bcrypt 3.1.3-java

data/lib/bcrypt/engine.rb

@@ -0,0 +1,116 @@
+module BCrypt
+  # A Ruby wrapper for the bcrypt() C extension calls and the Java calls.
+  class Engine
+    # The default computational expense parameter.
+    DEFAULT_COST    = 10
+    # The minimum cost supported by the algorithm.
+    MIN_COST        = 4
+    # Maximum possible size of bcrypt() salts.
+    MAX_SALT_LENGTH = 16
+
+    if RUBY_PLATFORM != "java"
+      # C-level routines which, if they don't get the right input, will crash the
+      # hell out of the Ruby process.
+      private_class_method :__bc_salt
+      private_class_method :__bc_crypt
+    end
+
+    @cost = nil
+
+    # Returns the cost factor that will be used if one is not specified when
+    # creating a password hash.  Defaults to DEFAULT_COST if not set.
+    def self.cost
+      @cost || DEFAULT_COST
+    end
+
+    # Set a default cost factor that will be used if one is not specified when
+    # creating a password hash.
+    #
+    # Example:
+    #
+    #   BCrypt::Engine::DEFAULT_COST            #=> 10
+    #   BCrypt::Password.create('secret').cost  #=> 10
+    #
+    #   BCrypt::Engine.cost = 8
+    #   BCrypt::Password.create('secret').cost  #=> 8
+    #
+    #   # cost can still be overridden as needed
+    #   BCrypt::Password.create('secret', :cost => 6).cost  #=> 6
+    def self.cost=(cost)
+      @cost = cost
+    end
+
+    # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
+    # a bcrypt() password hash.
+    def self.hash_secret(secret, salt, _ = nil)
+      if valid_secret?(secret)
+        if valid_salt?(salt)
+          if RUBY_PLATFORM == "java"
+            Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s, salt.to_s)
+          else
+            __bc_crypt(secret.to_s, salt)
+          end
+        else
+          raise Errors::InvalidSalt.new("invalid salt")
+        end
+      else
+        raise Errors::InvalidSecret.new("invalid secret")
+      end
+    end
+
+    # Generates a random salt with a given computational cost.
+    def self.generate_salt(cost = self.cost)
+      cost = cost.to_i
+      if cost > 0
+        if cost < MIN_COST
+          cost = MIN_COST
+        end
+        if RUBY_PLATFORM == "java"
+          Java.bcrypt_jruby.BCrypt.gensalt(cost)
+        else
+          prefix = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
+          __bc_salt(prefix, cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
+        end
+      else
+        raise Errors::InvalidCost.new("cost must be numeric and > 0")
+      end
+    end
+
+    # Returns true if +salt+ is a valid bcrypt() salt, false if not.
+    def self.valid_salt?(salt)
+      !!(salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/)
+    end
+
+    # Returns true if +secret+ is a valid bcrypt() secret, false if not.
+    def self.valid_secret?(secret)
+      secret.respond_to?(:to_s)
+    end
+
+    # Returns the cost factor which will result in computation times less than +upper_time_limit_in_ms+.
+    #
+    # Example:
+    #
+    #   BCrypt::Engine.calibrate(200)  #=> 10
+    #   BCrypt::Engine.calibrate(1000) #=> 12
+    #
+    #   # should take less than 200ms
+    #   BCrypt::Password.create("woo", :cost => 10)
+    #
+    #   # should take less than 1000ms
+    #   BCrypt::Password.create("woo", :cost => 12)
+    def self.calibrate(upper_time_limit_in_ms)
+      40.times do |i|
+        start_time = Time.now
+        Password.create("testing testing", :cost => i+1)
+        end_time = Time.now - start_time
+        return i if end_time * 1_000 > upper_time_limit_in_ms
+      end
+    end
+
+    # Autodetects the cost from the salt string.
+    def self.autodetect_cost(salt)
+      salt[4..5].to_i
+    end
+  end
+
+end

data/lib/bcrypt/error.rb

@@ -0,0 +1,22 @@
+module BCrypt
+
+  class Error < StandardError  # :nodoc:
+  end
+
+  module Errors  # :nodoc:
+
+    # The salt parameter provided to bcrypt() is invalid.
+    class InvalidSalt < BCrypt::Error; end
+
+    # The hash parameter provided to bcrypt() is invalid.
+    class InvalidHash < BCrypt::Error; end
+
+    # The cost parameter provided to bcrypt() is invalid.
+    class InvalidCost < BCrypt::Error; end
+
+    # The secret parameter provided to bcrypt() is invalid.
+    class InvalidSecret < BCrypt::Error; end
+
+  end
+
+end

data/lib/bcrypt/password.rb

@@ -0,0 +1,87 @@
+module BCrypt
+  # A password management class which allows you to safely store users' passwords and compare them.
+  #
+  # Example usage:
+  #
+  #   include BCrypt
+  #
+  #   # hash a user's password
+  #   @password = Password.create("my grand secret")
+  #   @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"
+  #
+  #   # store it safely
+  #   @user.update_attribute(:password, @password)
+  #
+  #   # read it back
+  #   @user.reload!
+  #   @db_password = Password.new(@user.password)
+  #
+  #   # compare it after retrieval
+  #   @db_password == "my grand secret" #=> true
+  #   @db_password == "a paltry guess"  #=> false
+  #
+  class Password < String
+    # The hash portion of the stored password hash.
+    attr_reader :checksum
+    # The salt of the store password hash (including version and cost).
+    attr_reader :salt
+    # The version of the bcrypt() algorithm used to create the hash.
+    attr_reader :version
+    # The cost factor used to create the hash.
+    attr_reader :cost
+
+    class << self
+      # Hashes a secret, returning a BCrypt::Password instance. Takes an optional <tt>:cost</tt> option, which is a
+      # logarithmic variable which determines how computational expensive the hash is to calculate (a <tt>:cost</tt> of
+      # 4 is twice as much work as a <tt>:cost</tt> of 3). The higher the <tt>:cost</tt> the harder it becomes for
+      # attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check
+      # users' passwords.
+      #
+      # Example:
+      #
+      #   @password = BCrypt::Password.create("my secret", :cost => 13)
+      def create(secret, options = {})
+        cost = options[:cost] || BCrypt::Engine.cost
+        raise ArgumentError if cost > 31
+        Password.new(BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(cost)))
+      end
+
+      def valid_hash?(h)
+        h =~ /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/
+      end
+    end
+
+    # Initializes a BCrypt::Password instance with the data from a stored hash.
+    def initialize(raw_hash)
+      if valid_hash?(raw_hash)
+        self.replace(raw_hash)
+        @version, @cost, @salt, @checksum = split_hash(self)
+      else
+        raise Errors::InvalidHash.new("invalid hash")
+      end
+    end
+
+    # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
+    def ==(secret)
+      super(BCrypt::Engine.hash_secret(secret, @salt))
+    end
+    alias_method :is_password?, :==
+
+  private
+
+    # Returns true if +h+ is a valid hash.
+    def valid_hash?(h)
+      self.class.valid_hash?(h)
+    end
+
+    # call-seq:
+    #   split_hash(raw_hash) -> version, cost, salt, hash
+    #
+    # Splits +h+ into version, cost, salt, and hash and returns them in that order.
+    def split_hash(h)
+      _, v, c, mash = h.split('$')
+      return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
+    end
+  end
+
+end

data/spec/TestBCrypt.java

@@ -0,0 +1,194 @@
+// Copyright (c) 2006 Damien Miller <djm@mindrot.org>
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import junit.framework.TestCase;
+
+/**
+ * JUnit unit tests for BCrypt routines
+ * @author Damien Miller
+ * @version 0.2
+ */
+public class TestBCrypt extends TestCase {
+	String test_vectors[][] = {
+			{ "", 
+			"$2a$06$DCq7YPn5Rq63x1Lad4cll.",
+			"$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s." },
+			{ "",
+			"$2a$08$HqWuK6/Ng6sg9gQzbLrgb.",
+			"$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye" },
+			{ "",
+			"$2a$10$k1wbIrmNyFAPwPVPSVa/ze",
+			"$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW" },
+			{ "",
+			"$2a$12$k42ZFHFWqBp3vWli.nIn8u",
+			"$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO" },
+			{ "a",
+			"$2a$06$m0CrhHm10qJ3lXRY.5zDGO",
+			"$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe" },
+			{ "a", 
+			"$2a$08$cfcvVd2aQ8CMvoMpP2EBfe",
+			"$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V." },
+			{ "a",
+			"$2a$10$k87L/MF28Q673VKh8/cPi.",
+			"$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u" },
+			{ "a",
+			"$2a$12$8NJH3LsPrANStV6XtBakCe",
+			"$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS" },
+			{ "abc",
+			"$2a$06$If6bvum7DFjUnE9p2uDeDu",
+			"$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i" },
+			{ "abc",
+			"$2a$08$Ro0CUfOqk6cXEKf3dyaM7O",
+			"$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm" },
+			{ "abc",
+			"$2a$10$WvvTPHKwdBJ3uk0Z37EMR.",
+			"$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi" },
+			{ "abc",
+			"$2a$12$EXRkfkdmXn2gzds2SSitu.",
+			"$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q" },
+			{ "abcdefghijklmnopqrstuvwxyz",
+			"$2a$06$.rCVZVOThsIa97pEDOxvGu",
+			"$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC" },
+			{ "abcdefghijklmnopqrstuvwxyz",
+			"$2a$08$aTsUwsyowQuzRrDqFflhge",
+			"$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz." },
+			{ "abcdefghijklmnopqrstuvwxyz",
+			"$2a$10$fVH8e28OQRj9tqiDXs1e1u",
+			"$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq" },
+			{ "abcdefghijklmnopqrstuvwxyz",
+			"$2a$12$D4G5f18o7aMMfwasBL7Gpu",
+			"$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG" },
+			{ "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+			"$2a$06$fPIsBO8qRqkjj273rfaOI.",
+			"$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO" },
+			{ "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+			"$2a$08$Eq2r4G/76Wv39MzSX262hu",
+			"$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW" },
+			{ "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+			"$2a$10$LgfYWkbzEvQ4JakH7rOvHe",
+			"$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS" },
+			{ "~!@#$%^&*()      ~!@#$%^&*()PNBFRD",
+			"$2a$12$WApznUOJfkEGSmYRfnkrPO",
+			"$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC" },
+		};
+
+	/**
+	 * Entry point for unit tests
+	 * @param args unused
+	 */
+	public static void main(String[] args) {
+		junit.textui.TestRunner.run(TestBCrypt.class);
+	}
+
+	/**
+	 * Test method for 'BCrypt.hashpw(String, String)'
+	 */
+	public void testHashpw() {
+		System.out.print("BCrypt.hashpw(): ");
+		for (int i = 0; i < test_vectors.length; i++) {
+			String plain = test_vectors[i][0];
+			String salt = test_vectors[i][1];
+			String expected = test_vectors[i][2];
+			String hashed = BCrypt.hashpw(plain, salt);
+			assertEquals(hashed, expected);
+			System.out.print(".");
+		}
+		System.out.println("");
+	}
+
+	/**
+	 * Test method for 'BCrypt.gensalt(int)'
+	 */
+	public void testGensaltInt() {
+		System.out.print("BCrypt.gensalt(log_rounds):");
+		for (int i = 4; i <= 12; i++) {
+			System.out.print(" " + Integer.toString(i) + ":");
+			for (int j = 0; j < test_vectors.length; j += 4) {
+				String plain = test_vectors[j][0];
+				String salt = BCrypt.gensalt(i);
+				String hashed1 = BCrypt.hashpw(plain, salt);
+				String hashed2 = BCrypt.hashpw(plain, hashed1);
+				assertEquals(hashed1, hashed2);
+				System.out.print(".");
+			}
+		}
+		System.out.println("");
+	}
+
+	/**
+	 * Test method for 'BCrypt.gensalt()'
+	 */
+	public void testGensalt() {
+		System.out.print("BCrypt.gensalt(): ");
+		for (int i = 0; i < test_vectors.length; i += 4) {
+			String plain = test_vectors[i][0];
+			String salt = BCrypt.gensalt();
+			String hashed1 = BCrypt.hashpw(plain, salt);
+			String hashed2 = BCrypt.hashpw(plain, hashed1);
+			assertEquals(hashed1, hashed2);
+			System.out.print(".");
+		}
+		System.out.println("");
+	}
+
+	/**
+	 * Test method for 'BCrypt.checkpw(String, String)'
+	 * expecting success
+	 */
+	public void testCheckpw_success() {
+		System.out.print("BCrypt.checkpw w/ good passwords: ");
+		for (int i = 0; i < test_vectors.length; i++) {
+			String plain = test_vectors[i][0];
+			String expected = test_vectors[i][2];
+			assertTrue(BCrypt.checkpw(plain, expected));
+			System.out.print(".");
+		}
+		System.out.println("");
+	}
+
+	/**
+	 * Test method for 'BCrypt.checkpw(String, String)'
+	 * expecting failure
+	 */
+	public void testCheckpw_failure() {
+		System.out.print("BCrypt.checkpw w/ bad passwords: ");
+		for (int i = 0; i < test_vectors.length; i++) {
+			int broken_index = (i + 4) % test_vectors.length;
+			String plain = test_vectors[i][0];
+			String expected = test_vectors[broken_index][2];
+			assertFalse(BCrypt.checkpw(plain, expected));
+			System.out.print(".");
+		}
+		System.out.println("");
+	}
+
+	/**
+	 * Test for correct hashing of non-US-ASCII passwords
+	 */
+	public void testInternationalChars() {
+		System.out.print("BCrypt.hashpw w/ international chars: ");
+		String pw1 = "ππππππππ";
+		String pw2 = "????????";
+
+		String h1 = BCrypt.hashpw(pw1, BCrypt.gensalt());
+		assertFalse(BCrypt.checkpw(pw2, h1));
+		System.out.print(".");
+
+		String h2 = BCrypt.hashpw(pw2, BCrypt.gensalt());
+		assertFalse(BCrypt.checkpw(pw1, h2));
+		System.out.print(".");
+		System.out.println("");
+	}
+
+}

data/spec/bcrypt/engine_spec.rb

@@ -0,0 +1,82 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "..", "spec_helper"))
+
+describe "The BCrypt engine" do
+  specify "should calculate the optimal cost factor to fit in a specific time" do
+    first = BCrypt::Engine.calibrate(100)
+    second = BCrypt::Engine.calibrate(400)
+    second.should > first
+  end
+end
+
+describe "Generating BCrypt salts" do
+
+  specify "should produce strings" do
+    BCrypt::Engine.generate_salt.should be_an_instance_of(String)
+  end
+
+  specify "should produce random data" do
+    BCrypt::Engine.generate_salt.should_not equal(BCrypt::Engine.generate_salt)
+  end
+
+  specify "should raise a InvalidCostError if the cost parameter isn't numeric" do
+    lambda { BCrypt::Engine.generate_salt('woo') }.should raise_error(BCrypt::Errors::InvalidCost)
+  end
+
+  specify "should raise a InvalidCostError if the cost parameter isn't greater than 0" do
+    lambda { BCrypt::Engine.generate_salt(-1) }.should raise_error(BCrypt::Errors::InvalidCost)
+  end
+end
+
+describe "Autodetecting of salt cost" do
+
+  specify "should work" do
+    BCrypt::Engine.autodetect_cost("$2a$08$hRx2IVeHNsTSYYtUWn61Ou").should eq 8
+    BCrypt::Engine.autodetect_cost("$2a$05$XKd1bMnLgUnc87qvbAaCUu").should eq 5
+    BCrypt::Engine.autodetect_cost("$2a$13$Lni.CZ6z5A7344POTFBBV.").should eq 13
+  end
+
+end
+
+describe "Generating BCrypt hashes" do
+
+  class MyInvalidSecret
+    undef to_s
+  end
+
+  before :each do
+    @salt = BCrypt::Engine.generate_salt(4)
+    @password = "woo"
+  end
+
+  specify "should produce a string" do
+    BCrypt::Engine.hash_secret(@password, @salt).should be_an_instance_of(String)
+  end
+
+  specify "should raise an InvalidSalt error if the salt is invalid" do
+    lambda { BCrypt::Engine.hash_secret(@password, 'nino') }.should raise_error(BCrypt::Errors::InvalidSalt)
+  end
+
+  specify "should raise an InvalidSecret error if the secret is invalid" do
+    lambda { BCrypt::Engine.hash_secret(MyInvalidSecret.new, @salt) }.should raise_error(BCrypt::Errors::InvalidSecret)
+    lambda { BCrypt::Engine.hash_secret(nil, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
+    lambda { BCrypt::Engine.hash_secret(false, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
+  end
+
+  specify "should call #to_s on the secret and use the return value as the actual secret data" do
+    BCrypt::Engine.hash_secret(false, @salt).should == BCrypt::Engine.hash_secret("false", @salt)
+  end
+
+  specify "should be interoperable with other implementations" do
+    # test vectors from the OpenWall implementation <http://www.openwall.com/crypt/>
+    test_vectors = [
+      ["U*U", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"],
+      ["U*U*", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK"],
+      ["U*U*U", "$2a$05$XXXXXXXXXXXXXXXXXXXXXO", "$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a"],
+      ["", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy"],
+      ["0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "$2a$05$abcdefghijklmnopqrstuu", "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui"]
+    ]
+    for secret, salt, test_vector in test_vectors
+      BCrypt::Engine.hash_secret(secret, salt).should eql(test_vector)
+    end
+  end
+end