Bcrypt.pas

unit Bcrypt;

{
	Bcrypt is an algorithm designed for hashing passwords, and only passwords.
		i.e. It's not a generic, high-speed, generic hashing algorithm.
			  It's computationally and memory expensive
			  It's limited to passwords of 55 bytes.

	http://static.usenix.org/events/usenix99/provos/provos.pdf

	It uses the Blowfish encryption algorithm, but with an "expensive key setup"
	modification, contained in the function EksBlowfishSetup.

	Ian Boyd  5/3/2012
	Public Domain

	v1.0 - Initial release
}

interface

uses
	Blowfish, Types, Math, ComObj;

type
	UnicodeString = WideString;

	TBCrypt = class(TObject)
	private
		class function TryParseHashString(const hashString: AnsiString;
				out version: string; out Cost: Integer; out Salt{, Hash}: TByteDynArray): Boolean;
	protected
		class function EksBlowfishSetup(const Cost: Integer; salt, key: array of Byte): TBlowfishData;
		class procedure ExpandKey(var state: TBlowfishData; salt, key: array of Byte);
		class function CryptCore(const Cost: Integer; Key: array of Byte; salt: array of Byte): TByteDynArray;

		class function FormatPasswordHashForBsd(const cost: Integer; const salt: array of Byte; const hash: array of Byte): AnsiString;

		class function BsdBase64Encode(const data: array of Byte; BytesToEncode: Integer): AnsiString;
		class function BsdBase64Decode(const s: AnsiString): TByteDynArray;

		class function WideStringToUtf8(const Source: UnicodeString): AnsiString;

		class function SelfTestA: Boolean; //known test vectors
		class function SelfTestB: Boolean; //BSD's base64 encoder/decoder
		class function SelfTestC: Boolean; //unicode strings in UTF8
		class function SelfTestD: Boolean; //different length passwords
		class function SelfTestE: Boolean; //salt rng

		class function GenRandomBytes(len: Integer; const data: Pointer): HRESULT;
	public
		//Hashes a password into the OpenBSD password-file format (non-standard base-64 encoding). Also validate that BSD style string
		class function HashPassword(const password: UnicodeString): AnsiString; overload;
		class function CheckPassword(const password: UnicodeString; const expectedHashString: AnsiString): Boolean; overload;

		//If you want to handle the cost, salt, and encoding yourself, you can do that.
		class function HashPassword(const password: UnicodeString; const salt: array of Byte; const cost: Integer): TByteDynArray; overload;
		class function CheckPassword(const password: UnicodeString; const salt, hash: array of Byte; const Cost: Integer): Boolean; overload;
		class function GenerateSalt: TByteDynArray;

		class function SelfTest: Boolean;
	end;

implementation

uses
	Windows, SysUtils,
{$IFDEF UnitTests}TestFramework, {$ENDIF}
	ActiveX;

const
	BCRYPT_COST = 10; //cost determintes the number of rounds. 10 = 2^10 rounds (1024)
	BCRYPT_SALT_LEN = 16; //bcrypt uses 128-bit (16-byte) salt (This isn't an adjustable parameter, just a name for a constant)

	BsdBase64EncodeTable: array[0..63] of Char =
			{ 0:} './'+
			{ 2:} 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'+
			{28:} 'abcdefghijklmnopqrstuvwxyz'+
			{54:} '0123456789';

			//the traditional base64 encode table:
			//'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
			//'abcdefghijklmnopqrstuvwxyz' +
			//'0123456789+/';

	BsdBase64DecodeTable: array[#0..#127] of Integer = (
			{  0:} -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,  // ________________
			{ 16:} -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,  // ________________
			{ 32:} -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,  0,  1,  // ______________./
			{ 48:} 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, -1, -1, -1, -1,  // 0123456789______
			{ 64:} -1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16,  // _ABCDEFGHIJKLMNO
			{ 80:} 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, -1, -1, -1, -1, -1,  // PQRSTUVWXYZ_____
			{ 96:} -1, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,  // _abcdefghijklmno
			{113:} 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, -1, -1, -1, -1, -1); // pqrstuvwxyz_____

	TestVectors: array[1..20, 1..3] of string = (
			('',                                   '$2a$06$DCq7YPn5Rq63x1Lad4cll.',    '$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s.'),
			('',                                   '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.',    '$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye'),
			('',                                   '$2a$10$k1wbIrmNyFAPwPVPSVa/ze',    '$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW'),
			('',                                   '$2a$12$k42ZFHFWqBp3vWli.nIn8u',    '$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO'),
			('a',                                  '$2a$06$m0CrhHm10qJ3lXRY.5zDGO',    '$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe'),
			('a',                                  '$2a$08$cfcvVd2aQ8CMvoMpP2EBfe',    '$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V.'),
			('a',                                  '$2a$10$k87L/MF28Q673VKh8/cPi.',    '$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u'),
			('a',                                  '$2a$12$8NJH3LsPrANStV6XtBakCe',    '$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS'),
			('abc',                                '$2a$06$If6bvum7DFjUnE9p2uDeDu',    '$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i'),
			('abc',                                '$2a$08$Ro0CUfOqk6cXEKf3dyaM7O',    '$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm'),
			('abc',                                '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.',    '$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi'),
			('abc',                                '$2a$12$EXRkfkdmXn2gzds2SSitu.',    '$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q'),
			('abcdefghijklmnopqrstuvwxyz',         '$2a$06$.rCVZVOThsIa97pEDOxvGu',    '$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC'),
			('abcdefghijklmnopqrstuvwxyz',         '$2a$08$aTsUwsyowQuzRrDqFflhge',    '$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz.'),
			('abcdefghijklmnopqrstuvwxyz',         '$2a$10$fVH8e28OQRj9tqiDXs1e1u',    '$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq'),
			('abcdefghijklmnopqrstuvwxyz',         '$2a$12$D4G5f18o7aMMfwasBL7Gpu',    '$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG'),
			('~!@#$%^&*()      ~!@#$%^&*()PNBFRD', '$2a$06$fPIsBO8qRqkjj273rfaOI.',    '$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO'),
			('~!@#$%^&*()      ~!@#$%^&*()PNBFRD', '$2a$08$Eq2r4G/76Wv39MzSX262hu',    '$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW'),
			('~!@#$%^&*()      ~!@#$%^&*()PNBFRD', '$2a$10$LgfYWkbzEvQ4JakH7rOvHe',    '$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS'),
			('~!@#$%^&*()      ~!@#$%^&*()PNBFRD', '$2a$12$WApznUOJfkEGSmYRfnkrPO',    '$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC')
	);


{$IFDEF UnitTests}
type
	TBCryptTests = class(TTestCase)
	public
		procedure SelfTest;

		//These are just too darn slow (as they should be) for continuous testing
		procedure SelfTestA_KnownTestVectors;
		procedure SelfTestC_UnicodeStrings;
		procedure SelfTestD_VariableLengthPasswords;
	published
		procedure SelfTestB_Base64EncoderDecoder;
	end;
{$ENDIF}

const
	advapi32 = 'advapi32.dll';

function CryptAcquireContextW(out phProv: THandle; pszContainer: PWideChar; pszProvider: PWideChar; dwProvType: DWORD; dwFlags: DWORD): BOOL; stdcall; external advapi32;
function CryptReleaseContext(hProv: THandle; dwFlags: DWORD): BOOL; stdcall; external advapi32;
function CryptGenRandom(hProv: THandle; dwLen: DWORD; pbBuffer: Pointer): BOOL; stdcall; external advapi32;

{ TBCrypt }

class function TBCrypt.HashPassword(const password: UnicodeString): AnsiString;
var
	cost: Integer;
	salt: TByteDynArray;
	hash: TByteDynArray;
begin
{	bcrypt was designed for OpenBSD, where hashes in the password file have a
	certain format.

	The convention used in BSD when generating password hash strings is to format it as:
			$version$salt$hash

	MD5 hash uses version "1":
			"$"+"1"+"$"+salt+hash

	bcrypt uses version "2a", but also encodes the cost

			"$"+"2a"+"$"+rounds+"$"+salt+hash

	e.g.
			$2a$10$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm
			$==$==$======================-------------------------------

	The benfit of this scheme is:
			- the number of rounds
			- the salt used

	This means that stored hashes are backwards and forwards compatible with
	changing the number of rounds
}
	salt := GenerateSalt();
	cost := BCRYPT_COST;

	//utf8 := TBCrypt.WideStringToUtf8(password);
	hash := TBCrypt.HashPassword(password, salt, cost);

	Result := FormatPasswordHashForBsd(cost, salt, hash);
end;

class function TBCrypt.GenerateSalt: TByteDynArray;
var
	type4Uuid: TGUID;
	salt: TByteDynArray;
begin
	//Salt is a 128-bit (16 byte) random value
	SetLength(salt, BCRYPT_SALT_LEN);

	//Type 4 UUID (RFC 4122) is a handy source of (almost) 128-bits of random data (actually 120 bits)
	//But the security doesn't come from the salt being secret, it comes from the salt being different each time
	OleCheck(CoCreateGUID(Type4Uuid));

	Move(type4Uuid.D1, salt[0], BCRYPT_SALT_LEN); //16 bytes

	Result := salt;
end;

class function TBCrypt.HashPassword(const password: UnicodeString; const salt: array of Byte; const cost: Integer): TByteDynArray;
var
	key: TByteDynArray;
	len: Integer;
	utf8Password: AnsiString;
begin
	//pseudo-standard dictates that unicode strings are converted to UTF8 (rather than UTF16, UTF32, UTF16LE, etc)
	utf8Password := TBCrypt.WideStringToUtf8(password);

	//key is 56 bytes.
	//bcrypt version 2a defines that we include the null terminator
	//this leaves us with 55 characters we can include
	len := Length(utf8Password);
	if len > 55 then
		len := 55;

	SetLength(key, len+1); //+1 for the null terminator

	if Length(utf8Password) > 0 then
		Move(utf8Password[1], key[0], len);

	//set the final null terminator
	key[len] := 0;

	Result := TBCrypt.CryptCore(cost, key, salt);
end;

class function TBCrypt.CryptCore(const Cost: Integer; key, salt: array of Byte): TByteDynArray;
var
	state: TBlowfishData;
	i: Integer;
	plainText: array[0..23] of Byte;
	cipherText: array[0..23] of Byte;

const
	magicText: AnsiString = 'OrpheanBeholderScryDoubt'; //the 24-byte data we will be encrypting 64 times
begin
	state := TBCrypt.EksBlowfishSetup(cost, salt, key);

	//Conceptually we are encrypting "OrpheanBeholderScryDoubt" 64 times
	Move(magicText[1], plainText[0], 24);

	for i := 1 to 64 do
	begin
		//The painful thing is that the plaintext is 24 bytes long; this is three 8-byte blocks.
		//Which means we have to do the EBC encryption on 3 separate sections.
		BlowfishEncryptECB(state, Pointer(@plainText[ 0]), Pointer(@cipherText[ 0]));
		BlowfishEncryptECB(state, Pointer(@plainText[ 8]), Pointer(@cipherText[ 8]));
		BlowfishEncryptECB(state, Pointer(@plainText[16]), Pointer(@cipherText[16]));

		Move(cipherText[0], plainText[0], 24);
	end;

	SetLength(Result, 24);
	Move(cipherText[0], Result[0], 24);
end;


class function TBCrypt.EksBlowfishSetup(const Cost: Integer; salt, key: array of Byte): TBlowfishData;
var
	rounds: Cardinal; //rounds = 2^cost
	i: Integer;
	Len: Integer;
const
	zero: array[0..15] of Byte = (0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0);
begin
	//Expensive key setup
	if (cost < 4) or (cost > 31) then
		raise Exception.Create('Blowfish: Cost ('+IntToStr(Cost)+') must be between 4..31');

	Len := Length(key);
	if (Len > 56) then
		raise Exception.Create('Blowfish: Key must be between 1 and 56 bytes long');

	if Length(salt) <> BCRYPT_SALT_LEN then
		raise Exception.Create('Blowfish: salt must be 16 bytes');

	//Copy S and P boxes into local state
	BlowfishInitState(Result);

	Self.ExpandKey(Result, salt, key);

	//rounds = 2^cost
	rounds := 1 shl cost;

	for i := 1 to rounds do
	begin
		Self.ExpandKey(Result, zero, key);
		Self.ExpandKey(Result, zero, salt);
	end;

	//Result := what it is
end;

class procedure TBCrypt.ExpandKey(var State: TBlowfishData; salt, key: array of Byte);
var
	i, j, k: Integer;
	A: DWord;
	KeyB: PByteArray;
	Block: array[0..7] of Byte;
	Len: Integer;
	saltHalf: Integer;
begin
	//ExpandKey phase of the Expensive key setup
	Len := Length(key);
	if (Len > 56) then
		raise Exception.Create('Blowfish: Key must be between 1 and 56 bytes long');

	{
		XOR all the subkeys in the P-array with the encryption key
		The first 32 bits of the key are XORed with P1, the next 32 bits with P2, and so on.
		The key is viewed as being cyclic; when the process reaches the end of the key,
		it starts reusing bits from the beginning to XOR with subkeys.
	}
	if len > 0 then
	begin
		KeyB := PByteArray(@key[0]);
		k := 0;
		for i := 0 to 17 do
		begin
			A :=      KeyB[(k+3) mod Len];
			A := A + (KeyB[(k+2) mod Len] shl 8);
			A := A + (KeyB[(k+1) mod Len] shl 16);
			A := A + (KeyB[k]             shl 24);
			State.PBoxM[i] := State.PBoxM[i] xor A;
			k := (k+4) mod Len;
		end;
	end;

	//Blowfsh-encrypt the first 64 bits of its salt argument using the current state of the key schedule.
	BlowfishEncryptECB(State, @salt[0], @Block);

	//The resulting ciphertext replaces subkeys P1 and P2.
	State.PBoxM[0] := Block[3] + (Block[2] shl 8) + (Block[1] shl 16) + (Block[0] shl 24);
	State.PBoxM[1] := Block[7] + (Block[6] shl 8) + (Block[5] shl 16) + (Block[4] shl 24);

	saltHalf := 1;
	for i := 1 to 8 do
	begin
		//That same ciphertext is also XORed with the second 64-bits of salt
		for k := 0 to 7 do
			block[k] := block[k] xor salt[(saltHalf*8)+k]; //Salt is 0..15 (0..7 is first block, 8..15 is second block)
		saltHalf := saltHalf xor 1;

		//and the result encrypted with the new state of the key schedule
		BlowfishEncryptECB(State, @Block, @Block);

		// The output of the second encryption replaces subkeys P3 and P4. (P[2] and P[3])
		State.PBoxM[i*2] :=   Block[3] + (Block[2] shl 8) + (Block[1] shl 16) + (Block[0] shl 24);
		State.PBoxM[i*2+1] := Block[7] + (Block[6] shl 8) + (Block[5] shl 16) + (Block[4] shl 24);
	end;

	//When ExpandKey finishes replacing entries in the P-Array, it continues on replacing S-box entries two at a time.
	for j := 0 to 3 do
	begin
		for i := 0 to 127 do
		begin
			//That same ciphertext is also XORed with the second 64-bits of salt
			for k := 0 to 7 do
				block[k] := block[k] xor salt[(saltHalf*8 mod 16)+k]; //Salt is 0..15 (0..7 is first block, 8..15 is second block)
			saltHalf := saltHalf xor 1;

			//and the result encrypted with the new state of the key schedule
			BlowfishEncryptECB(State, @Block, @Block);

			// The output of the second encryption replaces subkeys S1 and P2. (S[0] and S[1])
			State.SBoxM[j, i*2] :=   Block[3] + (Block[2] shl 8) + (Block[1] shl 16) + (Block[0] shl 24);
			State.SBoxM[j, i*2+1] := Block[7] + (Block[6] shl 8) + (Block[5] shl 16) + (Block[4] shl 24);
		end;
	end;
end;

class function TBCrypt.CheckPassword(const password: UnicodeString; const salt, hash: array of Byte; const Cost: Integer): Boolean;
var
	candidateHash: TByteDynArray;
	len: Integer;
begin
	Result := False;

	candidateHash := TBCrypt.HashPassword(password, salt, cost);

	len := Length(hash);
	if Length(candidateHash) <> len then
		Exit;

	Result := CompareMem(@candidateHash[0], @hash[0], len);
end;

class function TBCrypt.TryParseHashString(const hashString: AnsiString;
		out version: string; out Cost: Integer; out Salt: TByteDynArray{; out Hash: TByteDynArray}): Boolean;
var
	work: AnsiString;
	s: AnsiString;
begin
	Result := False;

	{
		Pick apart our specially formatted hash string

		$2a$nn$(22 character salt, b64 encoded)(32 character hash, b64 encoded)

		We also need to accept version 2, the original version
	}
	if Length(hashString) < 28 then
		Exit;

	//get the version prefix (we support "2a" and the older "2", since they are the same thing)
	if AnsiSameText(Copy(hashString, 1, 4), '$2a$') then
	begin
		version := Copy(hashString, 2, 2);
		work := Copy(hashString, 5, 25);
	end
	else if AnsiSameText(Copy(hashString, 1, 3), '$2$') then
	begin
		version := Copy(hashString, 2, 1);
		work := Copy(hashString, 4, 25);
	end
	else
		Exit;

	//Next two characters must be a length
	s := Copy(work, 1, 2);
	cost := StrToIntDef(s, -1);
	if cost < 0 then
		Exit;

	//Next is a separator
	if work[3] <> '$' then
		Exit;

	//Next 22 are the salt
	s := Copy(work, 4, 22);
	Salt := BsdBase64Decode(s); //salt is always 16 bytes

{	//next 32 is hash
	s := Copy(work, 26, 32);
	SetLength(Hash, 24); //hash is always 24 bytes}

	Result := True;
end;

class function TBCrypt.CheckPassword(const password: UnicodeString; const expectedHashString: AnsiString): Boolean;
var
	version: string;
	cost: Integer;
	salt: TByteDynArray;
	hash: TByteDynArray;
	actualHashString: string;
begin
	if not TryParseHashString(expectedHashString,
			{out}version, {out}cost, {out}salt) then
		raise Exception.Create('Invalid hash string');

	hash := TBCrypt.HashPassword(password, salt, cost);

	actualHashString := FormatPasswordHashForBsd(cost, salt, hash);

	Result := (actualHashString = expectedHashString);
end;

class function TBCrypt.BsdBase64Encode(const data: array of Byte; BytesToEncode: Integer): AnsiString;

	function EncodePacket(b1, b2, b3: Byte; Len: Integer): AnsiString;
	begin
		Result := '';

		Result := Result + BsdBase64EncodeTable[b1 shr 2];
		Result := Result + BsdBase64EncodeTable[((b1 and $03) shl 4) or (b2 shr 4)];
		if Len < 2 then Exit;

		Result := Result + BsdBase64EncodeTable[((b2 and $0f) shl 2) or (b3 shr 6)];
		if Len < 3 then Exit;

		Result := Result + BsdBase64EncodeTable[b3 and $3f];
	end;

var
	i: Integer;
	len: Integer;
	b1, b2: Integer;
begin
	Result := '';

	len := BytesToEncode;
	if len = 0 then
		Exit;

	if len > Length(data) then
		raise Exception.Create('Invalid length');

	//encode whole 3-byte chunks  TV4S 6ytw fsfv kgY8 jIuc Drjc 8deX 1s.
	i := Low(data);
	while len >= 3 do
	begin
		Result := Result+EncodePacket(data[i], data[i+1], data[i+2], 3);
		Inc(i, 3);
		Dec(len, 3);
	end;

	if len = 0 then
		Exit;

	//encode partial final chunk
	Assert(len < 3);
	if len >= 1 then
		b1 := data[i]
	else
		b1 := 0;
	if len >= 2 then
		b2 := data[i+1]
	else
		b2 := 0;
	Result := Result+EncodePacket(b1, b2, 0, len);
end;

class function TBCrypt.SelfTest: Boolean;
begin
	Result :=
			SelfTestA and  //known test vectors
			SelfTestB and  //the base64 encoder/decoder
			SelfTestC and  //unicode strings
			SelfTestD;     //different length passwords
end;

class function TBCrypt.FormatPasswordHashForBsd(const cost: Integer; const salt, hash: array of Byte): AnsiString;
var
	saltString: AnsiString;
	hashString: AnsiString;
begin
	saltString := BsdBase64Encode(salt, Length(salt));
	hashString := BsdBase64Encode(hash, Length(hash)-1); //Yes, everything except the last byte
		//OpenBSD, in the pseudo-base64 implementation, doesn't include the last byte of the hash
		//Nobody knows why, but that's what all exists tests do - so it's what i do

	Result := Format('$2a$%.2d$%s%s', [cost, saltString, hashString]);
end;

class function TBCrypt.BsdBase64Decode(const s: AnsiString): TByteDynArray;

	function Char64(character: AnsiChar): Integer;
	begin
		if (Ord(character) > Length(BsdBase64DecodeTable)) then
		begin
			Result := -1;
			Exit;
		end;

		Result := BsdBase64DecodeTable[character];
	end;

	procedure Append(value: Byte);
	var
		i: Integer;
	begin
		i := Length(Result);
		SetLength(Result, i+1);
		Result[i] := value;
	end;

var
	i: Integer;
	len: Integer;
	c1, c2, c3, c4: Integer;
begin
	SetLength(Result, 0);

	len := Length(s);
	i := 1;
	while i <= len do
	begin
		// We'll need to have at least 2 character to form one byte.
		// Anything less is invalid
		if (i+1) > len then
		begin
			raise Exception.Create('Invalid base64 hash string');
//			Break;
		end;

		c1 := Char64(s[i]);
		Inc(i);
		c2 := Char64(s[i]);
		Inc(i);

		if (c1 = -1) or (c2 = -1) then
		begin
			raise Exception.Create('Invalid base64 hash string');
//			Break;
		end;

		//Now we have at least one byte in c1|c2
		// c1 = ..111111
		// c2 = ..112222
		Append( ((c1 and $3f) shl 2) or (c2 shr 4) );

		//If there's a 3rd character, then we can use c2|c3 to form the second byte
		if (i > len) then
			Break;
		c3 := Char64(s[i]);
		Inc(i);

		if (c3 = -1) then
		begin
			raise Exception.Create('Invalid base64 hash string');
//			Break;
		end;

		//Now we have the next byte in c2|c3
		// c2 = ..112222
		// c3 = ..222233
		Append( ((c2 and $0f) shl 4) or (c3 shr 2) );

		//If there's a 4th caracter, then we can use c3|c4 to form the third byte
		if i > len then
			Break;
		c4 := Char64(s[i]);
		Inc(i);

		if (c4 = -1) then
		begin
			raise Exception.Create('Invalid base64 hash string');
//			Break;
		end;

		//Now we have the next byte in c3|c4
		// c3 = ..222233
		// c4 = ..333333
		Append( ((c3 and $03) shl 6) or c4 );
	end;
end;

class function TBCrypt.WideStringToUtf8(const Source: UnicodeString): AnsiString;
var
	cpStr: AnsiString;
	strLen: Integer;
	dw: DWORD;
const
	CodePage = CP_UTF8;
begin
	if Length(Source) = 0 then
	begin
		Result := '';
		Exit;
	end;

	// Determine real size of destination string, in bytes
	strLen := WideCharToMultiByte(CodePage, 0,
			PWideChar(Source), Length(Source), //Source
			nil, 0, //Destination
			nil, nil);
	if strLen = 0 then
	begin
		dw := GetLastError;
		raise EConvertError.Create('[WideStringToUtf8] Could not get length of destination string. Error '+IntToStr(dw)+' ('+SysErrorMessage(dw)+')');
	end;

	// Allocate memory for destination string
	SetLength(cpStr, strLen);

	// Convert source UTF-16 string (WideString) to the destination using the code-page
	strLen := WideCharToMultiByte(CodePage, 0,
			PWideChar(Source), Length(Source), //Source
			PChar(cpStr), strLen, //Destination
			nil, nil);
	if strLen = 0 then
	begin
		dw := GetLastError;
		raise EConvertError.Create('[WideStringToUtf8] Could not convert utf16 to utf8 string. Error '+IntToStr(dw)+' ('+SysErrorMessage(dw)+')');
	end;

	Result := cpStr
end;


class function TBCrypt.SelfTestB: Boolean;
var
	i: Integer;
	salt: AnsiString;
	encoded: AnsiString;
	data: TByteDynArray;
	recoded: AnsiString;
begin
	for i := Low(TestVectors) to High(TestVectors) do
	begin
		salt := TestVectors[i,2];

		encoded := Copy(salt, 8, 22); //salt is always 22 characters

		data := TBCrypt.BsdBase64Decode(encoded);

		recoded := TBCrypt.BsdBase64Encode(data, Length(data));
		if (recoded <> encoded) then
			raise Exception.Create('BSDBase64 encoder self-test failed');
	end;

	Result := True;
end;

class function TBCrypt.SelfTestA: Boolean;
var
	i: Integer;

	procedure t(const password: AnsiString; const HashSalt: AnsiString; const ExpectedHashString: AnsiString);
	var
		version: string;
		cost: Integer;
		salt: TByteDynArray;
		hash: TByteDynArray;
		actualHashString: AnsiString;
	begin
		//Extract "$2a$06$If6bvum7DFjUnE9p2uDeDu" rounds and base64 salt from the HashSalt
		if not TBCrypt.TryParseHashString(HashSalt, {out}version, {out}cost, {out}salt) then
			raise Exception.Create('bcrypt self-test failed: invalid versionsalt "'+HashSalt+'"');

		hash := TBCrypt.HashPassword(password, salt, cost);
		actualHashString := TBCrypt.FormatPasswordHashForBsd(cost, salt, hash);

		if actualHashString <> ExpectedHashString then
			raise Exception.CreateFmt('bcrypt self-test failed. actual hash "%s" did not match expected hash "%s"', [actualHashString, ExpectedHashString]);
	end;

begin
	for i := Low(TestVectors) to High(TestVectors) do
	begin
		t(TestVectors[i,1], TestVectors[i,2], TestVectors[i,3] );
	end;

	Result := True;
end;

class function TBCrypt.SelfTestC: Boolean;
var
	s: UnicodeString;
	hash: AnsiString;
const
	n: UnicodeString=''; //n=nothing.
			//Work around bug in Delphi compiler when building widestrings
			//http://stackoverflow.com/a/7031942/12597
begin
	{
		We test that the it doesn't choke on international characters
		This was a bug in a version of bcrypt somewhere, that we do not intend to duplicate
	}
	s := n+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0; //U+03C0: Greek Small Letter Pi
	hash := TBCrypt.HashPassword(s);
	if not TBCrypt.CheckPassword(s, hash) then
		raise Exception.Create('Failed to validate unicode string "'+s+'"');


	s := n+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0+#$03C0; //U+03C0: Greek Small Letter Pi
	hash := TBCrypt.HashPassword(s);
	if not TBCrypt.CheckPassword(s, hash) then
		raise Exception.Create('Failed to validate unicode string "'+s+'"');

	Result := True;
end;

{ TBCryptTests }

{$IFDEF UnitTests}
procedure TBCryptTests.SelfTest;
begin
	CheckTrue(TBCrypt.SelfTest);
end;
{$ENDIF}

class function TBCrypt.SelfTestD: Boolean;
var
	i: Integer;
	password: string;
	hash: string;
begin
	for i := 0 to 56 do
	begin
		password := Copy('The quick brown fox jumped over the lazy dog then sat on a log', 1, i);
		hash := TBCrypt.HashPassword(password);
		if (hash = '') then
			raise Exception.Create('hash creation failed');
	end;

	Result := True;
end;

{$IFDEF UnitTests}
procedure TBCryptTests.SelfTestA_KnownTestVectors;
begin
	CheckTrue(TBCrypt.SelfTestA);
end;

procedure TBCryptTests.SelfTestB_Base64EncoderDecoder;
begin
	CheckTrue(TBCrypt.SelfTestB);
end;

procedure TBCryptTests.SelfTestC_UnicodeStrings;
begin
	CheckTrue(TBCrypt.SelfTestC);
end;

procedure TBCryptTests.SelfTestD_VariableLengthPasswords;
begin
	CheckTrue(TBCrypt.SelfTestD);
end;
{$ENDIF}

class function TBCrypt.GenRandomBytes(len: Integer; const data: Pointer): HRESULT;
var
	hProv: THandle;
const
	PROV_RSA_FULL = 1;
	CRYPT_VERIFYCONTEXT = DWORD($F0000000);
	CRYPT_SILENT         = $00000040;
begin
	if not CryptAcquireContextW(hPRov, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT or CRYPT_SILENT) then
	begin
		Result := HResultFromWin32(GetLastError);
		Exit;
	end;
	try
		if not CryptGenRandom(hProv, len, data) then
		begin
			Result := HResultFromWin32(GetLastError);
			Exit;
		end;
	finally
		CryptReleaseContext(hProv, 0);
	end;

	Result := S_OK;
end;

class function TBCrypt.SelfTestE: Boolean;
var
	salt: TByteDynArray;
begin
	salt := TBCrypt.GenerateSalt;
	if Length(salt) <> BCRYPT_SALT_LEN then
		raise Exception.Create('BCrypt selftest failed; invalid salt length');

	Result := True;
end;

initialization
{$IFDEF UnitTests}
	RegisterTest('Library', TBCryptTests.Suite);
{$ENDIF}

end.