RubyGems - fast-aes - Versions diffs - 0.1.1 → 0.1.2 - Mend

fast-aes 0.1.1 → 0.1.2

Files changed (8) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ce9431b455072259499c70fc70e332eb875d7c6f
+  data.tar.gz: 46506253d61cc6bb077a9d8f99196c412f8be968
+SHA512:
+  metadata.gz: f49c22bd080b343cad1459e9cb211915d0d3ccaf517209fd8cfd13f942b7f8be3e5702cf7fcb22152b68c75d7f9e9dcc40c2e5dedc51dca3290e8dc54a04702a
+  data.tar.gz: 96e7bff7d5a967ac76ea52fb6420dba805b1067bc7c85166984540d125adfcd8c8a1e4c1dbc3f94ed792e4e267753b0fc7b2f86750806670c5ef69fba875e162

data/README.md ADDED

@@ -0,0 +1,128 @@
+# FastAES - Simple but LOW security AES gem
+**This gem is a relic from 5 years ago, when libraries such as OpenSSL did not work correctly with Ruby.**
+**Use in new projects is strongly discouraged. The core Ruby OpenSSL library is faster and more secure.**
+## Replacement Code
+Refer to the [Ruby OpenSSL documentation](http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL.html)
+for details on how to leverage AES in Ruby:
+    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+    cipher.encrypt
+    iv = cipher.random_iv
+    pwd = 'some hopefully not too guessable password'
+    salt = OpenSSL::Random.random_bytes 16
+    iter = 20000
+    key_len = cipher.key_len
+    digest = OpenSSL::Digest::SHA256.new
+    key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+    cipher.key = key
+    # Now encrypt the data:
+    encrypted = cipher.update document
+    encrypted << cipher.final
+As mentioned, alot has changed in the **5+ years** since this gem was written.  Please do not use it anymore.
+### Security Notice
+A while back a [github issue](https://github.com/nateware/fast-aes/issues/2) was filed highlighting
+that this gem supports ECB and not the (significantly) more secure CBC method.  You can read more details
+on [Wikipedia's ECB writeup](http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29).
+From the article:
+> The disadvantage [of ECB] is that identical plaintext blocks are encrypted into
+> identical ciphertext blocks; thus, it does not hide data patterns well. In some senses,
+> it doesn't provide serious message confidentiality, and it is not recommended for use in
+> cryptographic protocols at all.
+If you're concerned about security, you need take responsibility for verifying whether this
+gem meets your requirements.  It probably does not.
+## Original Intro
+This is a simple implementation of AES (the US government's Advanced Encryption Standard,
+aka "Rijndael"), written in C for speed.  You can read more on the
+[Wikipedia AES Page](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
+The algorithm itself was extracted from work by Christophe Devine for the open source Netcat clone
+[sbd](http://www.cycom.se/dl/sbd).
+This code supports the main features of AES, specifically:
+- 128, 192, and 256-bit ciphers
+- Electronic Codebook (ECB) mode only - *see* *Security* *Note*
+- Encrypted blocks are padded at 16-bit boundaries ([read more on padding](http://www.di-mgt.com.au/cryptopad.html#whatispadding))
+You can read specifics about AES-ECB in the IPSec-related [RFC 3602](http://www.rfc-archive.org/getrfc.php?rfc=3602).
+### Example
+Basic encryption/decryption with this gem:
+    require 'fast-aes'
+    # key can be 128, 192, or 256 bits
+    key = '42#3b%c$dxyT,7a5=+5fUI3fa7352&^:'
+    aes = FastAES.new(key)
+    text = "Hey there, how are you?"
+    data = aes.encrypt(text)
+    puts aes.decrypt(data)   # "Hey there, how are you?"
+## Why AES?
+### SSL vs AES
+I'm going to guess you're using Ruby with Rails, which means you're doing 90+% web development.
+In that case, if you need security, SSL is the obvious choice (and the right one).
+But there will probably come a time, padawan, when you need a couple backend servers to talk -
+maybe job servers, or an admin port, or whatever.  Maybe even a simple chat server.
+You can setup SSL certificates for this but there's a good amount of maintenance overhead there.
+Or, you can directly use an encryption algorithm, such as AES.  Setting up an SSH tunnel is another
+alternative, if you control both systems.  I think it's easier to configure encryption as part of
+your application, rather than having to mess with each individual system, but that's me.
+For more information on how SSL/AES/RC4/TLS all interact,
+[read this article on SSL and AES](http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html)
+### AES vs Other Encryption Standards
+There are a bizillion (literally!) different encryption standards out there.  If you have
+a PhD, and can't find a job, writing an encryption algorithm is a good thing to put on your resume -
+on the outside chance that someone will hire you and use it.  If you don't possess the talent to
+write an encryption standard, you can spend hours trying to crack one - for similar reasons.  As a
+result, of the many encryption alternatives, most are either (a) cracked or (b) covered by patents.
+Personally, when it comes to encryption, I think choosing what the US government chooses is a decent
+choice.  They tend to be "security conscious."
+## Author
+Original AES C reference code by Christophe Devine.  Thanks Christophe!
+This gem copyright (c) 2010-2011 [Nate Wiger](http://nateware.com).  Released under the MIT License.
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
+BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile ADDED

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+desc "run all the specs"
+task :test do
+  sh "rspec"
+end
+task :default => :test

data/ext/fast_aes.c CHANGED

@@ -16,6 +16,7 @@
 /* Global boolean */
 int fast_aes_do_gen_tables = 1;
+int fast_aes_printed_deprecation_notice = 0;
 /* Old school.  Oh yeah */
 #ifndef RSTRING_PTR
@@ -95,11 +96,26 @@ VALUE fast_aes_initialize(VALUE self, VALUE key)
             /*printf("AES key=%s, bits=%d\n", fast_aes->key, fast_aes->key_bits);*/
             break;
         default:
-                        sprintf(error_mesg, "AES key must be 128, 192, or 256 bits in length (got %d): %s", key_bits, key_data);
-            rb_raise(rb_eArgError, error_mesg);
+            sprintf(error_mesg, "AES key must be 128, 192, or 256 bits in length (got %d): %s", key_bits, key_data);
+            rb_raise(rb_eArgError, "%s", error_mesg);
             return Qnil;
     }
+    /* Deprecation warning */
+    if (! fast_aes_printed_deprecation_notice) {
+        fprintf(stderr,
+            "*************************************************************************************\n"
+            "* WARNING: The Ruby fast-aes gem is insecure and should NOT be used!                *\n"
+            "* Please switch to: http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL.html *\n"
+            "* If this message is a mystery, you have a gem that depends on fast-aes             *\n"
+            "* Check your Gemfile.lock for any gems that depend on fast-aes                      *\n"
+            "* To silence this message, you can lock fast-aes to version = 0.1.1 in your Gemfile *\n"
+            "*************************************************************************************\n"
+            "\n"
+        );
+        fast_aes_printed_deprecation_notice = 1;
+    }
     if (fast_aes_initialize_state(fast_aes)) {
         rb_raise(rb_eRuntimeError, "Failed to initialize AES internal state");
         return Qnil;
@@ -250,8 +266,8 @@ VALUE fast_aes_decrypt(
     /*//////////////////////////////////////////////////////////////////////////
     ////////////////////////////////////////////////////////////////////////////
     // Strip trailing zeros, simple but effective.  This is something fucking
-		// loose-cannon rjc couldn't figure out despite being a "genius".  He needs
-		// a punch in the junk, I swear to god.
+        // loose-cannon rjc couldn't figure out despite being a "genius".  He needs
+        // a punch in the junk, I swear to god.
     */
     while (puiNumBytesOut > 0) {
         if (pDataOut[puiNumBytesOut - 1] != 0) break;

data/spec/fast_aes_spec.rb CHANGED

@@ -1,3 +1,4 @@
+require "#{File.dirname(__FILE__)}/spec_helper"
 $LOAD_PATH.unshift "#{File.dirname(__FILE__)}/../ext/#{RUBY_PLATFORM}"

data/spec/spec_helper.rb ADDED

@@ -0,0 +1,75 @@
+# This file was generated by the `rails generate rspec:install` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, make a
+# separate helper file that requires this one and then use it only in the specs
+# that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    expectations.syntax = [:expect, :should]
+  end
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Enable only the newer, non-monkey-patching expect syntax.
+    # For more details, see:
+    #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+    mocks.syntax = :expect
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended.
+    mocks.verify_partial_doubles = true
+  end
+end

metadata CHANGED

@@ -1,70 +1,57 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: fast-aes
-version: !ruby/object:Gem::Version
-  prerelease: false
-  segments:
-  - 0
-  - 1
-  - 1
-  version: 0.1.1
+version: !ruby/object:Gem::Version
+  version: 0.1.2
 platform: ruby
-authors:
+authors:
 - Nate Wiger
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-03-17 00:00:00 -07:00
-default_executable:
+date: 2014-09-11 00:00:00.000000000 Z
 dependencies: []
-description: Fast AES implementation in C.  Works with Ruby 1.8 and 1.9.
-email: nate@wiger.org
+description: Simple but LOW security AES gem - OBSOLETE.
+email: nwiger@gmail.com
 executables: []
-extensions:
+extensions:
 - ext/extconf.rb
-extra_rdoc_files:
-- README.rdoc
-files:
+extra_rdoc_files:
+- Rakefile
+- README.md
+files:
+- README.md
+- Rakefile
 - ext/extconf.rb
 - ext/fast_aes.c
 - ext/fast_aes.h
 - lib/fast-aes.rb
 - lib/fast_aes_static.rb
 - spec/fast_aes_spec.rb
+- spec/spec_helper.rb
 - test/benchmark.rb
-- README.rdoc
-has_rdoc: true
 homepage: http://github.com/nateware/fast-aes
 licenses: []
+metadata: {}
 post_install_message:
-rdoc_options:
-- --title
-- FastAES -- Fast AES implementation for Ruby in C
-require_paths:
+rdoc_options:
+- "--title"
+- Simple but LOW security AES gem - OBSOLETE
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      segments:
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: fast-aes
-rubygems_version: 1.3.6
+rubygems_version: 2.2.2
 signing_key:
-specification_version: 3
-summary: Fast AES implementation in C.  Works with Ruby 1.8 and 1.9
+specification_version: 4
+summary: Simple but LOW security AES gem - OBSOLETE
 test_files: []

data/README.rdoc DELETED

@@ -1,113 +0,0 @@
-= FastAES - Fast AES implementation for Ruby in C
-This is a lightweight, fast implementation of AES (the US government's Advanced Encryption Standard,
-aka "Rijndael"), written in C for speed.  You can read more on the {Wikipedia AES Page}[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard].
-The algorithm itself was extracted from work by Christophe Devine for the open source Netcat clone
-{sbd}[http://www.cycom.se/dl/sbd]. According to the community, this is
-{one of the best performing AES implementations available}[http://www.derkeiler.com/Newsgroups/sci.crypt/2003-07/0162.html]:
-    > With some exceptions your code performs better than all others in
-    > enc[ryption]/dec[ryption]. Do you have an explanation of that fact? Thanks.
-    >
-    Well, I've tried to make the code as simple and straightforward as
-    possible; I also used a few basic tricks, like loop unrolling.
-This gem supports the most important features of AES, specifically:
-* 128, 192, and 256-bit ciphers
-* Cipher Block Chaining (CBC) mode only
-* Encrypted blocks are padded at 16-bit boundaries ({read more on padding}[http://www.di-mgt.com.au/cryptopad.html#whatispadding])
-You can read specifics about AES-CBC in the IPSec-related {RFC 3602}[http://www.rfc-archive.org/getrfc.php?rfc=3602],
-if you really care that much.
-Bottom line, this gem works.  Fast.
-=== Other Ruby AES gems
-I couldn't find any that worked worth a crap.  The {ruby-aes}[http://rubyforge.org/projects/ruby-aes/]
-project has Ruby 1.9 bugs that have been open over _two_ _years_ now, {crypt/rijndael}[http://crypt.rubyforge.org/rijndael.html]
-doesn't work on Ruby 1.9 and is slooow (as it's written in Ruby), and some people even report getting
-{inconsistent encryption results from other libraries}[http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/228214].
-So I grabbed some C reference code, wrapped a Ruby interface around it, and voíla.
-C'mon people, it's not that hard.  It's called Google.  In my day, you had to actually *WRITE* the code.
-== Installation
-  gem install fast-aes
-== Example
-Simple encryption/decryption:
-  require 'fast-aes'
-  # key can be 128, 192, or 256 bits
-  key = '42#3b%c$dxyT,7a5=+5fUI3fa7352&^:'
-  aes = FastAES.new(key)
-  text = "Hey there, how are you?"
-  data = aes.encrypt(text)
-  puts aes.decrypt(data)   # "Hey there, how are you?"
-Pretty simple, jah?
-== Why AES?
-=== SSL vs AES
-I'm going to guess you're using Ruby with Rails, which means you're doing 90+% web development.
-In that case, if you need security, SSL is the obvious choice (and the right one).
-But there will probably come a time, padawan, when you need a couple backend servers to talk -
-maybe job servers, or an admin port, or whatever.  Maybe even a simple chat server.
-You can setup SSL certificates for this if you want it to be time-consuming to maintain.
-Or you can directly use an encryption algorithm, such as AES.  Setting up an SSH tunnel is another
-good alternative, if you control both systems.  I think it's easier to configure encryption keys
-as part of your application, rather than having to mess with each individual system, but that's me.
-For more information on how SSL/AES/RC4/TLS all interact,
-{read this article on SSL and AES}[http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html]
-=== AES vs Other Encryption Standards
-There are a bizillion (literally!) different encryption standards out there.  If you have
-a PhD, and can't find a job, writing an encryption algorithm is a good thing to put on your resume -
-on the outside chance that someone will hire you and use it.  If you don't possess the talent to
-write an encryption standard, you can spend hours trying to crack one - for similar reasons.  As a
-result, of the many encryption alternatives, most are either (a) cracked or (b) covered by patents.
-Personally, when it comes to encryption, I think choosing what the US government chooses is a decent
-choice.  They tend to be "security conscious."
-=== Special Note
-As this software deals with encryption/decryption, please note there is *NO* *WARRANTY*, not even
-with regards to FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT.  This means if you use this
-library, and it turns out there's a flaw in the implementation that results in your data being
-hacked, *IT* *IS* *NOT* *MY* *FAULT*.  It's YOUR responsibility to check the implementation of this
-library and algorithm.  If you can't understand C code, that's NOT MY PROBLEM.
-== Author
-Original AES C reference code by Christophe Devine.  Thanks Christophe!
-This gem copyright (c) 2010 {Nate Wiger}[http://nate.wiger.org].  Released under the MIT License.
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
-files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
-copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
-Software is furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
-OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.