SA-MP Forums

SA-MP Forums (https://forum.sa-mp.com/index.php)
-   Plugin Development (https://forum.sa-mp.com/forumdisplay.php?f=18)
-   -   [Plugin] Bcrypt (https://forum.sa-mp.com/showthread.php?t=453544)

Johnson_boy 25/07/2013 12:59 PM

Bcrypt (Password hash)
 
Bcrypt for SA-MP

Latest release: v2.2.3 (Jan 31, 2015)


Downloads
Source code
Wiki
Change log

Introduction

Bcrypt is a hash function designed particularly for passwords, which implements an
automatic salt on all passwords, and allows the work factor to be changed as the computers
become more powerful.

Bcrypt is widely recommended, and often considered as the most secure method for hashing passwords. Source

Benefits
  • All passwords are automatically salted.

  • Bcrypt is slow, which makes offline bruteforce attacks very hard (depends on the work factor).

  • The work factor can be increased as the computers become more powerful.

  • The plugin is multi threaded, so the impact on server performance is negligible.

  • Compatible with PHP's password_verify() and password_hash() functions.

Installation

With sampctl

Code:

sampctl package install lassir/bcrypt-samp:v2.2.3
Alternatively
  • Download the latest version of the plugins here.
  • Copy the plugin file and the include file to their appropriate directories

Usage
  • Include the .inc file in your filterscript or gamemode (#include <bcrypt>)

  • Call function bcrypt_check when you would like to verify whether or not user input matches a given
    hash (e.g. on login). Once the verification is done, the defined callback will be called, and the
    result can be acquired by calling function bcrypt_is_equal() in the callback.

  • If you ever change the cost, you may use bcrypt_needs_rehash function to check if the hash in the
    database should be updated. The function returns true if the hash should be rehashes, and false if the
    hash is up-to-date.

Functions
Hash

Function bcrypt_get_hash returns the result from bcrypt_hash, which is a 61-character-long string
(60 + null terminator), which is also defined as constant BCRYPT_HASH_LENGTH.

Below is the output for hashing "Hello World!" three times. The hash is completely unique every time,
because a random salt is used when calculating the hash every time.
Code:

1. $2y$12$33T1WbJGYD9YVKpBShTDsOOlS3248tApLCndjz28n0cyWZR1HYXy6
2. $2y$12$ExnQyld7o8w0QbWmAJgsJuygOwlFlbMITgzuw9g.6jbnscTd5kSK6
3. $2y$12$ivsAFLaGM52oCZnFe/QKBuoJy0osV8UsbJODPBUxeY3XSBhr739Yi

Cost

Cost represents the work factor, which is proportional to the amount of time it takes to calculate a
hash, and thus how secure the hash is. Increasing the cost by one approximately doubles the time
required to calculate the hash. Cost 10-13 should be adequate for most servers. The range of allowed
values for the cost is 4-31.

Example

pawn Code:
#include <a_samp>
#include <bcrypt>

#define BCRYPT_COST 12

forward OnPasswordHashed(playerid);
forward OnPasswordChecked(playerid);

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    switch(dialogid)
    {
        case DIALOG_REGISTRATION:
        {
            bcrypt_hash(inputtext, BCRYPT_COST, "OnPasswordHashed", "d", playerid);
        }

        case DIALOG_LOGIN:
        {
            // Variable hash is expected to contain the hash loaded from the database
            bcrypt_check(inputtext, hash, "OnPasswordChecked", "d", playerid);
        }
    }

    return 1;
}

public OnPasswordHashed(playerid)
{
    new hash[BCRYPT_HASH_LENGTH];
    bcrypt_get_hash(hash);
    printf("Password hashed for player %d: %s", playerid, hash);
    return 1;
}

public OnPasswordChecked(playerid)
{
    new bool:match = bcrypt_is_equal();
    printf("Password checked for %d: %s", playerid, (match) ? ("Match") : ("No match"));
    return 1;
}

Trouble shooting

Problem:
The program canít start because MSVCR120.dll is missing from your computer.

Solution:
Please download and install the 32-bit version of Visual C++ Redistributable Packages for Visual Studio 2013 (vcredist_x86.exe).

Credits
  • Johnson_boy
  • maddinat0r

Poket-Jony 25/07/2013 01:02 PM

AW: Bcrypt
 
Nice, i test it

Djole1337 25/07/2013 01:17 PM

Re: Bcrypt
 
Finally someone made it.
Good job.

roschti 25/07/2013 01:52 PM

Re: Bcrypt
 
I looked @ your source and as far as I can say, this could crash your server!
Your call to the callbacks are done in a seperated thread and this can corrupt the amx-stack!

Look @ http://forum.sa-mp.com/showpost.php?...4&postcount=12

BigETI 25/07/2013 02:24 PM

AW: Bcrypt
 
If you want to use multiple threads, please make it atleast thread safe. As above roschti posted it can corrupt your AMX stack.

Also I don't think it's healthy to create always a new thread, once the native function has been called.

Johnson_boy 25/07/2013 02:30 PM

Re: Bcrypt
 
Thanks for the feedback guys. I've put a warning of this issue to the main post while the issue still persists.

I'll have a look at the mysql plugins and attempt to fix it.

Johnson_boy 25/07/2013 04:33 PM

Re: Bcrypt
 
I think I got it working. Could you check processtick branch (https://github.com/LassiR/bcrypt-samp/tree/processtick) and see if it looks alright? If it does, I'll merge it to master.

Edvin 25/07/2013 05:54 PM

Re: Bcrypt
 
Great! Now we aren't obligated to improvise salt for whirlpool hashed passwords!. Excellent work!

Maxips2 25/07/2013 07:30 PM

Re: Bcrypt
 
Nice release, might consider switching to this over whirlpool hash.

BigETI 25/07/2013 08:37 PM

AW: Bcrypt
 
Ouch STL containers are not really thread safe. I've experimented with threads (from WINAPI) once, and it just accessed bad memory while the first thread was inserting information and the second one attempted to read it.

Also you are creating threads after the native function gets called. Realize your server attempts to call this native several times, and you are creating too many threads at once (again this can crash your application)


All times are GMT. The time now is 07:06 AM.

Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.