SA-MP Forums

Old 25/07/2013, 12:59 PM   #1
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 220
Reputation: 78
Bcrypt (Password hash)

Bcrypt for SA-MP

Latest release: v2.2.3 (2014-11-24)


Downloads
Source code
Wiki
Change log

Introduction

Bcrypt is a hash function designed particularly for passwords, which implements an
automatic salt on all passwords, and allows the work factor to be changed as computers
become more powerful.

Bcrypt is widely recommended, and often considered the most secure method for hashing passwords. Source

Benefits
  • All passwords are automatically salted.

  • Bcrypt is slow, which makes offline brute-force attacks very hard (depends on the work factor).

  • The work factor can be increased as computers become more powerful.

  • The plugin is multi-threaded, so the impact on server performance is negligible.

  • Compatible with PHP's password_verify() and password_hash() functions.

Usage
  • Copy the plugin file and the include file to their appropriate directories

  • Include the .inc file in your filterscript or gamemode (#include <bcrypt>)

  • Call function bcrypt_check when you would like to verify whether or not user input matches a given
    hash (e.g. on login). Once the verification is done, the defined callback will be called, and the
    result can be acquired by calling function bcrypt_is_equal() in the callback.

  • If you ever change the cost, you may use the bcrypt_needs_rehash function to check if the hash in the
    database should be updated. The function returns true if the hash should be rehashed, and false if the
    hash is up-to-date.

Functions
Hash

Function bcrypt_get_hash returns the result from bcrypt_hash, which is a 61-character-long string
(60 + null terminator); this length is also defined as the constant BCRYPT_HASH_LENGTH.

Below is the output for hashing "Hello World!" three times. The hash is completely unique every time,
because a random salt is used when calculating the hash every time.
Code:
1. $2y$12$33T1WbJGYD9YVKpBShTDsOOlS3248tApLCndjz28n0cyWZR1HYXy6
2. $2y$12$ExnQyld7o8w0QbWmAJgsJuygOwlFlbMITgzuw9g.6jbnscTd5kSK6
3. $2y$12$ivsAFLaGM52oCZnFe/QKBuoJy0osV8UsbJODPBUxeY3XSBhr739Yi
Cost

Cost represents the work factor, which is proportional to the amount of time it takes to calculate a
hash, and thus how secure the hash is. Increasing the cost by one approximately doubles the time
required to calculate the hash. Cost 10-13 should be adequate for most servers. The range of allowed
values for the cost is 4-31.
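Added example (C++, not the plugin's own code): it parses the 60-character hash format shown above into its version prefix, cost, salt and digest, and uses that for a cost check modelled on bcrypt_needs_rehash. The assumption is that a rehash is needed exactly when the stored cost differs from the configured one, or when the stored string is not a bcrypt hash at all (e.g. a legacy Whirlpool digest).

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>

// 60 characters plus the terminating NUL, as the include defines it.
const int BCRYPT_HASH_LENGTH = 61;

struct BcryptFields {
    bool valid;
    std::string prefix;  // "2a", "2b" or "2y" ("2y" is what the output above uses)
    int cost;            // work factor, 4..31
    std::string salt;    // 22 base64 characters (128-bit salt)
    std::string digest;  // 31 base64 characters (184-bit result)
};

// Split "$2y$12$<22 salt chars><31 digest chars>" into fields, rejecting any
// string that does not have the exact 60-character layout.
BcryptFields parse_bcrypt(const std::string& hash) {
    BcryptFields f{false, "", 0, "", ""};
    if (hash.size() != BCRYPT_HASH_LENGTH - 1) return f;
    if (hash[0] != '$' || hash[3] != '$' || hash[6] != '$') return f;
    f.prefix = hash.substr(1, 2);
    if (f.prefix != "2a" && f.prefix != "2b" && f.prefix != "2y") return f;
    if (!std::isdigit(static_cast<unsigned char>(hash[4])) ||
        !std::isdigit(static_cast<unsigned char>(hash[5]))) return f;
    f.cost = std::atoi(hash.substr(4, 2).c_str());
    if (f.cost < 4 || f.cost > 31) return f;
    f.salt = hash.substr(7, 22);
    f.digest = hash.substr(29, 31);
    f.valid = true;
    return f;
}

// Modelled on bcrypt_needs_rehash (assumption: it compares the stored cost with
// the configured one). A string that is not a bcrypt hash also reports true,
// so a login path can migrate legacy hashes the first time they verify.
bool needs_rehash(const std::string& stored_hash, int configured_cost) {
    BcryptFields f = parse_bcrypt(stored_hash);
    return !f.valid || f.cost != configured_cost;
}

int main() {
    // Hash 1 from the output listed above.
    const char* h = "$2y$12$33T1WbJGYD9YVKpBShTDsOOlS3248tApLCndjz28n0cyWZR1HYXy6";
    BcryptFields f = parse_bcrypt(h);
    std::printf("valid=%d cost=%d salt=%s rehash_at_13=%d\n",
                f.valid, f.cost, f.salt.c_str(), needs_rehash(h, 13));
    return 0;
}
```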

Example

Code:
#include <a_samp>
#include <bcrypt>

#define BCRYPT_COST 12

// Dialog ids: assumed values for this example, use your script's own
#define DIALOG_REGISTRATION 1
#define DIALOG_LOGIN 2

forward OnPasswordHashed(playerid);
forward OnPasswordChecked(playerid);

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    switch(dialogid)
    {
        case DIALOG_REGISTRATION:
        {
            bcrypt_hash(inputtext, BCRYPT_COST, "OnPasswordHashed", "d", playerid);
        }

        case DIALOG_LOGIN:
        {
            // Variable hash is expected to contain the hash loaded from the database
            bcrypt_check(inputtext, hash, "OnPasswordChecked", "d", playerid);
        }
    }

    return 1;
}

public OnPasswordHashed(playerid)
{
    new hash[BCRYPT_HASH_LENGTH];
    bcrypt_get_hash(hash);

    printf("Password hashed for player %d: %s", playerid, hash);
    return 1;
}

public OnPasswordChecked(playerid)
{
    new bool:match = bcrypt_is_equal();

    printf("Password checked for %d: %s", playerid, (match) ? ("Match") : ("No match"));
    return 1;
}

Troubleshooting

Problem:
The program can't start because MSVCR120.dll is missing from your computer.

Solution:
Please download and install the 32-bit version of Visual C++ Redistributable Packages for Visual Studio 2013 (vcredist_x86.exe).

Credits
  • Johnson_boy
  • maddinat0r (offering valuable advice)

Last edited by Johnson_boy; 02/12/2014 at 01:48 AM.
Old 25/07/2013, 01:02 PM   #2
Poket-Jony
Little Clucker
 
 
Join Date: Mar 2012
Location: Localhost
Posts: 16
Reputation: 0
Re: Bcrypt

Nice, I test it
Old 25/07/2013, 01:17 PM   #3
Djole1337
Gangsta
 
Join Date: Apr 2012
Posts: 904
Reputation: 303
Re: Bcrypt

Finally someone made it.
Good job.
Old 25/07/2013, 01:52 PM   #4
roschti
Little Clucker
 
Join Date: Oct 2007
Posts: 24
Reputation: 0
Re: Bcrypt

I looked @ your source and as far as I can say, this could crash your server!
Your calls to the callbacks are done in a separate thread and this can corrupt the AMX stack!

Look @ http://forum.sa-mp.com/showpost.php?...4&postcount=12
Old 25/07/2013, 02:24 PM   #5
BigETI
High-roller
 
 
Join Date: Mar 2010
Location: Germany
Posts: 1,000
Reputation: 322
Re: Bcrypt

If you want to use multiple threads, please make it at least thread-safe. As roschti posted above, it can corrupt your AMX stack.

Also I don't think it's healthy to always create a new thread once the native function has been called.
Old 25/07/2013, 02:25 PM   #6
Y_Less
Beta Tester
 
 
Join Date: Jun 2008
Location: 629 - git.io/Y
Posts: 14,984
Reputation: 3150
Re: Bcrypt

I concur with roschti. You need to pass the data back to the main thread and call the callbacks from there. Have a look at how the SQL plugins do this, generally using ProcessTick to poll a queue of data coming from other threads.

Other than that, I'm very happy to see this finally in a plugin!
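The hand-off roschti, BigETI and Y_Less describe, as an added C++ sketch that is not the plugin's code: worker threads push finished results into a locked queue and the main thread drains that queue from ProcessTick, so AMX callbacks only ever run on the thread that owns the AMX stack. Result, ResultQueue and run_checks are assumed names, and the bcrypt compare itself is replaced by a stub.

```cpp
#include <mutex>
#include <queue>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// One finished job, reduced to what the Pawn callback would read.
struct Result {
    std::string callback;  // e.g. "OnPasswordChecked"
    int playerid;
    bool match;            // what bcrypt_is_equal() would then return
};

class ResultQueue {
public:
    // Worker-thread side: only the queue is touched, under the lock; never the AMX.
    void push(Result r) {
        std::lock_guard<std::mutex> lock(m_);
        pending_.push(std::move(r));
    }
    // Main-thread side, called once per server tick from ProcessTick(): drain what
    // finished and fire the callbacks here, on the only thread that may run AMX code.
    template <class Invoke>
    int process_tick(Invoke invoke) {
        std::queue<Result> ready;
        {
            std::lock_guard<std::mutex> lock(m_);
            std::swap(ready, pending_);  // hold the lock only for the swap
        }
        int fired = 0;
        for (; !ready.empty(); ready.pop(), ++fired) invoke(ready.front());
        return fired;  // number of callbacks delivered this tick
    }
private:
    std::mutex m_;
    std::queue<Result> pending_;
};

// Starts `jobs` workers that each produce a result (standing in for the slow bcrypt
// compare), waits for them, then drains the queue the way ProcessTick would.
int run_checks(int jobs) {
    ResultQueue rq;
    std::vector<std::thread> workers;
    for (int i = 0; i < jobs; ++i)
        workers.emplace_back([&rq, i] { rq.push(Result{"OnPasswordChecked", i, i % 2 == 0}); });
    for (std::thread& t : workers) t.join();
    return rq.process_tick([](const Result&) { /* amx_Exec(...) would go here */ });
}
```

In the real plugin the workers are not joined; ProcessTick simply polls the queue every tick and delivers whatever has completed since the last one.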
Old 25/07/2013, 02:30 PM   #7
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 220
Reputation: 78
Re: Bcrypt

Thanks for the feedback guys. I've put a warning about this issue in the main post while the issue still persists.

I'll have a look at the mysql plugins and attempt to fix it.
Old 25/07/2013, 04:33 PM   #8
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 220
Reputation: 78
Re: Bcrypt

I think I got it working. Could you check processtick branch (https://github.com/LassiR/bcrypt-samp/tree/processtick) and see if it looks alright? If it does, I'll merge it to master.
Old 25/07/2013, 05:54 PM   #9
Edvin
Gangsta
 
 
Join Date: Dec 2010
Posts: 868
Reputation: 71
Re: Bcrypt

Great! Now we aren't obligated to improvise salt for Whirlpool-hashed passwords! Excellent work!
Old 25/07/2013, 07:30 PM   #10
Maxips2
Huge Clucker
 
Join Date: Oct 2008
Posts: 411
Reputation: 20
Re: Bcrypt

Nice release, might consider switching to this over whirlpool hash.