crypt_checkpass 1 → 2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 189e02218459b7aa4eeb3ff0b6efbecfa49fe612
-  data.tar.gz: 403f8ca9c8a0e0dec7caff6767b7f5075c56ce8c
+  metadata.gz: 3c78a28d5c63b16c2ed28cbc183e8c92885fabd2
+  data.tar.gz: 64bcd424fb5ee0bb15e646ec522fdec98c67f106
 SHA512:
-  metadata.gz: 5b0c2eb040e52fa190fc04089e42c6d3d1f971be6d925ea10d5bb036ea0685607d3b7702eee8b3b579b5a4afd287860a0bad1fae22153837bc2149952e3b42b6
-  data.tar.gz: 5fd897d06a1651e583ebaaf39a66a2d76817fb6a2fe26742c5e77ddf6f378222f371a354e1866c6a9e9ca6593d257a96084ee264b3231a2ca932e04055ad902e
+  metadata.gz: a6b2ca0a274bc8331b0c2df7b3b774f1c778cc3687705088e1315d480301998ae0f9b9e75813694382ee54c5f6d25815a19cb53e0c84d382086d83c123e8dd68
+  data.tar.gz: 607b6f1ae9883d3372e4abaf5a15b87c132cf5972d4c6a1180ec972afce8b6f7aedc2ccaa7d6f6b4aae5ea372e8e13c63978bd6fbe52e71f1471b5ba9b010b4e

data/README.md

@@ -18,7 +18,7 @@ Verification:
 require 'crypt_checkpass'
 actual   = 'p455w0rd'
 expected = '$5$$D1W6NDlv302WsleruXoUN279B87yf6dFN4ZZhFqV6DD'
-crypt_checkpass(actual, expected) or raise 'NG'
+crypt_checkpass?(actual, expected) or raise 'NG'
 ```
 
 Generation:

data/crypt_checkpass.gemspec

@@ -25,7 +25,7 @@
 
 Gem::Specification.new do |spec|
   spec.name          = 'crypt_checkpass'
-  spec.version       = 1
+  spec.version       = 2
   spec.author        = 'Urabe, Shyouhei'
   spec.email         = 'shyouhei@ruby-lang.org'
   spec.summary       = 'provides crypt_checkpass / crypt_newhash'
@@ -52,4 +52,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'yard'
   spec.required_ruby_version =    '>= 2.0.0'
   spec.add_runtime_dependency     'consttime_memequal'
+  spec.add_runtime_dependency     'phc_string_format'
 end

data/lib/crypt_checkpass.rb

@@ -23,7 +23,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-# Parses what the  given _hash_ is, apply the same  hasing against _pass_, then
+# Parses what the given _hash_ is,  apply the same hashing against _pass_, then
 # compares the hashed _pass_ and the given _hash_.
 #
 # @param pass [String]              password string.
@@ -56,7 +56,7 @@ end
 #
 # @overload crypt_newhash(password, id:, **kwargs)
 #   At least `:id`  argument must be provided  this case, which is  the name of
-#   key deliveration function (the ID that the PHC string format says).
+#   key derivation function (the ID that the PHC string format says).
 #
 #   @param password [String]                 bare, unhashed binary password.
 #   @param id       [String]                 name of the function.

data/lib/crypt_checkpass/api.rb

@@ -189,6 +189,21 @@ class << CryptCheckpass
 
   # @!endgroup
 
+  # @!group PhcStringFormat wrappers
+
+  def phcencode id, params, salt, csum
+    require 'phc_string_format'
+    return PhcStringFormat::Formatter.format \
+      id: id, params: params, salt: salt, hash: csum
+  end
+
+  def phcdecode str
+    require 'phc_string_format'
+    return PhcStringFormat::Formatter.parse str
+  end
+
+  # @!endgroup
+
   def inherited klass
     super
     @kdfs.push klass

data/lib/crypt_checkpass/argon2.rb

@@ -38,9 +38,9 @@
 #   - `password` is the raw binary password that you want to digest.
 #
 #   - `id`  is "argon2i"  when  you want  an argon2  hash.   Due to  underlying
-#     ruby-argons gem's restriction we do not support other argon2 variants.
+#     ruby-argon2 gem's restriction we do not support other argon2 variants.
 #
-#   - `m_cost` and `t_cost` are both integer parameter to the algorighm.
+#   - `m_cost` and `t_cost` are both integer parameter to the algorithm.
 #
 # The generated password hash has following format.
 #
@@ -77,13 +77,13 @@
 #     hash. Variant "argon2i" seems most widely adopted.
 #
 #   - `v` is, when  available, a number 19.  That doesn't  mean anything.  What
-#     is important is the _absense_ of that parameter, which means the hash was
-#     genrated using old argon2 1.0 and shall be out of date.
+#     is important is the _absence_ of that parameter, which means the hash was
+#     generated using old argon2 1.0 and shall be out of date.
 #
 #   - `m` is the  amount of memory filled by the  algorithm (2**m KiB).  Memory
 #     consumption depends on this parameter.
 #
-#   - `t` is  the mumber of passes  over the memory.  The  running time depends
+#   - `t` is  the number of passes  over the memory.  The  running time depends
 #     linearly on this parameter.
 #
 #   - `p` is the degree of parallelism, called "lanes" in the C implementation.

data/lib/crypt_checkpass/pbkdf2.rb

@@ -23,8 +23,6 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-require_relative 'phc_string_format'
-
 # PBKDF2 is the most beloved algorithm by security professionals.
 #
 # ### Newhash:
@@ -112,9 +110,9 @@ class CryptCheckpass::PBKDF2 < CryptCheckpass
 
     json     = phcdecode hash
     id       = json[:id]
-    i        = json[:params][:i]
+    i        = json[:params]['i'].to_i
     salt     = json[:salt]
-    expected = json[:csum]
+    expected = json[:hash]
     dklen    = expected.bytesize
     actual   = __derive_key id, i, salt, pass, dklen
 
@@ -144,8 +142,6 @@ end
 
 # helper routines
 class << CryptCheckpass::PBKDF2
-  include CryptCheckpass::PHCStringFormat
-
   private
 
   if RUBY_VERSION >= '2.3.0'

data/lib/crypt_checkpass/scrypt.rb

@@ -24,7 +24,6 @@
 # SOFTWARE.
 
 require 'securerandom'
-require_relative 'phc_string_format'
 
 # This class is to support RFC7914-related hash variants.
 #
@@ -59,7 +58,7 @@ require_relative 'phc_string_format'
 #
 #   - `salt` is the salt string.
 #
-#   - `csum` is the checksum strgng.
+#   - `csum` is the checksum string.
 #
 # All of above fields are represented as hexadecimal numbers.
 #
@@ -158,16 +157,14 @@ end
 
 # helper routines
 class << CryptCheckpass::Scrypt
-  include CryptCheckpass::PHCStringFormat
-
   private
 
   def checkpass_phc pass, hash
     require 'consttime_memequal'
 
     json     = phcdecode hash
-    ln, r, p = json[:params].values_at :ln, :r, :p
-    expected = json[:csum]
+    ln, r, p = json[:params].values_at("ln", "r", "p").map(&:to_i)
+    expected = json[:hash]
     salt     = json[:salt]
     klen     = ::SCrypt::Engine::DEFAULTS[:key_len]
     actual   = ::SCrypt::Engine.scrypt pass, salt, 2 ** ln, r, p, klen

data/lib/crypt_checkpass/sha2.rb

@@ -23,7 +23,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-# The sha256cyrpt /  sha512crypt by Ulrich Drepper.   Default for `/etc/shadow`
+# The sha256crypt /  sha512crypt by Ulrich Drepper.   Default for `/etc/shadow`
 # of most Linux distributions.  Also no security flaws are known at the moment.
 #
 # ### Newhash:
@@ -46,7 +46,7 @@
 #
 # ### Format:
 #
-# Hash strings generated by sha256cyrpt is construted like this:
+# Hash strings generated by sha256crypt is constructed like this:
 #
 # ```ruby
 # %r{
@@ -63,7 +63,7 @@
 # }x
 # ```
 #
-# That of sha512crypt is construted like this:
+# That of sha512crypt is constructed like this:
 #
 # ```ruby
 # %r{
@@ -80,7 +80,7 @@
 # }x
 # ```
 #
-# - `id` is 5 for sha256cyrpt, 6 for sha512crypt.
+# - `id` is 5 for sha256crypt, 6 for sha512crypt.
 #
 # - `rounds` is, if  present, the stretch rounds in decimal  integer. Should be
 #   in range of 1,000 to 999,999,999 inclusive.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_checkpass
 version: !ruby/object:Gem::Version
-  version: '1'
+  version: '2'
 platform: ruby
 authors:
 - Urabe, Shyouhei
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-25 00:00:00.000000000 Z
+date: 2018-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -150,6 +150,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: phc_string_format
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Check password hash, like OpenBSD's crypt_checkpass(3) / PHP's password_verify()
 email: shyouhei@ruby-lang.org
 executables: []
@@ -171,7 +185,6 @@ files:
 - lib/crypt_checkpass/argon2.rb
 - lib/crypt_checkpass/bcrypt.rb
 - lib/crypt_checkpass/pbkdf2.rb
-- lib/crypt_checkpass/phc_string_format.rb
 - lib/crypt_checkpass/scrypt.rb
 - lib/crypt_checkpass/sha2.rb
 homepage: https://github.com/shyouhei/crypt_checkpass
@@ -194,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.2
+rubygems_version: 2.2.5
 signing_key: 
 specification_version: 4
 summary: provides crypt_checkpass / crypt_newhash

data/lib/crypt_checkpass/phc_string_format.rb

@@ -1,180 +0,0 @@
-#! /your/favourite/path/to/ruby
-# -*- mode: ruby; coding: utf-8; indent-tabs-mode: nil; ruby-indent-level: 2 -*-
-# -*- frozen_string_literal: true -*-
-# -*- warn_indent: true -*-
-
-# Copyright (c) 2018 Urabe, Shyouhei
-#
-# Permission is hereby granted, free of  charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction,  including without limitation the rights
-# to use,  copy, modify,  merge, publish,  distribute, sublicense,  and/or sell
-# copies  of the  Software,  and to  permit  persons to  whom  the Software  is
-# furnished to do so, subject to the following conditions:
-#
-#       The above copyright notice and this permission notice shall be
-#       included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE  IS PROVIDED "AS IS",  WITHOUT WARRANTY OF ANY  KIND, EXPRESS OR
-# IMPLIED,  INCLUDING BUT  NOT LIMITED  TO THE  WARRANTIES OF  MERCHANTABILITY,
-# FITNESS FOR A  PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO  EVENT SHALL THE
-# AUTHORS  OR COPYRIGHT  HOLDERS  BE LIABLE  FOR ANY  CLAIM,  DAMAGES OR  OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-
-# Helper module to handle PHC String Format-compatible strings
-#
-# @note Argon2, which  is the winner of  PHC, ignores this format  and go wild.
-#       It is  highly skeptical  that any  other hash  authors would  switch to
-#       PHC's recommendation.
-#
-# ### Format
-#
-# This is how we understand the PHC String Format:
-#
-# ```ruby
-# %r{
-#   (?<name>    [a-z0-9-]{,32}              ){0}
-#   (?<decimal> 0|-?[1-9][0-9]*             ){0}
-#   (?<b64>     [a-zA-Z0-9/+.-]*            ){0}
-#
-#   (?<id>      \g<name>                    ){0}
-#   (?<param>   \g<name>                    ){0}
-#   (?<value>   \g<decimal> | \g<b64>       ){0}
-#   (?<salt>    \g<b64>                     ){0}
-#   (?<csum>    \g<b64>                     ){0}
-#   (?<pair>    \g<param> = \g<value>       ){0}
-#   (?<pairs>   \g<pair> (?:[,] \g<pair> )* ){0}
-#
-#   \A [$] \g<id>
-#      [$] \g<pairs>
-#      [$] \g<salt>
-#      [$] \g<csum>
-#   \z
-# }x
-# ```
-# 
-#   - `id` is the name of the algorithm.
-#
-#   - `pairs` is a set of key-value pair, that are parameters to the
-#      algorithm.  Keys should be human-readable, while values need not be.
-#
-#   - `salt` and `csum` are the salt and checksum strings.  Both are encoded in
-#     what the spec says the "B64"  encoding, which is a very slightly modified
-#     version  of  RFC4648 (no  trailing  ==...  padding).   They both  can  be
-#     arbitrary length.
-#
-# @see https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
-module CryptCheckpass::PHCStringFormat
-  private
-
-  # B64 encoder
-  # @param str [String] arbitrary binary string.
-  # @return    [String] str, encoded in B64.
-  def b64encode str
-    var = [ str ].pack 'm0'
-    var.delete! '='
-    return var
-  end
-
-  if RUBY_VERSION >= '2.4.0' then
-    def malloc n
-      String.new capacity: n
-    end
-  else
-    def malloc n
-      String.new
-    end
-  end
-
-  # B64 decoder
-  # @param str [String]        str, encoded in B64.
-  # @return    [String]        decoded binary string
-  # @raise     [ArgumentError] str not in B64 encoding.
-  def b64decode str
-    return nil if str.nil? 
-    n, m = str.length.divmod 4
-    raise ArgumentError, <<-"end".strip, str.length if m == 1
-      malformed string of %d octets passed.
-    end
-    buf = malloc(n * 4)
-    buf << str
-    buf << ('=' * ((4 - m) % 4))
-    return buf.unpack('m0').first
-  end
-
-  # Form a PHC String Formatted string.
-  # @return        [String]              a PHC String Formatted string.
-  # @param  id     [String]              name of hash algorithm.
-  # @param  params [<<String, Integer>>] hash algorithm parameters.
-  # @param  salt   [String]              raw binary salt.
-  # @param  csum   [String]              raw binary checksum
-  # @note   The spec says:
-  #
-  #         > The  function MUST  specify  the order  in  which parameters  may
-  #         > appear.  Producers MUST  NOT allow  parameters to  appear in  any
-  #         > other order.
-  #
-  #         Ensuring that property is up to the caller of this method.
-  def phcencode id, params, salt, csum
-    return [
-      '',
-      id,
-      params.map {|a| a.join '=' }.join(','),
-      b64encode(salt),
-      b64encode(csum)
-    ].join('$')
-  end
-
-  # Decompose a PHC String Formatted string.
-  # @param str [String]        str, encoded in PHC's format.
-  # @return    [Hash]          decoded JSON.
-  def phcdecode str
-    grammar = %r{
-      (?<name>    [a-z0-9-]{,32}              ){0}
-      (?<decimal> 0|-?[1-9][0-9]*             ){0}
-      (?<b64>     [a-zA-Z0-9/+.-]*            ){0}
-
-      (?<id>      \g<name>                    ){0}
-      (?<param>   \g<name>                    ){0}
-      (?<value>   \g<decimal> | \g<b64>       ){0}
-      (?<salt>    \g<b64>                     ){0}
-      (?<csum>    \g<b64>                     ){0}
-      (?<pair>    \g<param> = \g<value>       ){0}
-      (?<pairs>   \g<pair> (?:[,] \g<pair> )* ){0}
-    }x
-
-    md = %r{
-      #{grammar}
-
-      \A [$] \g<id>
-         [$] \g<pairs>
-         [$] \g<salt>
-         [$] \g<csum>
-      \z
-    }xo.match str
-    raise "not in PHC String Format: %p", str unless md
-
-    return {
-      id:     md['id'],
-      params: md['pairs']     \
-              . split(',', -1) \
-              . map {|i|
-                  m = /#{grammar}\A\g<pair>\z/o.match i
-                  next [
-                    m['param'],
-                    m['decimal'] ? m['decimal'].to_i : m['b64']
-                  ]
-              }.each_with_object({}) {|(k, v), h|
-                  h.update(k.to_s.to_sym => v) { |_, w, _|
-                    raise <<-"end".strip, md['params'], k, v, w
-                      %p includes conflicting values for %p: %p versus %p
-                    end
-                  }
-              }, 
-      salt:   b64decode(md['salt']),
-      csum:   b64decode(md['csum']),
-    }
-  end
-end