scrypt 3.0.6 → 3.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/Rakefile +6 -5
- data/ext/scrypt/Rakefile +1 -1
- data/lib/scrypt/engine.rb +175 -0
- data/lib/scrypt/errors.rb +14 -0
- data/lib/scrypt/password.rb +97 -0
- data/lib/scrypt/scrypt_ext.rb +3 -0
- data/lib/scrypt/security_utils.rb +4 -3
- data/lib/scrypt/version.rb +3 -1
- data/lib/scrypt.rb +7 -266
- data/scrypt.gemspec +39 -20
- data/spec/scrypt/engine_spec.rb +34 -37
- data/spec/scrypt/password_spec.rb +56 -58
- data/spec/scrypt/utils_spec.rb +5 -3
- data/spec/spec_helper.rb +6 -3
- data.tar.gz.sig +0 -0
- metadata +126 -42
- metadata.gz.sig +0 -0
data/scrypt.gemspec
CHANGED
@@ -1,37 +1,56 @@
|
|
1
|
-
#
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# rubocop:disable Performance/EndWith, Style/SpecialGlobalVars
|
4
|
+
|
2
5
|
$:.push File.expand_path("../lib", __FILE__)
|
3
|
-
require
|
6
|
+
require 'scrypt/version'
|
4
7
|
|
5
8
|
Gem::Specification.new do |s|
|
6
|
-
s.name =
|
9
|
+
s.name = 'scrypt'
|
7
10
|
s.version = SCrypt::VERSION
|
8
|
-
s.authors = [
|
9
|
-
|
10
|
-
|
11
|
+
s.authors = ['Patrick Hogan',
|
12
|
+
'Stephen von Takach',
|
13
|
+
'Rene van Paassen',
|
14
|
+
'Johanns Gregorian']
|
15
|
+
s.email = ['pbhogan@gmail.com',
|
16
|
+
'steve@advancedcontrol.com.au',
|
17
|
+
'rene.vanpaassen@gmail.com',
|
18
|
+
'io+scrypt@jsg.io']
|
11
19
|
s.cert_chain = ['certs/pbhogan.pem']
|
12
20
|
s.license = 'BSD-3-Clause'
|
13
|
-
|
14
|
-
s.
|
15
|
-
|
16
|
-
s.
|
21
|
+
|
22
|
+
s.signing_key = File.expand_path('~/.ssh/gem-private_key.pem') if $0 =~ /gem\z/
|
23
|
+
|
24
|
+
s.homepage = 'https://github.com/pbhogan/scrypt'
|
25
|
+
s.summary = 'scrypt password hashing algorithm.'
|
26
|
+
|
27
|
+
s.description = <<-DESC
|
17
28
|
The scrypt key derivation function is designed to be far
|
18
29
|
more secure against hardware brute-force attacks than
|
19
30
|
alternative functions such as PBKDF2 or bcrypt.
|
20
|
-
|
31
|
+
DESC
|
32
|
+
|
33
|
+
s.required_ruby_version = '>= 2.3.0'
|
21
34
|
|
22
35
|
s.add_dependency 'ffi-compiler', '>= 1.0', '< 2.0'
|
23
|
-
s.
|
24
|
-
s.add_development_dependency 'rspec', '>= 3', '< 4'
|
25
|
-
s.add_development_dependency 'rdoc', '>= 4', '< 5'
|
36
|
+
s.add_dependency 'rake', '>= 9', '< 14'
|
26
37
|
s.add_development_dependency 'awesome_print', '>= 1', '< 2'
|
38
|
+
s.add_development_dependency 'rake', '>= 9', '< 14'
|
39
|
+
s.add_development_dependency 'rdoc', '>= 4', '< 5'
|
40
|
+
s.add_development_dependency 'rspec', '>= 3', '< 4'
|
27
41
|
|
28
|
-
|
42
|
+
if RUBY_VERSION >= '2.5'
|
43
|
+
s.add_development_dependency 'rubocop', '>= 0.76.0', '< 1.0.0'
|
44
|
+
s.add_development_dependency 'rubocop-gitlab-security', '>= 0.1.1', '< 0.2'
|
45
|
+
s.add_development_dependency 'rubocop-performance', '>= 1.5.0', '< 1.6.0'
|
46
|
+
end
|
29
47
|
|
30
|
-
s.extensions = [
|
48
|
+
s.extensions = ['ext/scrypt/Rakefile']
|
31
49
|
|
32
|
-
s.files = %w
|
33
|
-
s.files += Dir.glob(
|
34
|
-
s.test_files = Dir.glob(
|
35
|
-
s.require_paths = [
|
50
|
+
s.files = %w[Rakefile scrypt.gemspec README.md COPYING] + Dir.glob('{lib,spec,autotest}/**/*')
|
51
|
+
s.files += Dir.glob('ext/scrypt/*')
|
52
|
+
s.test_files = Dir.glob('spec/**/*')
|
53
|
+
s.require_paths = ['lib']
|
36
54
|
end
|
37
55
|
|
56
|
+
# rubocop:enable
|
data/spec/scrypt/engine_spec.rb
CHANGED
@@ -1,84 +1,81 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
|
3
|
+
require File.expand_path(File.join(File.dirname(__FILE__), '..', 'spec_helper'))
|
4
|
+
|
5
|
+
describe 'The SCrypt engine' do
|
6
|
+
it 'should calculate a valid cost factor' do
|
7
|
+
first = SCrypt::Engine.calibrate(max_time: 0.2)
|
6
8
|
expect(SCrypt::Engine.valid_cost?(first)).to equal(true)
|
7
9
|
end
|
8
10
|
end
|
9
11
|
|
10
|
-
|
11
|
-
|
12
|
-
it "should produce strings" do
|
12
|
+
describe 'Generating SCrypt salts' do
|
13
|
+
it 'should produce strings' do
|
13
14
|
expect(SCrypt::Engine.generate_salt).to be_an_instance_of(String)
|
14
15
|
end
|
15
16
|
|
16
|
-
it
|
17
|
+
it 'should produce random data' do
|
17
18
|
expect(SCrypt::Engine.generate_salt).not_to equal(SCrypt::Engine.generate_salt)
|
18
19
|
end
|
19
20
|
|
20
|
-
it
|
21
|
+
it 'should used the saved cost factor' do
|
21
22
|
# Verify cost is different before saving
|
22
|
-
cost = SCrypt::Engine.calibrate(:
|
23
|
-
expect(SCrypt::Engine.generate_salt(:
|
23
|
+
cost = SCrypt::Engine.calibrate(max_time: 0.01)
|
24
|
+
expect(SCrypt::Engine.generate_salt(max_time: 30, max_mem: 64 * 1024 * 1024)).not_to start_with(cost)
|
24
25
|
|
25
|
-
cost = SCrypt::Engine.calibrate!(:
|
26
|
-
expect(SCrypt::Engine.generate_salt(:
|
26
|
+
cost = SCrypt::Engine.calibrate!(max_time: 0.01)
|
27
|
+
expect(SCrypt::Engine.generate_salt(max_time: 30, max_mem: 64 * 1024 * 1024)).to start_with(cost)
|
27
28
|
end
|
28
29
|
end
|
29
30
|
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
expect(SCrypt::Engine.autodetect_cost("2a$08$c3$randomjunkgoeshere")).to eq("2a$08$c3$")
|
31
|
+
describe 'Autodetecting of salt cost' do
|
32
|
+
it 'should work' do
|
33
|
+
expect(SCrypt::Engine.autodetect_cost('2a$08$c3$randomjunkgoeshere')).to eq('2a$08$c3$')
|
34
34
|
end
|
35
35
|
end
|
36
36
|
|
37
|
-
|
38
|
-
describe "Generating SCrypt hashes" do
|
39
|
-
|
37
|
+
describe 'Generating SCrypt hashes' do
|
40
38
|
class MyInvalidSecret
|
41
39
|
undef to_s
|
42
40
|
end
|
43
41
|
|
44
42
|
before :each do
|
45
43
|
@salt = SCrypt::Engine.generate_salt
|
46
|
-
@password =
|
44
|
+
@password = 'woo'
|
47
45
|
end
|
48
46
|
|
49
|
-
it
|
47
|
+
it 'should produce a string' do
|
50
48
|
expect(SCrypt::Engine.hash_secret(@password, @salt)).to be_an_instance_of(String)
|
51
49
|
end
|
52
50
|
|
53
|
-
it
|
54
|
-
expect
|
51
|
+
it 'should raise an InvalidSalt error if the salt is invalid' do
|
52
|
+
expect { SCrypt::Engine.hash_secret(@password, 'nino') }.to raise_error(SCrypt::Errors::InvalidSalt)
|
55
53
|
end
|
56
54
|
|
57
|
-
it
|
58
|
-
expect
|
59
|
-
expect
|
60
|
-
expect
|
55
|
+
it 'should raise an InvalidSecret error if the secret is invalid' do
|
56
|
+
expect { SCrypt::Engine.hash_secret(MyInvalidSecret.new, @salt) }.to raise_error(SCrypt::Errors::InvalidSecret)
|
57
|
+
expect { SCrypt::Engine.hash_secret(nil, @salt) }.to_not raise_error
|
58
|
+
expect { SCrypt::Engine.hash_secret(false, @salt) }.to_not raise_error
|
61
59
|
end
|
62
60
|
|
63
|
-
it
|
64
|
-
expect(SCrypt::Engine.hash_secret(false, @salt)).to eq(SCrypt::Engine.hash_secret(
|
61
|
+
it 'should call #to_s on the secret and use the return value as the actual secret data' do
|
62
|
+
expect(SCrypt::Engine.hash_secret(false, @salt)).to eq(SCrypt::Engine.hash_secret('false', @salt))
|
65
63
|
end
|
66
64
|
end
|
67
65
|
|
68
|
-
describe
|
69
|
-
it
|
70
|
-
|
66
|
+
describe 'SCrypt test vectors' do
|
67
|
+
it 'should match results of SCrypt function' do
|
71
68
|
expect(SCrypt::Engine.scrypt('', '', 16, 1, 1, 64).unpack('H*').first).to eq('77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906')
|
72
69
|
expect(SCrypt::Engine.scrypt('password', 'NaCl', 1024, 8, 16, 64).unpack('H*').first).to eq('fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640')
|
73
|
-
expect(SCrypt::Engine.scrypt('pleaseletmein', 'SodiumChloride',
|
70
|
+
expect(SCrypt::Engine.scrypt('pleaseletmein', 'SodiumChloride', 16_384, 8, 1, 64).unpack('H*').first).to eq('7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887')
|
74
71
|
# Raspberry is memory limited, and fails on this test
|
75
|
-
|
72
|
+
# expect(SCrypt::Engine.scrypt('pleaseletmein', 'SodiumChloride', 1048576, 8, 1, 64).unpack('H*').first).to eq('2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4')
|
76
73
|
end
|
77
74
|
|
78
|
-
it
|
75
|
+
it 'should match equivalent results sent through hash_secret() function' do
|
79
76
|
expect(SCrypt::Engine.hash_secret('', '10$1$1$0000000000000000', 64)).to match(/\$77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906$/)
|
80
77
|
expect(SCrypt::Engine.hash_secret('password', '400$8$10$000000004e61436c', 64)).to match(/\$fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640$/)
|
81
78
|
expect(SCrypt::Engine.hash_secret('pleaseletmein', '4000$8$1$536f6469756d43686c6f72696465', 64)).to match(/\$7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887$/)
|
82
|
-
|
79
|
+
# expect(SCrypt::Engine.hash_secret('pleaseletmein', '100000$8$1$536f6469756d43686c6f72696465', 64)).to match(/\$2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4$/)
|
83
80
|
end
|
84
81
|
end
|
@@ -1,137 +1,135 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
3
|
+
require File.expand_path(File.join(File.dirname(__FILE__), '..', 'spec_helper'))
|
4
|
+
|
5
|
+
describe 'Creating a hashed password' do
|
4
6
|
before :each do
|
5
|
-
@password = SCrypt::Password.create(
|
7
|
+
@password = SCrypt::Password.create('s3cr3t', max_time: 0.25)
|
6
8
|
end
|
7
9
|
|
8
|
-
it
|
10
|
+
it 'should return a SCrypt::Password' do
|
9
11
|
expect(@password).to be_an_instance_of(SCrypt::Password)
|
10
12
|
end
|
11
13
|
|
12
|
-
it
|
13
|
-
expect(
|
14
|
+
it 'should return a valid password' do
|
15
|
+
expect(-> { SCrypt::Password.new(@password) }).to_not raise_error
|
14
16
|
end
|
15
17
|
|
16
|
-
it
|
17
|
-
expect(
|
18
|
-
expect(
|
19
|
-
expect(
|
18
|
+
it 'should behave normally if the secret is not a string' do
|
19
|
+
expect(-> { SCrypt::Password.create(nil) }).to_not raise_error
|
20
|
+
expect(-> { SCrypt::Password.create(woo: 'yeah') }).to_not raise_error
|
21
|
+
expect(-> { SCrypt::Password.create(false) }).to_not raise_error
|
20
22
|
end
|
21
23
|
|
22
|
-
it
|
23
|
-
expect(
|
24
|
-
expect(
|
25
|
-
expect(
|
24
|
+
it 'should tolerate empty string secrets' do
|
25
|
+
expect(-> { SCrypt::Password.create("\n".chop) }).to_not raise_error
|
26
|
+
expect(-> { SCrypt::Password.create('') }).to_not raise_error
|
27
|
+
expect(-> { SCrypt::Password.create('') }).to_not raise_error
|
26
28
|
end
|
27
29
|
end
|
28
30
|
|
29
|
-
|
30
|
-
describe "Reading a hashed password" do
|
31
|
+
describe 'Reading a hashed password' do
|
31
32
|
before :each do
|
32
|
-
@secret =
|
33
|
-
@hash =
|
33
|
+
@secret = 'my secret'
|
34
|
+
@hash = '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07'
|
34
35
|
end
|
35
36
|
|
36
|
-
it
|
37
|
+
it 'should read the cost, salt, and hash' do
|
37
38
|
password = SCrypt::Password.new(@hash)
|
38
|
-
expect(password.cost).to eq(
|
39
|
-
expect(password.salt).to eq(
|
39
|
+
expect(password.cost).to eq('400$8$d$')
|
40
|
+
expect(password.salt).to eq('173a8189751c095a29b933789560b73bf17b2e01')
|
40
41
|
expect(password.to_s).to eq(@hash)
|
41
42
|
end
|
42
43
|
|
43
|
-
it
|
44
|
-
expect
|
44
|
+
it 'should raise an InvalidHashError when given an invalid hash' do
|
45
|
+
expect { SCrypt::Password.new('not a valid hash') }.to raise_error(SCrypt::Errors::InvalidHash)
|
45
46
|
end
|
46
47
|
end
|
47
48
|
|
48
|
-
describe
|
49
|
+
describe 'Comparing a hashed password with a secret' do
|
49
50
|
before :each do
|
50
|
-
@secret =
|
51
|
+
@secret = 's3cr3t'
|
51
52
|
@password = SCrypt::Password.create(@secret)
|
52
53
|
end
|
53
54
|
|
54
|
-
it
|
55
|
+
it 'should compare successfully to the original secret' do
|
55
56
|
expect((@password == @secret)).to be(true)
|
56
57
|
end
|
57
58
|
|
58
|
-
it
|
59
|
-
expect((@password ==
|
59
|
+
it 'should compare unsuccessfully to anything besides original secret' do
|
60
|
+
expect((@password == '@secret')).to be(false)
|
60
61
|
end
|
61
|
-
|
62
62
|
end
|
63
63
|
|
64
|
-
describe
|
64
|
+
describe 'non-default salt sizes' do
|
65
65
|
before :each do
|
66
|
-
@secret =
|
66
|
+
@secret = 's3cret'
|
67
67
|
end
|
68
68
|
|
69
|
-
it
|
70
|
-
@password = SCrypt::Password.create(@secret, :
|
69
|
+
it 'should enforce a minimum salt of 8 bytes' do
|
70
|
+
@password = SCrypt::Password.create(@secret, salt_size: 7)
|
71
71
|
expect(@password.salt.length).to eq(8 * 2)
|
72
72
|
end
|
73
73
|
|
74
|
-
it
|
75
|
-
@password = SCrypt::Password.create(@secret, :
|
74
|
+
it 'should allow a salt of 32 bytes' do
|
75
|
+
@password = SCrypt::Password.create(@secret, salt_size: 32)
|
76
76
|
expect(@password.salt.length).to eq(32 * 2)
|
77
77
|
end
|
78
78
|
|
79
|
-
it
|
80
|
-
@password = SCrypt::Password.create(@secret, :
|
79
|
+
it 'should enforce a maximum salt of 32 bytes' do
|
80
|
+
@password = SCrypt::Password.create(@secret, salt_size: 33)
|
81
81
|
expect(@password.salt.length).to eq(32 * 2)
|
82
82
|
end
|
83
83
|
|
84
|
-
it
|
85
|
-
@password = SCrypt::Password.create(@secret, :
|
84
|
+
it 'should pad a 20-byte salt to not look like a 20-byte SHA1' do
|
85
|
+
@password = SCrypt::Password.create(@secret, salt_size: 20)
|
86
86
|
expect(@password.salt.length).to eq(41)
|
87
87
|
end
|
88
88
|
|
89
|
-
it
|
90
|
-
@password = SCrypt::Password.create(@secret, :
|
89
|
+
it 'should properly compare a non-standard salt hash' do
|
90
|
+
@password = SCrypt::Password.create(@secret, salt_size: 20)
|
91
91
|
expect((SCrypt::Password.new(@password.to_s) == @secret)).to be(true)
|
92
92
|
end
|
93
|
-
|
94
93
|
end
|
95
94
|
|
96
|
-
describe
|
95
|
+
describe 'non-default key lengths' do
|
97
96
|
before :each do
|
98
|
-
@secret =
|
97
|
+
@secret = 's3cret'
|
99
98
|
end
|
100
99
|
|
101
|
-
it
|
102
|
-
@password = SCrypt::Password.create(@secret, :
|
100
|
+
it 'should enforce a minimum keylength of 16 bytes' do
|
101
|
+
@password = SCrypt::Password.create(@secret, key_len: 15)
|
103
102
|
expect(@password.digest.length).to eq(16 * 2)
|
104
103
|
end
|
105
104
|
|
106
|
-
it
|
107
|
-
@password = SCrypt::Password.create(@secret, :
|
105
|
+
it 'should allow a keylength of 512 bytes' do
|
106
|
+
@password = SCrypt::Password.create(@secret, key_len: 512)
|
108
107
|
expect(@password.digest.length).to eq(512 * 2)
|
109
108
|
end
|
110
109
|
|
111
|
-
it
|
112
|
-
@password = SCrypt::Password.create(@secret, :
|
110
|
+
it 'should enforce a maximum keylength of 512 bytes' do
|
111
|
+
@password = SCrypt::Password.create(@secret, key_len: 513)
|
113
112
|
expect(@password.digest.length).to eq(512 * 2)
|
114
113
|
end
|
115
114
|
|
116
|
-
it
|
117
|
-
@password = SCrypt::Password.create(@secret, :
|
115
|
+
it 'should properly compare a non-standard hash' do
|
116
|
+
@password = SCrypt::Password.create(@secret, key_len: 512)
|
118
117
|
expect((SCrypt::Password.new(@password.to_s) == @secret)).to be(true)
|
119
118
|
end
|
120
|
-
|
121
119
|
end
|
122
120
|
|
123
|
-
describe
|
121
|
+
describe 'Old-style hashes' do
|
124
122
|
before :each do
|
125
|
-
@secret =
|
126
|
-
@hash =
|
123
|
+
@secret = 'my secret'
|
124
|
+
@hash = '400$8$d$173a8189751c095a29b933789560b73bf17b2e01$9bf66d74bd6f3ebcf99da3b379b689b89db1cb07'
|
127
125
|
end
|
128
126
|
|
129
|
-
it
|
127
|
+
it 'should compare successfully' do
|
130
128
|
expect((SCrypt::Password.new(@hash) == @secret)).to be(true)
|
131
129
|
end
|
132
130
|
end
|
133
131
|
|
134
|
-
describe
|
132
|
+
describe 'Respecting standard ruby behaviors' do
|
135
133
|
it 'should hash as an integer' do
|
136
134
|
password = SCrypt::Password.create('')
|
137
135
|
expect(password.hash).to be_kind_of(Integer)
|
data/spec/scrypt/utils_spec.rb
CHANGED
@@ -1,7 +1,9 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
4
|
-
|
3
|
+
require File.expand_path(File.join(File.dirname(__FILE__), '..', 'spec_helper'))
|
4
|
+
|
5
|
+
describe 'Security Utils' do
|
6
|
+
it 'should perform a string comparison' do
|
5
7
|
expect(SCrypt::SecurityUtils.secure_compare('a', 'a')).to equal(true)
|
6
8
|
expect(SCrypt::SecurityUtils.secure_compare('a', 'b')).to equal(false)
|
7
9
|
expect(SCrypt::SecurityUtils.secure_compare('aa', 'aa')).to equal(true)
|
data/spec/spec_helper.rb
CHANGED
data.tar.gz.sig
CHANGED
Binary file
|