unix-crypt 1.1.0 → 1.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1d23e0cd7fb0edc71372a52d4bd357dbbbbd0a8b
+  data.tar.gz: 0b135e10570ae2b629f52f441997cd304663b728
+SHA512:
+  metadata.gz: 769ec3053c3e3af385aa5feb6bee79607763a6691cf33362f08a1198296c57cb1c98d8b78472f4eb354ac0e22cba35fc10d680e7bfecb30820d7ef71eb0a1b6b
+  data.tar.gz: a175438b7eedfe60a156aaaf003b3956cf70f7f0b054c181b29c9ca5879dbe421253b80d997331a2f095db1dcece3f5ed130df167c8dbaf82d037706cf31d317

data/.gitignore

@@ -0,0 +1,3 @@
+.DS_Store
+.*.swp
+*.gem

data/LICENSE

@@ -0,0 +1,10 @@
+Copyright (c) 2013, Roger Nesbitt
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+Neither the name of the unix-crypt nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.rdoc

@@ -0,0 +1,59 @@
+= unix-crypt
+
+== Description
+
+unix-crypt creates and checks passwords that you'd normally find in an /etc/shadow file on your UNIX box.
+
+It's written entirely in Ruby and has no external dependencies.
+
+It handles:
+* DES passwords (the standard 13 character password with a 2 character salt)
+* MD5 passwords (starting with $1$)
+* SHA256 passwords (starting with $5$)
+* SHA512 passwords (starting with $6$)
+
+This library is compatible with Ruby 1.8.7 and above.  Tested on Ruby 2.0.0p0.
+
+== Using the command line tool
+
+An executable named +mkunixcrypt+ allows you to generate passwords from the command line.
+
+  Usage: mkunixcrypt [options]
+  Encrypts password using the unix-crypt gem
+  
+  Options:
+      -h, --hash [HASH]                Set hash algorithm [SHA512 (default), SHA256, MD5]
+      -p, --password [PASSWORD]        Provide password on command line (insecure!)
+      -s, --salt [SALT]                Provide hash salt
+      -r, --rounds [ROUNDS]            Set number of hashing rounds (SHA256/SHA512 only)
+          --help                       Show this message
+      -v, --version                    Show version
+
+== Using the library
+
+You can either validate a password matches its hash:
+
+  >> UnixCrypt.valid?("Hello world!", "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5")
+  => true
+
+Or you can generate a new hash, given a password and salt:
+
+  >> UnixCrypt::SHA256.build("Hello world!", "saltstring")
+  => "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"
+
+If a salt is not specified, one will be generated using random data:
+
+  >> UnixCrypt::SHA256.build("Hello world!")
+  => "$5$v.fjb6lucDCZKjcf$90gzpr9HYo0eAeaN8rubElJdUUOcVYjTnGePBRvCgt1"
+
+== License
+
+Licensed under the BSD license.  See LICENSE file for details.
+
+== Author
+
+* Roger Nesbitt (roger@seriousorange.com)
+
+== Contributors
+
+* Patrick Wyatt (pat@codeofhonor.com)

data/Rakefile

@@ -0,0 +1,7 @@
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/**/test*.rb']
+  t.verbose = true
+end

data/bin/mkunixcrypt

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'unix_crypt'
+rescue LoadError
+  require 'rubygems'
+  require 'unix_crypt'
+end
+
+require 'unix_crypt/command_line'
+
+begin
+  UnixCrypt::CommandLine.new(ARGV).encrypt
+rescue UnixCrypt::CommandLine::Abort => e
+  abort e.message
+end

data/lib/unix_crypt.rb

@@ -2,6 +2,8 @@ require 'digest'
 require 'securerandom'
 
 module UnixCrypt
+  VERSION = "1.1.1"
+
   def self.valid?(password, string)
     # Handle the original DES-based crypt(3)
     return password.crypt(string) == string if string.length == 13
@@ -16,7 +18,11 @@ module UnixCrypt
     def self.build(password, salt = nil, rounds = nil)
       salt ||= generate_salt
 
-      "$#{identifier}$#{salt}$#{hash(password, salt, rounds)}"
+      "$#{identifier}$#{rounds_marker rounds}#{salt}$#{hash(password, salt, rounds)}"
+    end
+
+    def self.hash(password, salt, rounds = nil)
+      bit_specified_base64encode internal_hash(prepare_password(password), salt, rounds)
     end
 
     def self.generate_salt
@@ -56,6 +62,10 @@ module UnixCrypt
 
       password
     end
+
+    def self.rounds_marker(rounds)
+      nil
+    end
   end
 
   class MD5 < Base
@@ -68,11 +78,9 @@ module UnixCrypt
       [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5], [nil, nil, 11]]
     end
 
-    def self.hash(password, salt, ignored = nil)
+    def self.internal_hash(password, salt, ignored = nil)
       salt = salt[0..7]
 
-      password = prepare_password(password)
-
       b = digest.digest("#{password}#{salt}#{password}")
       a_string = "#{password}$1$#{salt}#{b * (password.length/length)}#{b[0...password.length % length]}"
 
@@ -92,22 +100,19 @@ module UnixCrypt
         input = digest.digest(c_string)
       end
 
-      bit_specified_base64encode(input)
+      input
     end
   end
 
   class SHABase < Base
+  protected
     def self.default_salt_length; 12; end
+    def self.default_rounds; 5000; end
 
-    def self.hash(password, salt, rounds = nil)
-      rounds ||= 5000
-      rounds = 1000        if rounds < 1000
-      rounds = 999_999_999 if rounds > 999_999_999
-
+    def self.internal_hash(password, salt, rounds = nil)
+      rounds = apply_rounds_bounds(rounds || default_rounds)
       salt = salt[0..15]
 
-      password = prepare_password(password)
-
       b = digest.digest("#{password}#{salt}#{password}")
 
       a_string = password + salt + b * (password.length/length) + b[0...password.length % length]
@@ -118,12 +123,12 @@ module UnixCrypt
         password_length >>= 1
       end
 
-      input = a = digest.digest(a_string)
+      input = digest.digest(a_string)
 
       dp = digest.digest(password * password.length)
       p = dp * (password.length/length) + dp[0...password.length % length]
 
-      ds = digest.digest(salt * (16 + a.bytes.first))
+      ds = digest.digest(salt * (16 + input.bytes.first))
       s = ds * (salt.length/length) + ds[0...salt.length % length]
 
       rounds.times do |index|
@@ -134,7 +139,19 @@ module UnixCrypt
         input = digest.digest(c_string)
       end
 
-      bit_specified_base64encode(input)
+      input
+    end
+
+    def self.apply_rounds_bounds(rounds)
+      rounds = 1000        if rounds < 1000
+      rounds = 999_999_999 if rounds > 999_999_999
+      rounds
+    end
+
+    def self.rounds_marker(rounds)
+      if rounds && rounds != default_rounds
+        "rounds=#{apply_rounds_bounds(rounds)}$"
+      end
     end
   end
 

data/lib/unix_crypt/command_line.rb

@@ -0,0 +1,123 @@
+require 'optparse'
+require 'ostruct'
+begin
+  require 'io/console'
+rescue LoadError
+  $no_io_console = true
+end
+
+class UnixCrypt::CommandLine
+  Abort = Class.new(StandardError)
+
+  attr_reader :options
+
+  def initialize(argv)
+    @options = Opts.parse(argv)
+  end
+
+  def encrypt
+    if @options.password.nil?
+      @options.password = ask_password
+    else
+      password_warning
+    end
+
+    puts @options.hasher.build(@options.password, @options.salt, @options.rounds)
+    clear_string(@options.password)
+  end
+
+  private
+  class Opts
+    HASHERS = {
+      :SHA512 => UnixCrypt::SHA512,
+      :SHA256 => UnixCrypt::SHA256,
+      :MD5    => UnixCrypt::MD5
+    }
+
+    def self.parse(args)
+      options            = OpenStruct.new
+      options.hashmethod = :SHA512
+      options.hasher     = HASHERS[options.hashmethod]
+      options.password   = nil
+      options.salt       = nil
+      options.rounds     = nil
+      options.leftovers  = OptionParser.new do |opts|
+        opts.banner = "Usage: #{File.basename $0} [options]"
+        opts.separator "Encrypts password using the unix-crypt gem"
+        opts.separator ""
+        opts.separator "Options:"
+
+        opts.on("-h", "--hash [HASH]", String, "Set hash algorithm [SHA512 (default), SHA256, MD5]") do |hasher|
+          options.hashmethod = hasher.to_s.upcase.to_sym
+          options.hasher     = HASHERS[options.hashmethod]
+          raise Abort, "Invalid hash algorithm for -h/--hash" if options.hasher.nil?
+        end
+
+        opts.on("-p", "--password [PASSWORD]", String, "Provide password on command line (insecure!)") do |password|
+          raise Abort, "Invalid password for -p/--password" if password.nil?
+          options.password = password
+          $0 = $0 # this invocation will get rid of the command line arguments from the process list
+        end
+
+        opts.on("-s", "--salt [SALT]", String, "Provide hash salt") do |salt|
+          raise Abort, "Invalid salt for -s/--salt" if salt.nil?
+          options.salt = salt
+        end
+
+        opts.on("-r", "--rounds [ROUNDS]", Integer, "Set number of hashing rounds (SHA256/SHA512 only)") do |rounds|
+          raise Abort, "Invalid hashing rounds for -r/--rounds" if rounds.nil? || rounds.to_i <= 0
+          options.rounds = rounds
+        end
+
+        opts.on_tail("-h", "--help", "Show this message") do
+          puts opts
+          exit
+        end
+
+        opts.on_tail("-v", "--version", "Show version") do
+          puts UnixCrypt::VERSION
+          exit
+        end
+      end.parse!(args)
+      options
+    end
+  end
+
+  def ask_noecho(message)
+    $stderr.print message
+    if $no_io_console
+      begin
+        `stty -echo`
+        result = gets
+      ensure
+        `stty echo`
+      end
+    else
+      result = $stdin.noecho(&:gets)
+    end
+    $stderr.puts
+    result
+  end
+
+  def password_warning
+    $stderr.puts "warning: providing a password on the command line is insecure"
+  end
+
+  def clear_string(string)
+    string.replace(" " * string.length)
+  end
+
+  def ask_password
+    password = ask_noecho("Enter password: ")
+    twice    = ask_noecho("Verify password: ")
+
+    if password != twice
+      clear_string(password)
+      clear_string(twice)
+      raise Abort, "Passwords don't match"
+    end
+
+    clear_string(twice)
+    password.chomp!
+  end
+end

data/test/{unix_crypt_test.rb → test_unix_crypt.rb}

@@ -8,7 +8,7 @@
 #
 
 require 'test/unit'
-require '../lib/unix_crypt'
+require File.expand_path('../../lib/unix_crypt', __FILE__)
 
 class UnixCryptTest < Test::Unit::TestCase
   def test_password_validity
@@ -50,9 +50,42 @@ class UnixCryptTest < Test::Unit::TestCase
     end
   end
 
+  def test_md5_password_generation
+    hash = UnixCrypt::MD5.build("test")
+    assert UnixCrypt.valid?("test", hash)
+  end
+
+  def test_sha256_password_generation
+    hash = UnixCrypt::SHA256.build("test")
+    assert UnixCrypt.valid?("test", hash)
+  end
+
+  def test_sha512_password_generation
+    hash = UnixCrypt::SHA512.build("test")
+    assert UnixCrypt.valid?("test", hash)
+  end
+
   def test_salt_generation
     assert_match %r{\A\$1\$[a-zA-Z0-9./]{8}\$[a-zA-Z0-9./]{22}\z}, UnixCrypt::MD5.build("test password")
     assert_match %r{\A\$5\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{43}\z}, UnixCrypt::SHA256.build("test password")
     assert_match %r{\A\$6\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\z}, UnixCrypt::SHA512.build("test password")
   end
+
+  def test_password_generation_with_rounds
+    hash = UnixCrypt::SHA512.build("test password", nil, 5678)
+    assert_match %r{\A\$6\$rounds=5678\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\z}, hash
+    assert UnixCrypt.valid?("test password", hash)
+
+    assert_match %r{\A\$6\$rounds=5678\$salted\$[a-zA-Z0-9./]{86}\z}, UnixCrypt::SHA512.build("test password", "salted", 5678)
+  end
+
+  def test_default_rounds_does_not_add_rounds_marker
+    assert_match %r{\A\$6\$salted\$[a-zA-Z0-9./]{86}\z}, UnixCrypt::SHA512.build("test password", "salted", 5000) # the default number of rounds
+  end
+
+  def test_rounds_bounds
+    hash = UnixCrypt::SHA512.build("test password", nil, 567)
+    assert_match %r{\A\$6\$rounds=1000\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\z}, hash
+    assert UnixCrypt.valid?("test password", hash)
+  end
 end

data/test/unix_crypt/test_command_line.rb

@@ -0,0 +1,88 @@
+require 'test/unit'
+require File.expand_path('../../../lib/unix_crypt', __FILE__)
+require File.expand_path('../../../lib/unix_crypt/command_line', __FILE__)
+
+class CommandLineTest < Test::Unit::TestCase
+  class CaptureIO
+    def initialize(name, buffer, input = [])
+      @name = name
+      @buffer = buffer
+      @input = input
+    end
+
+    def noecho
+      yield self
+    end
+
+    def gets
+      @buffer << [@name, @input.first.dup]
+      @input.shift
+    end
+
+    def write(data)
+      @buffer << [@name, data]
+    end
+
+    def print(data)
+      write data
+    end
+
+    def puts(data = "")
+      write "#{data}\n"
+    end
+
+    def self.redirect(input = [])
+      buffer = []
+      $stdin = new("stdin", buffer, input)
+      $stdout = new("stdout", buffer)
+      $stderr = new("stderr", buffer)
+      yield
+      buffer
+    ensure
+      $stdin = STDIN
+      $stdout = STDOUT
+      $stderr = STDERR
+    end
+  end
+
+  def test_no_parameter_password_creation
+    result = CaptureIO.redirect(["hello\n", "hello\n"]) do
+      UnixCrypt::CommandLine.new([]).encrypt
+    end
+
+    expected = [
+      ["stderr", "Enter password: "],
+      ["stdin", "hello\n"],
+      ["stderr", "\n"],
+      ["stderr", "Verify password: "],
+      ["stdin", "hello\n"],
+      ["stderr", "\n"]
+    ]
+
+    assert_equal expected, result[0..-2]
+
+    channel, password = result[-1]
+    assert_equal "stdout", channel
+    assert_match %r{\A\$6\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\n\z}, password
+
+    assert UnixCrypt.valid?("hello", password)
+  end
+
+  def test_parameters_provided_password_creation
+    result = CaptureIO.redirect do
+      UnixCrypt::CommandLine.new(%w(-h sha256 -p hello -s salty -r 1234)).encrypt
+    end
+
+    expected = [
+      ["stderr", "warning: providing a password on the command line is insecure\n"]
+    ]
+
+    assert_equal expected, result[0..-2]
+
+    channel, password = result[-1]
+    assert_equal "stdout", channel
+    assert_match %r{\A\$5\$rounds=1234\$salty\$[a-zA-Z0-9./]{43}\n\z}, password
+
+    assert UnixCrypt.valid?("hello", password)
+  end
+end

data/unix-crypt.gemspec

@@ -0,0 +1,17 @@
+require './lib/unix_crypt'
+
+spec = Gem::Specification.new do |s|
+  s.name         = 'unix-crypt'
+  s.version      = UnixCrypt::VERSION
+  s.summary      = "Performs the UNIX crypt(3) algorithm using DES, MD5, SHA256 or SHA512"
+  s.description  = %{Performs the UNIX crypt(3) algorithm using DES (standard 13 character passwords), MD5 (starting with $1$), SHA256 (starting with $5$) and SHA512 (starting with $6$)}
+  s.files        = `git ls-files`.split($\)
+  s.test_files   = s.files.grep(%r{^(test|spec|features)/})
+  s.executables  = ["mkunixcrypt"]
+  s.require_path = 'lib'
+  s.has_rdoc     = false
+  s.author       = "Roger Nesbitt"
+  s.email        = "roger@seriousorange.com"
+  s.homepage     = "https://github.com/mogest/unix-crypt"
+  s.license      = "BSD"
+end

metadata

@@ -1,48 +1,58 @@
 --- !ruby/object:Gem::Specification
 name: unix-crypt
 version: !ruby/object:Gem::Version
-  version: 1.1.0
-  prerelease: 
+  version: 1.1.1
 platform: ruby
 authors:
 - Roger Nesbitt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-02 00:00:00.000000000 Z
+date: 2013-09-23 00:00:00.000000000 Z
 dependencies: []
 description: Performs the UNIX crypt(3) algorithm using DES (standard 13 character
   passwords), MD5 (starting with $1$), SHA256 (starting with $5$) and SHA512 (starting
   with $6$)
 email: roger@seriousorange.com
-executables: []
+executables:
+- mkunixcrypt
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- bin/mkunixcrypt
 - lib/unix_crypt.rb
-- test/unix_crypt_test.rb
-homepage: 
-licenses: []
+- lib/unix_crypt/command_line.rb
+- test/test_unix_crypt.rb
+- test/unix_crypt/test_command_line.rb
+- unix-crypt.gemspec
+homepage: https://github.com/mogest/unix-crypt
+licenses:
+- BSD
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.0.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Performs the UNIX crypt(3) algorithm using DES, MD5, SHA256 or SHA512
-test_files: []
+test_files:
+- test/test_unix_crypt.rb
+- test/unix_crypt/test_command_line.rb