unix-crypt 1.0.0

data/lib/unix_crypt.rb

@@ -0,0 +1,133 @@
+require 'digest'
+
+module UnixCrypt
+  def self.valid?(password, string)
+    # Handle the original DES-based crypt(3)
+    return password.crypt(string) == string if string.length == 13
+
+    return false unless m = string.match(/\A\$([156])\$(?:rounds=(\d+)\$)?(.+)\$(.+)/)
+    hash = IDENTIFIER_MAPPINGS[m[1]].hash(password, m[3], m[2] && m[2].to_i)
+    hash == m[4]
+  end
+
+  class Base
+    def self.build(password, salt, rounds = nil)
+      "$#{identifier}$#{salt}$#{hash(password, salt)}"
+    end
+
+    protected
+    def self.base64encode(input)
+      b64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+      output = ""
+      byte_indexes.each do |i3, i2, i1|
+        b1, b2, b3 = i1 && input[i1] || 0, i2 && input[i2] || 0, i3 && input[i3] || 0
+        output <<
+          b64[  b1 & 0b00111111]         <<
+          b64[((b1 & 0b11000000) >> 6) |
+              ((b2 & 0b00001111) << 2)]  <<
+          b64[((b2 & 0b11110000) >> 4) |
+              ((b3 & 0b00000011) << 4)]  <<
+          b64[ (b3 & 0b11111100) >> 2]
+      end
+
+      remainder = 3 - (length % 3)
+      remainder = 0 if remainder == 3
+      output[0..-1-remainder]
+    end
+  end
+
+  class MD5 < Base
+    def self.digest; Digest::MD5; end
+    def self.length; 16; end
+    def self.identifier; 1; end
+
+    def self.byte_indexes
+      [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5], [nil, nil, 11]]
+    end
+
+    def self.hash(password, salt, ignored = nil)
+      salt = salt[0..7]
+
+      b = digest.digest("#{password}#{salt}#{password}")
+      a_string = "#{password}$1$#{salt}#{b * (password.length/length)}#{b[0...password.length % length]}"
+
+      password_length = password.length
+      while password_length > 0
+        a_string += (password_length & 1 != 0) ? "\x0" : password[0].chr
+        password_length >>= 1
+      end
+
+      input = digest.digest(a_string)
+
+      1000.times do |index|
+        c_string = ((index & 1 != 0) ? password : input)
+        c_string += salt unless index % 3 == 0
+        c_string += password unless index % 7 == 0
+        c_string += ((index & 1 != 0) ? input : password)
+        input = digest.digest(c_string)
+      end
+
+      base64encode(input)
+    end
+  end
+
+  class SHABase < Base
+    def self.hash(password, salt, rounds = nil)
+      rounds ||= 5000
+      rounds = 1000        if rounds < 1000
+      rounds = 999_999_999 if rounds > 999_999_999
+
+      salt = salt[0..15]
+
+      b = digest.digest("#{password}#{salt}#{password}")
+
+      a_string = password + salt + b * (password.length/length) + b[0...password.length % length]
+
+      password_length = password.length
+      while password_length > 0
+        a_string += (password_length & 1 != 0) ? b : password
+        password_length >>= 1
+      end
+
+      input = a = digest.digest(a_string)
+
+      dp = digest.digest(password * password.length)
+      p = dp * (password.length/length) + dp[0...password.length % length]
+
+      ds = digest.digest(salt * (16 + a[0]))
+      s = ds * (salt.length/length) + ds[0...salt.length % length]
+
+      rounds.times do |index|
+        c_string = ((index & 1 != 0) ? p : input)
+        c_string += s unless index % 3 == 0
+        c_string += p unless index % 7 == 0
+        c_string += ((index & 1 != 0) ? input : p)
+        input = digest.digest(c_string)
+      end
+
+      base64encode(input)
+    end
+  end
+
+  class SHA256 < SHABase
+    def self.digest; Digest::SHA256; end
+    def self.length; 32; end
+    def self.identifier; 5; end
+
+    def self.byte_indexes
+      [[0, 10, 20], [21, 1, 11], [12, 22, 2], [3, 13, 23], [24, 4, 14], [15, 25, 5], [6, 16, 26], [27, 7, 17], [18, 28, 8], [9, 19, 29], [nil, 31, 30]]
+    end
+  end
+
+  class SHA512 < SHABase
+    def self.digest; Digest::SHA512; end
+    def self.length; 64; end
+    def self.identifier; 6; end
+    def self.byte_indexes
+      [[0, 21, 42], [22, 43, 1], [44, 2, 23], [3, 24, 45], [25, 46, 4], [47, 5, 26], [6, 27, 48], [28, 49, 7], [50, 8, 29], [9, 30, 51], [31, 52, 10],
+        [53, 11, 32], [12, 33, 54], [34, 55, 13], [56, 14, 35], [15, 36, 57], [37, 58, 16], [59, 17, 38], [18, 39, 60], [40, 61, 19], [62, 20, 41], [nil, nil, 63]]
+    end
+  end
+
+  IDENTIFIER_MAPPINGS = {'1' => MD5, '5' => SHA256, '6' => SHA512}
+end

data/test/unix_crypt_test.rb

@@ -0,0 +1,50 @@
+#
+# MD5 test cases constructed by Mark Johnston, taken from
+# http://code.activestate.com/recipes/325204-passwd-file-compatible-1-md5-crypt/
+#
+# SHA test cases found in Ulrich Drepper's paper on SHA crypt, taken from
+# http://www.akkadia.org/drepper/SHA-crypt.txt
+#
+
+require 'test/unit'
+require '../lib/unix_crypt'
+
+class UnixCryptTest < Test::Unit::TestCase
+  def test_password_validity
+    tests = [
+      # DES
+      ["PQ", "test", "PQl1.p7BcJRuM"],
+      ["xx", "much longer password here", "xxtHrOGVa3182"],
+
+      # MD5
+      [nil, ' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'],
+      [nil, 'pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'],
+      [nil, '____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'],
+      [nil, '____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'],
+      [nil, '____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'],
+      [nil, '__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'],
+
+      # SHA256
+      ["$5$saltstring", "Hello world!", "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"],
+      ["$5$rounds=10000$saltstringsaltstring", "Hello world!", "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA"],
+      ["$5$rounds=5000$toolongsaltstring", "This is just a test", "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8mGRcvxa5"],
+      ["$5$rounds=1400$anotherlongsaltstring", "a very much longer text to encrypt.  This one even stretches over morethan one line.", "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12oP84Bnq1"],
+      ["$5$rounds=77777$short", "we have a short salt string but not a short password", "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"],
+      ["$5$rounds=123456$asaltof16chars..", "a short string", "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD"],
+      ["$5$rounds=10$roundstoolow", "the minimum number is still observed", "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL972bIC"],
+
+      # SHA512
+      ["$6$saltstring", "Hello world!", "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"],
+      ["$6$rounds=10000$saltstringsaltstring", "Hello world!", "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."],
+      ["$6$rounds=5000$toolongsaltstring", "This is just a test", "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQzQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"],
+      ["$6$rounds=1400$anotherlongsaltstring", "a very much longer text to encrypt.  This one even stretches over morethan one line.", "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wPvMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"],
+      ["$6$rounds=77777$short", "we have a short salt string but not a short password", "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0gge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"],
+      ["$6$rounds=123456$asaltof16chars..", "a short string", "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwcelCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"],
+      ["$6$rounds=10$roundstoolow", "the minimum number is still observed", "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."]
+    ]
+
+    tests.each_with_index do |(salt, password, expected), index|
+      assert UnixCrypt.valid?(password, expected), "Password '#{password}' (index #{index}) failed"
+    end
+  end
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: unix-crypt
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: false
+  segments: 
+  - 1
+  - 0
+  - 0
+  version: 1.0.0
+platform: ruby
+authors: 
+- Roger Nesbitt
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-01-15 00:00:00 +13:00
+default_executable: 
+dependencies: []
+
+description: Performs the UNIX crypt(3) algorithm using DES (standard 13 character passwords), MD5 (starting with $1$), SHA256 (starting with $5$) and SHA512 (starting with $6$)
+email: roger@seriousorange.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/unix_crypt.rb
+- test/unix_crypt_test.rb
+has_rdoc: true
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Performs the UNIX crypt(3) algorithm using DES, MD5, SHA256 or SHA512
+test_files: []
+