PerlMonks
Crypt::Eksblowfish::Bcrypt doesn't support 2y?

by dallase (Initiate)
on Dec 15, 2014 at 19:35 UTC

dallase has asked for the wisdom of the Perl Monks concerning the following question:

The Laravel framework (PHP) creates user passwords in the following bcrypt format

$2y$10$(salt)(hash)

I'm trying to write a program in Perl that can validate the Laravel password that is stored in the database, but it doesn't appear Crypt::Eksblowfish::Bcrypt supports the '2y' bcrypt format, while '2a' works just fine.

$ perl bcrypt_2a
Plain password is bcrypt as $2a$10$q4VIJI0lTJBh4O6Kfo/f/uwvN4CQWPbFutc8hO8bKmn3Rz6qV4xcS
Valid Password password
$ perl bcrypt_2y
bad bcrypt settings at bcrypt_2y line 22
The files bcrypt_2a and bcrypt_2y are below in case anyone has any great idea here!
===========================
#!/usr/bin/perl
# File: bcrypt_2a
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt;
use Crypt::Random;

my $password  = 'password';
my $encrypted = encrypt_password($password);
print "Plain $password is bcrypt as $encrypted\n";
if (check_password($password, $encrypted)) {
    print "Valid Password $password\n";
}

# Hash a password with a $2a$, cost-10 setting. A salt may be passed in
# (used when re-hashing for verification) or is generated fresh.
sub encrypt_password {
    my $password = shift;
    my $salt     = shift || salt();
    my $settings = '$2a$10$' . $salt;
    return Crypt::Eksblowfish::Bcrypt::bcrypt($password, $settings);
}

sub check_password {
    my ($plain_password, $hashed_password) = @_;
    # Regex to extract the salt
    if ($hashed_password =~ m!^\$2a\$10\$([A-Za-z0-9+\\\.\/]{22})!) {
        # Use a letter by letter match rather than a complete string match
        # to avoid timing attacks
        my $match = encrypt_password($plain_password, $1);
        my $bad = 0;
        for (my $n = 0; $n < length $match; $n++) {
            $bad++ if substr($match, $n, 1) ne substr($hashed_password, $n, 1);
        }
        return $bad == 0;
    } else {
        return 0;
    }
}

# Return a random salt (16 random bytes, bcrypt-base64 encoded to 22 chars)
sub salt {
    return Crypt::Eksblowfish::Bcrypt::en_base64(
        Crypt::Random::makerandom_octet(Length => 16));
}

===========================
#!/usr/bin/perl
# File: bcrypt_2y
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt;
use Crypt::Random;

my $password  = 'password';
my $encrypted = encrypt_password($password);
# from another program, a bcrypt 2y of 'password' =
# '$2y$10$iG2fZoSKzWUVn65cMDGL0uG8sWvy0G0G2Z/1Fll7zcBvEIOvn8qLG';
print "Plain $password is bcrypt as $encrypted\n";
if (check_password($password, $encrypted)) {
    print "Valid Password $password\n";
}

# Same as bcrypt_2a, but builds a $2y$ settings string; this is the call
# that dies with "bad bcrypt settings" because the module only parses $2a$.
sub encrypt_password {
    my $password = shift;
    my $salt     = shift || salt();
    my $settings = '$2y$10$' . $salt;
    return Crypt::Eksblowfish::Bcrypt::bcrypt($password, $settings);
}

sub check_password {
    my ($plain_password, $hashed_password) = @_;
    # Regex to extract the salt
    if ($hashed_password =~ m!^\$2y\$10\$([A-Za-z0-9+\\\.\/]{22})!) {
        # Use a letter by letter match rather than a complete string match
        # to avoid timing attacks
        my $match = encrypt_password($plain_password, $1);
        my $bad = 0;
        for (my $n = 0; $n < length $match; $n++) {
            $bad++ if substr($match, $n, 1) ne substr($hashed_password, $n, 1);
        }
        return $bad == 0;
    } else {
        return 0;
    }
}

# Return a random salt (16 random bytes, bcrypt-base64 encoded to 22 chars)
sub salt {
    return Crypt::Eksblowfish::Bcrypt::en_base64(
        Crypt::Random::makerandom_octet(Length => 16));
}

Re: Crypt::Eksblowfish::Bcrypt doesn't support 2y?
by Anonymous Monk on Dec 15, 2014 at 20:50 UTC
    Isn't 2y just a fix of a crypt_blowfish's bug? Just use 2a. Crypt::Eskblowfish never had this bug, IIRC.
      UPDATED:
      I edited Bcrypt.pm as below, and I can confirm this allows me to verify $2a$ or $2y$ bcrypt passwords.
      =================
      # diff -Naur /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-mult +i/Crypt/Eksblowfish/Bcrypt.pm.orig /usr/lib64/perl5/site_perl/5.8.8/x +86_64-linux-thread-multi/Crypt/Eksblowfish/Bcrypt.pm --- /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/Crypt/E +ksblowfish/Bcrypt.pm.orig 2014-12-16 05:50:54.000000000 +0000 +++ /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/Crypt/E +ksblowfish/Bcrypt.pm 2014-12-16 05:23:46.000000000 +0000 @@ -153,7 +153,7 @@ sub bcrypt($$) { my($password, $settings) = @_; croak "bad bcrypt settings" - unless $settings =~ m#\A\$2(a?)\$([0-9]{2})\$ + unless $settings =~ m#\A\$2([ay]?)\$([0-9]{2})\$ ([./A-Za-z0-9]{22})#x; my($key_nul, $cost, $salt_base64) = ($1, $2, $3); my $hash = bcrypt_hash({
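      Review bot: the hunk widens the accepted prefix to `\$2([ay]?)` but leaves `my($key_nul, $cost, $salt_base64) = ($1, $2, $3);` unchanged, so for a `$2y$` settings string `$key_nul` now receives the letter `y` where the code previously only ever saw `a` or the empty string; this is only correct if the `bcrypt_hash` call that follows uses `$key_nul` purely as a true/false flag and the returned string reuses the captured letter, so check both before relying on the patch. Since the edited file lives under the system `site_perl` tree, the change will also be silently lost on the next module upgrade; a small wrapper that rewrites a leading `$2y$` to `$2a$` before calling `bcrypt` and puts the letter back for the comparison avoids carrying a local patch at all.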

      =============

      So assuming I pull a $2y$10$ hashed password from the database, I can just s/^\$2y\$/\$2a\$/ and verify it using Crypt::Eksblowfish::Bcrypt, is that what I'm hearing?

      If that is the case, I suppose I can hack up the module itself and allow $2a or $2y without throwing an error.

        dallase, thx for solving the same problem here after an upgrade of Moodle.
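As an added example (not code from the thread, and not part of Crypt::Eksblowfish::Bcrypt itself), here is the approach the replies converge on, done at the call site instead of patching the installed module: the `$2y$` marker only identifies output of the bug-fixed crypt_blowfish, and the hash computation is the same as a correct `$2a$`, so the prefix is swapped for the module's benefit and restored for the comparison. It goes slightly beyond the thread by accepting either `$2a$` or `$2y$` at any two-digit cost. The function names `check_password` and `constant_time_eq` are chosen here; the hash constant is the `$2y$` hash of 'password' quoted in the question.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: verify a Laravel-style
# $2y$ bcrypt hash with Crypt::Eksblowfish::Bcrypt without editing the module.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt);

# $2y$ (PHP/Laravel) and $2a$ use the same algorithm; 2y only marks a hash
# produced by the fixed crypt_blowfish, so the prefix can be mapped to 2a
# for the module and put back before comparing.
sub check_password {
    my ($plain, $stored) = @_;

    # Accept 2a or 2y: variant letter, two-digit cost, 22-char salt, 31-char hash.
    return 0 unless $stored =~ m{\A\$2([ay])\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z};
    my ($variant, $cost, $salt) = ($1, $2, $3);

    # Crypt::Eksblowfish::Bcrypt only parses $2a$ settings strings.
    my $settings   = '$2a$' . $cost . '$' . $salt;
    my $recomputed = bcrypt($plain, $settings);

    # Restore the original variant letter so the full strings are comparable.
    substr($recomputed, 2, 1) = $variant;

    return constant_time_eq($recomputed, $stored);
}

# Compare two strings without returning early at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# The $2y$ hash of 'password' quoted in the question (unwrapped).
my $laravel_hash = '$2y$10$iG2fZoSKzWUVn65cMDGL0uG8sWvy0G0G2Z/1Fll7zcBvEIOvn8qLG';

print check_password('password', $laravel_hash) ? "valid\n" : "invalid\n";
print check_password('wrong-pw', $laravel_hash) ? "valid\n" : "invalid\n";
```

Because the variant letter is captured and restored rather than blindly substituted, a stored hash that is neither `$2a$` nor `$2y$` is rejected by the regex instead of being rewritten, and the module never sees a settings string it cannot parse.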

Re: Crypt::Eksblowfish::Bcrypt doesn't support 2y?
by Mr. Muskrat (Canon) on Dec 16, 2014 at 18:30 UTC
