passwordping 1.0.0 → 1.0.1

data/ext/digest/whirlpool/whirlpool-portability.h

@@ -0,0 +1,142 @@
+/**
+ * The Whirlpool hashing function.
+ *
+ * The Whirlpool algorithm was developed by
+ * Paulo S. L. M. Barreto and Vincent Rijmen.
+ *
+ * See
+ *      P.S.L.M. Barreto, V. Rijmen,
+ *      ``The Whirlpool hashing function,''
+ *      NESSIE submission, 2000 (tweaked version, 2001),
+ *      <https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/whirlpool.zip>
+ *
+ * @version 3.0 (2003.03.12)
+ *
+ * Modified for use in this software package.
+ */
+
+#ifndef _WHIRLPOOL_PORTABILITY_H_
+#define _WHIRLPOOL_PORTABILITY_H_
+
+/* Definition of minimum-width integer types
+ * 
+ * u8   -> unsigned integer type, at least 8 bits, equivalent to unsigned char
+ * u16  -> unsigned integer type, at least 16 bits
+ * u32  -> unsigned integer type, at least 32 bits
+ *
+ * s8, s16, s32  -> signed counterparts of u8, u16, u32
+ *
+ * Always use macro's T8(), T16() or T32() to obtain exact-width results,
+ * i.e., to specify the size of the result of each expression.
+ */
+
+typedef signed char s8;
+typedef unsigned char u8;
+
+#if UINT_MAX >= 4294967295UL
+
+typedef signed short s16;
+typedef signed int s32;
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+#define ONE32   0xffffffffU
+
+#else
+
+typedef signed int s16;
+typedef signed long s32;
+typedef unsigned int u16;
+typedef unsigned long u32;
+
+#define ONE32   0xffffffffUL
+
+#endif
+
+#define ONE8    0xffU
+#define ONE16   0xffffU
+
+#define T8(x)   ((x) & ONE8)
+#define T16(x)  ((x) & ONE16)
+#define T32(x)  ((x) & ONE32)
+
+#ifdef _MSC_VER
+typedef unsigned __int64 u64;
+typedef signed __int64 s64;
+#define LL(v)   (v##i64)
+#define ONE64   LL(0xffffffffffffffff)
+#else  /* !_MSC_VER */
+typedef unsigned long long u64;
+typedef signed long long s64;
+#define LL(v)   (v##ULL)
+#define ONE64   LL(0xffffffffffffffff)
+#endif /* ?_MSC_VER */
+#define T64(x)  ((x) & ONE64)
+#define ROTR64(v, n)   (((v) >> (n)) | T64((v) << (64 - (n))))
+/*
+ * Note: the test is used to detect native 64-bit architectures;
+ * if the unsigned long is strictly greater than 32-bit, it is
+ * assumed to be at least 64-bit. This will not work correctly
+ * on (old) 36-bit architectures (PDP-11 for instance).
+ *
+ * On non-64-bit architectures, "long long" is used.
+ */
+
+/*
+ * U8TO32_BIG(c) returns the 32-bit value stored in big-endian convention
+ * in the unsigned char array pointed to by c.
+ */
+#define U8TO32_BIG(c)  (((u32)T8(*(c)) << 24) | ((u32)T8(*((c) + 1)) << 16) | ((u32)T8(*((c) + 2)) << 8) | ((u32)T8(*((c) + 3))))
+
+/*
+ * U8TO32_LITTLE(c) returns the 32-bit value stored in little-endian convention
+ * in the unsigned char array pointed to by c.
+ */
+#define U8TO32_LITTLE(c)  (((u32)T8(*(c))) | ((u32)T8(*((c) + 1)) << 8) | (u32)T8(*((c) + 2)) << 16) | ((u32)T8(*((c) + 3)) << 24))
+
+/*
+ * U8TO32_BIG(c, v) stores the 32-bit-value v in big-endian convention
+ * into the unsigned char array pointed to by c.
+ */
+#define U32TO8_BIG(c, v)    do { u32 x = (v); u8 *d = (c); d[0] = T8(x >> 24); d[1] = T8(x >> 16); d[2] = T8(x >> 8); d[3] = T8(x); } while (0)
+
+/*
+ * U8TO32_LITTLE(c, v) stores the 32-bit-value v in little-endian convention
+ * into the unsigned char array pointed to by c.
+ */
+#define U32TO8_LITTLE(c, v)    do { u32 x = (v); u8 *d = (c); d[0] = T8(x); d[1] = T8(x >> 8); d[2] = T8(x >> 16); d[3] = T8(x >> 24); } while (0)
+
+/*
+ * ROTL32(v, n) returns the value of the 32-bit unsigned value v after
+ * a rotation of n bits to the left. It might be replaced by the appropriate
+ * architecture-specific macro.
+ *
+ * It evaluates v and n twice.
+ *
+ * The compiler might emit a warning if n is the constant 0. The result
+ * is undefined if n is greater than 31.
+ */
+#define ROTL32(v, n)   (T32((v) << (n)) | ((v) >> (32 - (n))))
+
+/*
+ * Whirlpool-specific definitions.
+ */
+
+#define DIGESTBYTES WP_DIGEST_SIZE
+#define DIGESTBITS  (8*DIGESTBYTES) /* 512 */
+
+#define WBLOCKBYTES 64
+#define WBLOCKBITS  (8*WBLOCKBYTES) /* 512 */
+
+#define LENGTHBYTES 32
+#define LENGTHBITS  (8*LENGTHBYTES) /* 256 */
+
+struct WP_Struct {
+	u8  bitLength[LENGTHBYTES]; /* global number of hashed bits (256-bit counter) */
+	u8  buffer[WBLOCKBYTES];	/* buffer of data to hash */
+	int bufferBits;		        /* current number of bits on the buffer */
+	int bufferPos;		        /* current (possibly incomplete) byte slot on the buffer */
+	u64 hash[DIGESTBYTES/8];    /* the hashing state */
+};
+
+#endif

data/ext/digest/whirlpool/whirlpool.c

@@ -0,0 +1,51 @@
+/************************************************
+
+  whirlpool.c - provides Digest::Whirlpool class
+
+  Copyright (C) 2006-2013 Akinori MUSHA
+
+************************************************/
+
+#ifdef HAVE_RUBY_DIGEST_H
+#include "ruby/digest.h"
+#else
+#include "digest.h"
+#endif
+#include "whirlpool-algorithm.h"
+#include "whirlpool-portability.h"
+
+static void WP_Update(WP_Struct * const, const unsigned char * const, size_t);
+
+static rb_digest_metadata_t whirlpool = {
+    RUBY_DIGEST_API_VERSION,
+    WP_DIGEST_SIZE,
+    WBLOCKBYTES,
+    sizeof(WP_Struct),
+    (rb_digest_hash_init_func_t)WP_Init,
+    (rb_digest_hash_update_func_t)WP_Update,
+    (rb_digest_hash_finish_func_t)WP_Finalize,
+};
+
+static void
+WP_Update(WP_Struct * const wp, const unsigned char * const data, size_t len)
+{
+    WP_Add(data, len * 8, wp);
+}
+
+void
+Init_whirlpool()
+{
+    VALUE mDigest, cDigest_Base, cDigest_Whirlpool;
+
+    rb_require("digest");
+
+    mDigest = rb_path2class("Digest");
+    cDigest_Base = rb_path2class("Digest::Base");
+
+    cDigest_Whirlpool = rb_define_class_under(mDigest, "Whirlpool", cDigest_Base);
+
+//    rb_ivar_set(cDigest_Whirlpool, rb_intern("metadata"),
+//      Data_Wrap_Struct(rb_cObject, 0, 0, &whirlpool));
+    rb_ivar_set(cDigest_Whirlpool, rb_intern("metadata"),
+      Data_Wrap_Struct(0, 0, 0, (void *)&whirlpool));
+}

data/lib/passwordping.rb

@@ -26,7 +26,7 @@ module PasswordPing
     def check_credentials(username, password)
       raise PasswordPingFail, "API key/Secret not set" if !@authString || @authString == ''
 
-      response = make_rest_call(@baseURL + Constants::ACCOUNTS_API_PATH + "?username=" + CGI.escape(username), "GET", nil)
+      response = make_rest_call(@baseURL + Constants::ACCOUNTS_API_PATH + "?username=" + Hashing.sha256(username), "GET", nil)
 
       if (response == "404")
         return false
@@ -84,7 +84,7 @@ module PasswordPing
     end
 
     def get_exposures_for_user(username)
-      response = make_rest_call(@baseURL + Constants::EXPOSURES_API_PATH + "?username=" + CGI.escape(username),
+      response = make_rest_call(@baseURL + Constants::EXPOSURES_API_PATH + "?username=" + Hashing.sha256(username),
         "GET", nil)
 
       if (response == "404")

data/lib/passwordping/hashing.rb

@@ -1,8 +1,10 @@
 require 'passwordping/argon2_wrapper_ffi'
 require 'digest'
-require 'cryptopp'
 require 'bcrypt'
 require 'unix_crypt'
+require 'zlib'
+require 'digest/whirlpool'
+require 'base64'
 
 module PasswordPing
   class Hashing
@@ -39,21 +41,19 @@ module PasswordPing
     end
 
     def self.whirlpool(to_hash)
-      return CryptoPP.digest_factory(:whirlpool, to_hash).digest_hex
+      return Digest::Whirlpool.hexdigest(to_hash)
     end
 
     def self.whirlpool_binary(to_hash)
-      return CryptoPP.digest_factory(:whirlpool, to_hash).digest
+      return Digest::Whirlpool.digest(to_hash)
     end
 
     def self.whirlpool_binary_array(to_hash)
-      return CryptoPP.digest_factory(:whirlpool, to_hash).digest.bytes
+      return Digest::Whirlpool.digest(to_hash).bytes
     end
 
     def self.crc32(to_hash)
-      hash = CryptoPP.digest_factory(:crc32, to_hash).digest_hex
-      # correct for endian-ness
-      return hash[6] + hash[7] + hash[4] + hash[5] + hash[2] + hash[3] + hash[0] + hash[1]
+      return Zlib.crc32(to_hash, 0).to_s(16)
     end
 
     def self.mybb(to_hash, salt)
@@ -65,7 +65,23 @@ module PasswordPing
     end
 
     def self.bcrypt(to_hash, salt)
-      return BCrypt::Engine.hash_secret(to_hash, salt)
+      # if salt starts with $2y$, first replace with $2a$
+      if salt[0..3] == "$2y$"
+        y_variant = true
+        checked_salt = "$2a$" + salt[4..-1]
+      else
+        y_variant = false
+        checked_salt = salt
+      end
+
+      result = BCrypt::Engine.hash_secret(to_hash, checked_salt)
+
+      if y_variant
+        # replace with $2y$
+        result = "$2y$" + result[4..-1]
+      end
+
+      return result
     end
 
     def self.phpbb3(to_hash, salt)
@@ -135,8 +151,49 @@ module PasswordPing
       return UnixCrypt::MD5.build(to_hash, salt.start_with?("$1$") ? salt[3..salt.length] : salt);
     end
 
+    def self.custom_algorithm4(to_hash, salt)
+      return self.bcrypt(self.md5(to_hash), salt)
+    end
+
     def self.argon2(to_hash, salt)
-      return Argon2Wrapper.hash_argon2d_encode(to_hash, salt, 3, 10, 2, 20)
+      time_cost = 3
+      mem_cost = 10
+      threads = 2
+      hash_length = 20
+      just_salt = salt
+
+      #$argon2i$v=19$m=65536,t=2,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
+      if (salt[0..6] == "$argon2")
+        # looks like we specified algo info for argon2 in the salt
+        salt_values = salt.split("$")
+        just_salt = Base64.decode64(salt_values[4])
+        cost_params = salt_values[3].split(",")
+
+        for param in cost_params
+          begin
+            param_parts = param.split("=")
+            if (param_parts[0] == "t")
+              time_cost = Integer(param_parts[1])
+            elsif (param_parts[0] == "m")
+              mem_cost = Math.log2(Integer(param_parts[1])).round
+            elsif (param_parts[0] == "p")
+              threads = Integer(param_parts[1])
+            elsif (param_parts[0] == "l")
+              hash_length = Integer(param_parts[1])
+            end
+          rescue ArgumentError
+            # ignore invalid params and just use default
+          end
+        end
+
+        if (salt_values[1] == "argon2i")
+          return Argon2Wrapper.hash_argon2i_encode(to_hash, just_salt, time_cost, mem_cost, threads, hash_length)
+        else
+          return Argon2Wrapper.hash_argon2d_encode(to_hash, just_salt, time_cost, mem_cost, threads, hash_length)
+        end
+      else
+        return Argon2Wrapper.hash_argon2d_encode(to_hash, just_salt, time_cost, mem_cost, threads, hash_length)
+      end
     end
 
     def self.xor(byte_array1, byte_array2)

data/lib/passwordping/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 # Standard Gem version constant.
 module PasswordPing
-  VERSION = "1.0.0".freeze
+  VERSION = "1.0.1".freeze
 end

data/passwordping.gemspec

@@ -23,12 +23,12 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'ffi', '~> 1.9'
   spec.add_dependency 'ffi-compiler', '~> 0.1'
   spec.add_dependency 'rest-client', '~> 2.0', '>= 2.0.2'
-  spec.add_dependency 'cryptopp', '~> 0.0', '>= 0.0.5'
   spec.add_dependency 'bcrypt', '~> 3.1', '>= 3.1.11'
   spec.add_dependency 'unix-crypt', '~> 1.3'
 
   spec.add_development_dependency "bundler", '~> 1.10', '>= 1.10.5'
   spec.add_development_dependency "rake", '~> 10.4', '>= 10.4.2'
   spec.add_development_dependency "test-unit", '~> 3.2', '>= 3.2.4'
-  spec.extensions << 'ext/argon2-wrapper/extconf.rb'
+  spec.add_development_dependency "rake-compiler", '~> 1.0', '>= 1.0.4'
+  spec.extensions = ['ext/argon2-wrapper/extconf.rb', "ext/digest/whirlpool/extconf.rb" ]
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordping
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - PasswordPing
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-06-02 00:00:00.000000000 Z
+date: 2017-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -58,26 +58,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.2
-- !ruby/object:Gem::Dependency
-  name: cryptopp
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.0.5
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.0.5
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
@@ -172,12 +152,33 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.4
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.4
 description: Ruby library for PasswordPing API
 email:
 - support@passwordping.com
 executables: []
 extensions:
 - ext/argon2-wrapper/extconf.rb
+- ext/digest/whirlpool/extconf.rb
 extra_rdoc_files: []
 files:
 - ".gitignore"
@@ -191,6 +192,12 @@ files:
 - ext/argon2-wrapper/libargon2-wrapper.bundle
 - ext/argon2-wrapper/libargon2-wrapper.bundle.dSYM/Contents/Info.plist
 - ext/argon2-wrapper/libargon2-wrapper.bundle.dSYM/Contents/Resources/DWARF/libargon2-wrapper.bundle
+- ext/digest/whirlpool/extconf.rb
+- ext/digest/whirlpool/whirlpool-algorithm.c
+- ext/digest/whirlpool/whirlpool-algorithm.h
+- ext/digest/whirlpool/whirlpool-constants.h
+- ext/digest/whirlpool/whirlpool-portability.h
+- ext/digest/whirlpool/whirlpool.c
 - ext/phc-winner-argon2/.git
 - ext/phc-winner-argon2/.gitattributes
 - ext/phc-winner-argon2/.gitignore
@@ -269,6 +276,7 @@ files:
 - ext/phc-winner-argon2/vs2015/Argon2RefGenKAT/Argon2RefGenKAT.vcxproj.filters
 - ext/phc-winner-argon2/vs2015/Argon2RefTestCI/Argon2RefTestCI.vcxproj
 - ext/phc-winner-argon2/vs2015/Argon2RefTestCI/Argon2RefTestCI.vcxproj.filters
+- lib/digest/whirlpool.bundle
 - lib/passwordping.rb
 - lib/passwordping/argon2_wrapper_ffi.rb
 - lib/passwordping/constants.rb