SA-MP Forums

Go Back   SA-MP Forums > SA-MP Scripting and Plugins > Plugin Development

Reply
 
Thread Tools Display Modes
Old 25/07/2013, 12:59 PM   #1
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 215
Reputation: 80
Default Bcrypt (Password hash)

Bcrypt for SA-MP

Latest release: v2.2.3 (Jan 31, 2015)


Downloads
Source code
Wiki
Change log

Introduction

Bcrypt is a hash function designed particularly for passwords, which implements an
automatic salt on all passwords, and allows the work factor to be changed as the computers
become more powerful.

Bcrypt is widely recommended, and often considered as the most secure method for hashing passwords. Source

Benefits
  • All passwords are automatically salted.

  • Bcrypt is slow, which makes offline bruteforce attacks very hard (depends on the work factor).

  • The work factor can be increased as the computers become more powerful.

  • The plugin is multi threaded, so the impact on server performance is negligible.

  • Compatible with PHP's password_verify() and password_hash() functions.

Installation

With sampctl

Code:
sampctl package install lassir/bcrypt-samp:v2.2.3
Alternatively
  • Download the latest version of the plugins here.
  • Copy the plugin file and the include file to their appropriate directories

Usage
  • Include the .inc file in your filterscript or gamemode (#include <bcrypt>)

  • Call function bcrypt_check when you would like to verify whether or not user input matches a given
    hash (e.g. on login). Once the verification is done, the defined callback will be called, and the
    result can be acquired by calling function bcrypt_is_equal() in the callback.

  • If you ever change the cost, you may use bcrypt_needs_rehash function to check if the hash in the
    database should be updated. The function returns true if the hash should be rehashes, and false if the
    hash is up-to-date.

Functions
Hash

Function bcrypt_get_hash returns the result from bcrypt_hash, which is a 61-character-long string
(60 + null terminator), which is also defined as constant BCRYPT_HASH_LENGTH.

Below is the output for hashing "Hello World!" three times. The hash is completely unique every time,
because a random salt is used when calculating the hash every time.
Code:
1. $2y$12$33T1WbJGYD9YVKpBShTDsOOlS3248tApLCndjz28n0cyWZR1HYXy6
2. $2y$12$ExnQyld7o8w0QbWmAJgsJuygOwlFlbMITgzuw9g.6jbnscTd5kSK6
3. $2y$12$ivsAFLaGM52oCZnFe/QKBuoJy0osV8UsbJODPBUxeY3XSBhr739Yi
Cost

Cost represents the work factor, which is proportional to the amount of time it takes to calculate a
hash, and thus how secure the hash is. Increasing the cost by one approximately doubles the time
required to calculate the hash. Cost 10-13 should be adequate for most servers. The range of allowed
values for the cost is 4-31.

Example

pawn Code:
#include <a_samp>
#include <bcrypt>

#define BCRYPT_COST 12

forward OnPasswordHashed(playerid);
forward OnPasswordChecked(playerid);

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    switch(dialogid)
    {
        case DIALOG_REGISTRATION:
        {
            bcrypt_hash(inputtext, BCRYPT_COST, "OnPasswordHashed", "d", playerid);
        }

        case DIALOG_LOGIN:
        {
            // Variable hash is expected to contain the hash loaded from the database
            bcrypt_check(inputtext, hash, "OnPasswordChecked", "d", playerid);
        }
    }

    return 1;
}

public OnPasswordHashed(playerid)
{
    new hash[BCRYPT_HASH_LENGTH];
    bcrypt_get_hash(hash);
    printf("Password hashed for player %d: %s", playerid, hash);
    return 1;
}

public OnPasswordChecked(playerid)
{
    new bool:match = bcrypt_is_equal();
    printf("Password checked for %d: %s", playerid, (match) ? ("Match") : ("No match"));
    return 1;
}

Trouble shooting

Problem:
The program canít start because MSVCR120.dll is missing from your computer.

Solution:
Please download and install the 32-bit version of Visual C++ Redistributable Packages for Visual Studio 2013 (vcredist_x86.exe).

Credits
  • Johnson_boy
  • maddinat0r

Last edited by Johnson_boy; 01/08/2020 at 03:38 PM.
Johnson_boy is offline   Reply With Quote
Old 25/07/2013, 01:02 PM   #2
Poket-Jony
Little Clucker
 
Poket-Jony's Avatar
 
Join Date: Mar 2012
Location: Localhost
Posts: 1
Reputation: 0
Default AW: Bcrypt

Nice, i test it
Poket-Jony is offline   Reply With Quote
Old 25/07/2013, 01:17 PM   #3
Djole1337
Gangsta
 
Join Date: Apr 2012
Posts: 873
Reputation: 303
Default Re: Bcrypt

Finally someone made it.
Good job.
Djole1337 is offline   Reply With Quote
Old 25/07/2013, 01:52 PM   #4
roschti
Little Clucker
 
Join Date: Oct 2007
Posts: 15
Reputation: 0
Default Re: Bcrypt

I looked @ your source and as far as I can say, this could crash your server!
Your call to the callbacks are done in a seperated thread and this can corrupt the amx-stack!

Look @ http://forum.sa-mp.com/showpost.php?...4&postcount=12
roschti is offline   Reply With Quote
Old 25/07/2013, 02:24 PM   #5
BigETI
Banned
 
Join Date: Mar 2010
Location: Germany
Posts: 1,046
Reputation: 359
Default AW: Bcrypt

If you want to use multiple threads, please make it atleast thread safe. As above roschti posted it can corrupt your AMX stack.

Also I don't think it's healthy to create always a new thread, once the native function has been called.
BigETI is offline   Reply With Quote
Old 25/07/2013, 02:30 PM   #6
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 215
Reputation: 80
Default Re: Bcrypt

Thanks for the feedback guys. I've put a warning of this issue to the main post while the issue still persists.

I'll have a look at the mysql plugins and attempt to fix it.
Johnson_boy is offline   Reply With Quote
Old 25/07/2013, 04:33 PM   #7
Johnson_boy
Huge Clucker
 
Join Date: Mar 2011
Location: Finland
Posts: 215
Reputation: 80
Default Re: Bcrypt

I think I got it working. Could you check processtick branch (https://github.com/LassiR/bcrypt-samp/tree/processtick) and see if it looks alright? If it does, I'll merge it to master.
Johnson_boy is offline   Reply With Quote
Old 25/07/2013, 05:54 PM   #8
Edvin
Gangsta
 
Edvin's Avatar
 
Join Date: Dec 2010
Posts: 856
Reputation: 71
Default Re: Bcrypt

Great! Now we aren't obligated to improvise salt for whirlpool hashed passwords!. Excellent work!
Edvin is offline   Reply With Quote
Old 25/07/2013, 07:30 PM   #9
Maxips2
Huge Clucker
 
Join Date: Oct 2008
Posts: 410
Reputation: 20
Default Re: Bcrypt

Nice release, might consider switching to this over whirlpool hash.
Maxips2 is offline   Reply With Quote
Old 01/12/2014, 11:51 PM   #10
ProKillerpa
High-roller
 
ProKillerpa's Avatar
 
Join Date: May 2013
Location: Rio Grande do Sul
Posts: 1,200
Reputation: 142
Default Re: Bcrypt

Nice
__________________
Nostalgia ť oque nos resta...
ProKillerpa is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT. The time now is 12:05 PM.


Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.