go_secure 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e03f684aa71c0ea293b16228ef7ddb2a49cec19b
+  data.tar.gz: efca779a729154a524e2c3b9cb6fa76db0dfba80
+SHA512:
+  metadata.gz: 20d03c5c5e05a8d494c7e267016954b0523ba5ae1fe0135c9428331adcee562681295cc037e4a71d97bd3d39a7f1a90cf8a319894a0b09fd7b73334c0e275bd6
+  data.tar.gz: 6d702b2fcff177d7ed53fbb9b634ab6fa48debfb19d49da3b567f5ee3ca99ccc7aac12006fb4f11b9335d5553974c46b1dd6662ebb5807e0ada4d440f385d943

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 CoughDrop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1 @@
+Security helper gem, used by multiple CoughDrop libraries

data/lib/go_secure.rb

@@ -0,0 +1,135 @@
+require 'openssl'
+
+module GoSecure
+  def self.sha512(str, salt, encryption_key=nil)
+    Digest::SHA512.hexdigest(str.to_s + salt.to_s + (encryption_key || self.encryption_key))
+  end
+  
+  def self.nonce(str)
+    Digest::SHA512.hexdigest(str.to_s + Time.now.to_i.to_s + rand(999999).to_s + self.encryption_key)[0, 24]
+  end
+  
+  def self.encrypt(str, ref, encryption_key=nil)
+    require 'base64'
+    c = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+    c.encrypt
+    c.key = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
+    c.iv = iv = c.random_iv
+    e = c.update(str)
+    e << c.final
+    res = [Base64.encode64(e), Base64.encode64(iv)]
+    res
+  end
+  
+  def self.decrypt(str, salt, ref, encryption_key=nil)
+    require 'base64'
+    c = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+    c.decrypt
+    c.key = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
+    c.iv = Base64.decode64(salt)
+    d = c.update(Base64.decode64(str))
+    d << c.final
+    d.to_s
+  end
+  
+  def self.generate_password(password)
+    raise "password required" if password == nil || password.length == 0
+    pw = {}
+#     pw['hash_type'] = 'sha512'
+#     pw['hash_type'] = 'bcrypt'
+    pw['hash_type'] = 'pbkdf2-sha256'
+    pw['salt'] = Digest::MD5.hexdigest(OpenSSL::Random.pseudo_bytes(4) + Time.now.to_i.to_s + self.encryption_key + "pw" + OpenSSL::Random.pseudo_bytes(16))
+#     pw['hashed_password'] = Digest::SHA512.hexdigest(self.encryption_key + pw['salt'] + password.to_s)
+#     salted = Digest::SHA256.hexdigest(self.encryption_key + pw['salt'] + password.to_s)
+#     pw['hashed_password'] = BCrypt::Password.create(salted)
+    digest = OpenSSL::Digest::SHA256.new
+    pw['hashed_password'] = Base64.encode64(OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, pw['salt'], 100000, digest.digest_length, digest))
+    pw
+  end
+  
+  def self.outdated_password?(password_hash)
+    return password_hash && password_hash['hash_type'] != 'pbkdf2-sha256'
+  end
+  
+  def self.matches_password?(attempt, password_hash)
+    if password_hash && password_hash['hash_type'] == 'sha512' && password_hash['salt']
+      str = Digest::SHA512.hexdigest(self.encryption_key + password_hash['salt'] + attempt.to_s)
+      res = str == password_hash['hashed_password']
+      if !res && password_hash['old_passwords']
+        # TODO: support for migrating to new hashing algorithms
+      else
+        res
+      end
+    elsif password_hash && password_hash['hash_type'] == 'bcrypt' && password_hash['salt']
+      pw = BCrypt::Password.new(password_hash['hashed_password'])
+      salted = Digest::SHA256.hexdigest(self.encryption_key + password_hash['salt'] + attempt.to_s)
+      res = pw == salted
+    elsif password_hash && password_hash['hash_type'] == 'pbkdf2-sha256' && password_hash['salt']
+      digest = OpenSSL::Digest::SHA256.new
+      str = Base64.encode64(OpenSSL::PKCS5.pbkdf2_hmac(attempt.to_s, password_hash['salt'], 100000, digest.digest_length, digest))
+      res = str == password_hash['hashed_password']
+    else
+      false
+    end
+  end
+  
+  def self.validate_encryption_key
+    if !self.encryption_key || self.encryption_key.length < 24
+      raise "SECURE_ENCRYPTION_KEY env variable should be at least 24 characters"
+    end
+    return if !ActiveRecord::Base.connection.data_source_exists?('settings')
+    config_hash = Digest::SHA1.hexdigest(self.encryption_key)
+    stored_hash = Setting.get('encryption_hash')
+    return if stored_hash == config_hash
+
+    if stored_hash.nil?
+      Setting.set('encryption_hash', config_hash);
+    else
+      raise "SECURE_ENCRYPTION_KEY env variable doesn't match the value stored in the database." +  
+       " If this is intentional you can try DELETE FROM settings WHERE key='encryption_hash' to reset."
+    end
+  end
+
+  def self.encryption_key
+    ENV['SECURE_ENCRYPTION_KEY']
+  end
+  
+  def self.browser_token
+    # TODO: checks around whether it's actually a web browser??
+    stamp = Time.now.strftime('%Y%j')
+    stamp += '-' + GoSecure.sha512(stamp, 'browser_token')
+  end
+  
+  def self.valid_browser_token_signature?(token)
+    stamp, hash = token.split(/-/, 2)
+    return hash == GoSecure.sha512(stamp, 'browser_token')
+  end
+  
+  def self.valid_browser_token?(token)
+    return false if !token || token.length == 0 || !token.match(/-/)
+    stamp, hash = token.split(/-/, 2)
+    if Time.now.strftime('%Y%j').to_i - stamp.to_i < 14 # 14 days?!
+      return valid_browser_token_signature?(token)
+    end
+    false
+  end
+  
+  module SecureJson
+    def self.load(str)
+      return nil unless str
+      salt, secret = str.split(/--/, 2)
+      JSON.load(GoSecure.decrypt(secret, salt, "secure_json"))
+    end
+  
+    def self.dump(obj)
+      json = JSON.dump(obj)
+      res = encrypted_dump(json)
+      res
+    end
+  
+    def self.encrypted_dump(json)
+      secret, salt = GoSecure.encrypt(json, "secure_json")
+      salt + "--" + secret
+    end
+  end
+end

metadata

@@ -0,0 +1,75 @@
+--- !ruby/object:Gem::Specification
+name: go_secure
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Brian Whitmer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-07-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Security helper gem, used by multiple CoughDrop libraries
+email: brian.whitmer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE
+files:
+- LICENSE
+- README.md
+- lib/go_secure.rb
+homepage: https://github.com/CoughDrop/obf
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Go Secure
+test_files: []