&buffer[3], arc4random(), 4);
to64(&buffer[7], arc4random(), 4);
strlcpy(buffer + 11, "$", sizeof buffer - 11);
salt = buffer;
break;
case DO_BLF:
strlcpy(buffer, bcrypt_gensalt(*(int *)extra), _PASSWORD_LEN);
salt = buffer;
break;
case DO_DES:
salt = extra;
break;
default:
if ((lc = login_getclass(extra)) == NULL)
errx(1, "unable to get login class `%s'",
extra ? (char *)extra : "default");
if (!pwd_gensalt(buffer, _PASSWORD_LEN, lc, 'l'))
errx(1, "can't generate salt");
salt = buffer;
break;
}
if ((cryptstr = crypt(string, salt)) == NULL)
errx(1, "crypt failed");
fputs(cryptstr, stdout);
}
static int bcrypt_encrypt(
const struct berval *scheme,
const struct berval *passwd,
struct berval *msg,
const char **text)
{
char salt[BCRYPT_HASHSIZE] = {0};
char hash[BCRYPT_HASHSIZE] = {0};
int rc;
int i = 0;
rc = bcrypt_gensalt(BCRYPT_ITERATION, salt);
#ifdef SLAPD_BCRYPT_DEBUG
printf("DEBUG bcrypt_encrypt()\n");
if(rc != 0) {
printf("bcrypt_gensalt error %d\n", rc);
} else {
printf("bcrypt_gensalt OK %d\n", rc);
}
printf("Salt: ");
for(; i < BCRYPT_HASHSIZE; i++) {
printf("%c", salt[i]);
}
printf("\n");
#endif
if(rc != 0) return LUTIL_PASSWD_ERR;
rc = bcrypt_hashpw(passwd->bv_val, salt, hash);
#ifdef SLAPD_BCRYPT_DEBUG
if(rc != 0) {
printf("bcrypt_hashpw error %d\n", rc);
} else {
printf("bcrypt_hashpw OK %d\n", rc);
}
#endif
if(rc != 0) return LUTIL_PASSWD_ERR;
msg->bv_len = asprintf(&msg->bv_val, "%s%s", scheme->bv_val, hash);
#ifdef SLAPD_BCRYPT_DEBUG
printf("bcrypt_encrypt() result: ");
printf("%s%s\n", scheme->bv_val, hash);
#endif
if(msg->bv_len < 0){
return LUTIL_PASSWD_ERR;
}
return LUTIL_PASSWD_OK;
}
/*ARGSUSED2*/
char *
crypt_gensalt_impl(char *gsbuffer,
size_t gsbufflen,
const char *oldsalt,
const struct passwd *userinfo,
const char **params)
{
int logr = 4; /* Default from pwd_gensalt.c on OpenBSD */
if (params != NULL) {
logr = atoi(params[0]);
}
(void) strlcpy(gsbuffer, bcrypt_gensalt(logr), gsbufflen);
return (gsbuffer);
}
void textadventure::bcrypt::generateSalt(
uvpp::Loop& loop,
int workfactor,
std::function<void (std::string)> callback
) {
loop.doWork(
[workfactor]() {
auto salt = new char[BCRYPT_HASHSIZE];
bcrypt_gensalt(workfactor, salt);
auto str = new std::string(salt);
delete salt;
return str;
},
[callback](void* result) {
auto str = std::unique_ptr<std::string>(
reinterpret_cast<std::string*>(result)
);
callback(*str);
}
);
}
CSString CBCrypt::HashBCrypt(const char* password, int iPrefixCode, int iCost) // static
{
char salt[BCRYPT_HASHSIZE];
char hash[BCRYPT_HASHSIZE];
const char *pcPrefix;
switch (iPrefixCode)
{
default:
case 0: pcPrefix = "$2a$"; break;
case 1: pcPrefix = "$2b$"; break;
case 2: pcPrefix = "$2y$"; break;
case 3: pcPrefix = "$1$"; break;
case 4: pcPrefix = "_"; break;
}
if (bcrypt_gensalt(pcPrefix, iCost, salt) != 0)
return CSString();
if (bcrypt_hashpw(password, salt, hash) != 0)
return CSString();
return CSString(hash);
}
int main(int argc, char *argv[])
{
char salt[BCRYPT_HASHSIZE];
char hash[BCRYPT_HASHSIZE];
int log_rounds = 12;
if (argc != 2 && argc != 3)
{
fprintf(stderr, "usage: %s <plaintext> [<rounds>|<hash>]\n", argv[0]);
exit(EXIT_FAILURE);
}
if (argc == 2 || sscanf(argv[2], "%d", &log_rounds) == 1)
{
bcrypt_gensalt(log_rounds, salt);
bcrypt_hashpw(argv[1], salt, hash);
printf("%s\n", hash);
}
else
{
bcrypt_hashpw(argv[1], argv[2], hash);
printf("Expected: %s\n", argv[2]);
printf(" Actual: %s\n", hash);
if (strcmp(argv[2], hash) == 0)
{
printf("The password matches\n");
}
else
{
printf("The password does NOT match\n");
}
}
return 0;
}
/* Given a logarithmic cost parameter, generates a salt for use with +bc_crypt+.
*/
static VALUE bc_salt(VALUE self, VALUE cost, VALUE seed) {
return rb_str_new2((char *)bcrypt_gensalt(NUM2INT(cost), (u_int8_t *)RSTRING_PTR(seed)));
}
int
main(int argc, char** argv)
{
char salt[_PASSWORD_LEN], tmpl[sizeof("/tmp/htpasswd-XXXXXXXXXX")];
char hash[_PASSWORD_LEN], pass[1024], pass2[1024];
char *line = NULL, *login = NULL, *tok;
int c, fd, loginlen, batch = 0;
FILE *in = NULL, *out = NULL;
const char *file = NULL;
size_t linesize = 0;
ssize_t linelen;
mode_t old_umask;
#ifdef __OpenBSD__
if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
err(1, "pledge");
#endif
while ((c = getopt(argc, argv, "I")) != -1) {
switch (c) {
case 'I':
batch = 1;
break;
default:
usage();
/* NOT REACHED */
break;
}
}
argc -= optind;
argv += optind;
if (batch) {
if (argc == 1)
file = argv[0];
else if (argc > 1)
usage();
#ifdef __OpenBSD__
else if (pledge("stdio", NULL) == -1)
err(1, "pledge");
#endif
if ((linelen = getline(&line, &linesize, stdin)) == -1)
err(1, "cannot read login:password from stdin");
line[linelen-1] = '\0';
if ((tok = strstr(line, ":")) == NULL)
errx(1, "cannot find ':' in input");
*tok++ = '\0';
if ((loginlen = asprintf(&login, "%s:", line)) == -1)
err(1, "asprintf");
if (strlcpy(pass, tok, sizeof(pass)) >= sizeof(pass))
errx(1, "password too long");
} else {
switch (argc) {
case 1:
#ifdef __OpenBSD__
if (pledge("stdio tty", NULL) == -1)
err(1, "pledge");
#endif
if ((loginlen = asprintf(&login, "%s:", argv[0])) == -1)
err(1, "asprintf");
break;
case 2:
file = argv[0];
if ((loginlen = asprintf(&login, "%s:", argv[1])) == -1)
err(1, "asprintf");
break;
default:
usage();
/* NOT REACHED */
break;
}
if (!readpassphrase("Password: "******"unable to read password");
if (!readpassphrase("Retype Password: "******"unable to read password");
}
if (strcmp(pass, pass2) != 0) {
explicit_bzero(pass, sizeof(pass));
explicit_bzero(pass2, sizeof(pass2));
errx(1, "passwords don't match");
}
explicit_bzero(pass2, sizeof(pass2));
}
if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
errx(1, "salt too long");
if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
errx(1, "hash too long");
explicit_bzero(pass, sizeof(pass));
if (file == NULL)
printf("%s%s\n", login, hash);
else {
if ((in = fopen(file, "r+")) == NULL) {
if (errno == ENOENT) {
old_umask = umask(S_IXUSR|
S_IWGRP|S_IRGRP|S_IXGRP|
S_IWOTH|S_IROTH|S_IXOTH);
if ((out = fopen(file, "w")) == NULL)
err(1, "cannot open password file for"
" reading or writing");
umask(old_umask);
} else
err(1, "cannot open password file for"
" reading or writing");
} else
if (flock(fileno(in), LOCK_EX|LOCK_NB) == -1)
errx(1, "cannot lock password file");
/* file already exits, copy content and filter login out */
if (out == NULL) {
strlcpy(tmpl, "/tmp/htpasswd-XXXXXXXXXX", sizeof(tmpl));
if ((fd = mkstemp(tmpl)) == -1)
err(1, "mkstemp");
if ((out = fdopen(fd, "w+")) == NULL)
err(1, "cannot open tempfile");
while ((linelen = getline(&line, &linesize, in))
!= -1) {
if (strncmp(line, login, loginlen) != 0) {
if (fprintf(out, "%s", line) == -1)
errx(1, "cannot write to temp "
"file");
nag(line);
}
}
}
if (fprintf(out, "%s%s\n", login, hash) == -1)
errx(1, "cannot write new password hash");
/* file already exists, overwrite it */
if (in != NULL) {
if (fseek(in, 0, SEEK_SET) == -1)
err(1, "cannot seek in password file");
if (fseek(out, 0, SEEK_SET) == -1)
err(1, "cannot seek in temp file");
if (ftruncate(fileno(in), 0) == -1)
err(1, "cannot truncate password file");
while ((linelen = getline(&line, &linesize, out))
!= -1)
if (fprintf(in, "%s", line) == -1)
errx(1, "cannot write to password "
"file");
if (fclose(in) == EOF)
err(1, "cannot close password file");
}
if (fclose(out) == EOF) {
if (in != NULL)
err(1, "cannot close temp file");
else
err(1, "cannot close password file");
}
if (in != NULL && unlink(tmpl) == -1)
err(1, "cannot delete temp file (%s)", tmpl);
}
if (nagcount >= MAXNAG)
warnx("%d more logins not using bcryt.", nagcount - MAXNAG);
exit(0);
}
int
pwd_gensalt(char *salt, int saltlen, login_cap_t *lc, char type)
{
char *next, *now, *oldnext;
*salt = '\0';
switch (type) {
case 'y':
next = login_getcapstr(lc, "ypcipher", NULL, NULL);
if (next == NULL && (next = strdup(YPCIPHER_DEF)) == NULL) {
warn(NULL);
return 0;
}
break;
case 'l':
default:
next = login_getcapstr(lc, "localcipher", NULL, NULL);
if (next == NULL && (next = strdup(LOCALCIPHER_DEF)) == NULL) {
warn(NULL);
return 0;
}
break;
}
oldnext = next;
now = strsep(&next, ",");
if (!strcmp(now, "old")) {
if (saltlen < 3) {
free(oldnext);
return 0;
}
to64(&salt[0], arc4random(), 2);
salt[2] = '\0';
} else if (!strcmp(now, "newsalt")) {
u_int32_t rounds = 7250;
if (next)
rounds = atol(next);
if (saltlen < 10) {
free(oldnext);
return 0;
}
/* Check rounds, 24 bit is max */
if (rounds < 7250)
rounds = 7250;
else if (rounds > 0xffffff)
rounds = 0xffffff;
salt[0] = _PASSWORD_EFMT1;
to64(&salt[1], (u_int32_t)rounds, 4);
to64(&salt[5], arc4random(), 4);
salt[9] = '\0';
} else if (!strcmp(now, "md5")) {
if (saltlen < 13) { /* $1$8salt$\0 */
free(oldnext);
return 0;
}
strlcpy(salt, "$1$", saltlen);
to64(&salt[3], arc4random(), 4);
to64(&salt[7], arc4random(), 4);
strlcpy(&salt[11], "$", saltlen - 11);
} else if (!strcmp(now, "blowfish")) {
int rounds = 6;
if (next)
rounds = atoi(next);
if (rounds < 4)
rounds = 4;
if (rounds > 31)
rounds = 31;
strlcpy(salt, bcrypt_gensalt(rounds), saltlen);
} else {
warnx("Unknown option %s.", now);
free(oldnext);
return 0;
}
free(oldnext);
return 1;
}
