crypto.bcrypt: fix bcrypt failure for valid pass and hash (fix #19558) (#19569)

vlib/crypto/bcrypt/base64.v

@@ -0,0 +1,97 @@
+module bcrypt
+
+const alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+
+fn char64(c u8) u8 {
+	for i, ch in bcrypt.alphabet {
+		if ch == c {
+			return u8(i)
+		}
+	}
+	return 255
+}
+
+fn base64_decode(data string) []u8 {
+	mut dest_index := 0
+	mut result := []u8{}
+	for src_index := 0; src_index < data.len - 1; src_index += 4 {
+		c1 := char64(data[src_index])
+
+		if src_index + 1 >= data.len {
+			break
+		}
+
+		c2 := char64(data[src_index + 1])
+
+		// Invalid data */
+		if c1 == 255 || c2 == 255 {
+			break
+		}
+
+		result << ((c1 << 2) | ((c2 & 0x30) >> 4))
+		dest_index += 1
+
+		if src_index + 2 >= data.len || dest_index == 16 {
+			break
+		}
+
+		c3 := char64(data[src_index + 2])
+		if c3 == 255 {
+			break
+		}
+
+		result << (((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2))
+		dest_index += 1
+
+		if src_index + 3 >= data.len || dest_index == 16 {
+			break
+		}
+
+		c4 := char64(data[src_index + 3])
+		if c4 == 255 {
+			break
+		}
+
+		result << (((c3 & 0x03) << 6) | c4)
+		dest_index += 1
+
+		if dest_index == 16 {
+			break
+		}
+	}
+
+	return result
+}
+
+fn base64_encode(data []u8) string {
+	mut src_index := 0
+	mut result := []u8{}
+	for src_index < data.len {
+		mut c1 := data[src_index]
+		src_index += 1
+		result << bcrypt.alphabet[c1 >> 2]
+		c1 = (c1 & 0x03) << 4
+		if src_index >= data.len {
+			result << bcrypt.alphabet[c1]
+			break
+		}
+
+		mut c2 := data[src_index]
+		src_index += 1
+		c1 |= (c2 >> 4) & 0x0f
+		result << bcrypt.alphabet[c1]
+		c1 = (c2 & 0x0f) << 2
+		if src_index >= data.len {
+			result << bcrypt.alphabet[c1]
+			break
+		}
+
+		c2 = data[src_index]
+		src_index += 1
+		c1 |= (c2 >> 6) & 0x03
+		result << bcrypt.alphabet[c1]
+		result << bcrypt.alphabet[c2 & 0x3f]
+	}
+
+	return result.bytestr()
+}

vlib/crypto/bcrypt/bcrypt.v

@@ -1,6 +1,5 @@
 module bcrypt
 
-import encoding.base64
 import crypto.rand
 import crypto.blowfish
 
@@ -55,7 +54,6 @@ pub fn compare_hash_and_password(password []u8, hashed_password []u8) ! {
 	p.salt << `=`
 	p.salt << `=`
 	other_hash := bcrypt(password, p.cost, p.salt) or { return error('err') }
-
 	mut other_p := Hashed{
 		hash: other_hash
 		salt: p.salt
@@ -91,7 +89,7 @@ fn new_from_password(password []u8, cost int) !&Hashed {
 	p.cost = cost_
 
 	salt := generate_salt().bytes()
-	p.salt = base64.encode(salt).bytes()
+	p.salt = base64_encode(salt).bytes()
 	hash := bcrypt(password, p.cost, p.salt) or { return err }
 	p.hash = hash
 	return p
@@ -119,9 +117,7 @@ fn new_from_hash(hashed_secret []u8) !&Hashed {
 
 // bcrypt hashing passwords.
 fn bcrypt(password []u8, cost int, salt []u8) ![]u8 {
-	mut cipher_data := []u8{len: 72 - bcrypt.magic_cipher_data.len, init: 0}
-	cipher_data << bcrypt.magic_cipher_data
-
+	mut cipher_data := bcrypt.magic_cipher_data.clone()
 	mut bf := expensive_blowfish_setup(password, u32(cost), salt) or { return err }
 
 	for i := 0; i < 24; i += 8 {
@@ -129,14 +125,13 @@ fn bcrypt(password []u8, cost int, salt []u8) ![]u8 {
 			bf.encrypt(mut cipher_data[i..i + 8], cipher_data[i..i + 8])
 		}
 	}
-
-	hash := base64.encode(cipher_data[..bcrypt.max_crypted_hash_size])
+	hash := base64_encode(cipher_data[..bcrypt.max_crypted_hash_size])
 	return hash.bytes()
 }
 
 // expensive_blowfish_setup generate a Blowfish cipher, given key, cost and salt.
 fn expensive_blowfish_setup(key []u8, cost u32, salt []u8) !&blowfish.Blowfish {
-	csalt := base64.decode(salt.bytestr())
+	csalt := base64_decode(salt.bytestr())
 	// Bug compatibility with C bcrypt implementations, which use the trailing NULL in the key string during expansion.
 	// See https://cs.opensource.google/go/x/crypto/+/master:bcrypt/bcrypt.go;l=226
 	mut ckey := key.clone()

vlib/crypto/bcrypt/bcrypt_test.v

@@ -1,6 +1,10 @@
 import crypto.bcrypt
 
 fn test_crypto_bcrypt() {
+	bcrypt.compare_hash_and_password('123456'.bytes(), '$2y$13$7j2kgHgrEiI9kYmiXZuiyu3IJFWXEH.sZN6ai82XNCd9SZ7UwdlTW'.bytes()) or {
+		panic(err)
+	}
+
 	hash := bcrypt.generate_from_password('password'.bytes(), 10) or { panic(err) }
 
 	bcrypt.compare_hash_and_password('password'.bytes(), hash.bytes()) or { panic(err) }

vlib/crypto/blowfish/block.v

@@ -52,33 +52,33 @@ pub fn expand_key_with_salt(key []u8, salt []u8, mut bf Blowfish) {
 	mut l := u32(0)
 	mut r := u32(0)
 	for i := 0; i < 18; i += 2 {
-		l ^= get_next_word(key, &j)
-		r ^= get_next_word(key, &j)
+		l ^= get_next_word(salt, &j)
+		r ^= get_next_word(salt, &j)
 		l, r = setup_tables(l, r, mut bf)
 		bf.p[i], bf.p[i + 1] = l, r
 	}
 
 	for i := 0; i < 256; i += 2 {
-		l ^= get_next_word(key, &j)
-		r ^= get_next_word(key, &j)
+		l ^= get_next_word(salt, &j)
+		r ^= get_next_word(salt, &j)
 		l, r = setup_tables(l, r, mut bf)
 		bf.s[0][i], bf.s[0][i + 1] = l, r
 	}
 	for i := 0; i < 256; i += 2 {
-		l ^= get_next_word(key, &j)
-		r ^= get_next_word(key, &j)
+		l ^= get_next_word(salt, &j)
+		r ^= get_next_word(salt, &j)
 		l, r = setup_tables(l, r, mut bf)
 		bf.s[1][i], bf.s[1][i + 1] = l, r
 	}
 	for i := 0; i < 256; i += 2 {
-		l ^= get_next_word(key, &j)
-		r ^= get_next_word(key, &j)
+		l ^= get_next_word(salt, &j)
+		r ^= get_next_word(salt, &j)
 		l, r = setup_tables(l, r, mut bf)
 		bf.s[2][i], bf.s[2][i + 1] = l, r
 	}
 	for i := 0; i < 256; i += 2 {
-		l ^= get_next_word(key, &j)
-		r ^= get_next_word(key, &j)
+		l ^= get_next_word(salt, &j)
+		r ^= get_next_word(salt, &j)
 		l, r = setup_tables(l, r, mut bf)
 		bf.s[3][i], bf.s[3][i + 1] = l, r
 	}