unix-crypt 1.1.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1d23e0cd7fb0edc71372a52d4bd357dbbbbd0a8b
-  data.tar.gz: 0b135e10570ae2b629f52f441997cd304663b728
+  metadata.gz: a4f112426245004b2afc9ce190162d81729fcabd
+  data.tar.gz: a47fe1d84ca16f4597b63a3622f96b57405e25f6
 SHA512:
-  metadata.gz: 769ec3053c3e3af385aa5feb6bee79607763a6691cf33362f08a1198296c57cb1c98d8b78472f4eb354ac0e22cba35fc10d680e7bfecb30820d7ef71eb0a1b6b
-  data.tar.gz: a175438b7eedfe60a156aaaf003b3956cf70f7f0b054c181b29c9ca5879dbe421253b80d997331a2f095db1dcece3f5ed130df167c8dbaf82d037706cf31d317
+  metadata.gz: e355b3654486a6102dae8273c00cb58925e9731e268f4486fae24944bf5c63c51e18e79015cae9cc4a22b6c97182d730f5799eef155baac1c5ab879e8cf17f38
+  data.tar.gz: 9051d55228a699b3104ec8ea71637af6b05973a984ffd7f36d654d851673ce66259f0d72f6289c56c2dc78aadc226933dc1c2f1eac7a9592bb961d2f17651b87

data/README.rdoc

@@ -12,7 +12,11 @@ It handles:
 * SHA256 passwords (starting with $5$)
 * SHA512 passwords (starting with $6$)
 
-This library is compatible with Ruby 1.8.7 and above.  Tested on Ruby 2.0.0p0.
+This library is compatible with Ruby 1.8.7 and above.  Tested on Ruby 2.0.0p353.
+
+== Installation
+
+  gem install unix-crypt
 
 == Using the command line tool
 
@@ -20,9 +24,9 @@ An executable named +mkunixcrypt+ allows you to generate passwords from the comm
 
   Usage: mkunixcrypt [options]
   Encrypts password using the unix-crypt gem
-  
+
   Options:
-      -h, --hash [HASH]                Set hash algorithm [SHA512 (default), SHA256, MD5]
+      -h, --hash [HASH]                Set hash algorithm [SHA512 (default), SHA256, MD5, DES]
       -p, --password [PASSWORD]        Provide password on command line (insecure!)
       -s, --salt [SALT]                Provide hash salt
       -r, --rounds [ROUNDS]            Set number of hashing rounds (SHA256/SHA512 only)
@@ -31,8 +35,10 @@ An executable named +mkunixcrypt+ allows you to generate passwords from the comm
 
 == Using the library
 
-You can either validate a password matches its hash:
+You can either validate a password of any type matches its hash:
 
+  >> require 'unix_crypt'
+  => true
   >> UnixCrypt.valid?("Hello world!", "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5")
   => true
 
@@ -46,6 +52,13 @@ If a salt is not specified, one will be generated using random data:
   >> UnixCrypt::SHA256.build("Hello world!")
   => "$5$v.fjb6lucDCZKjcf$90gzpr9HYo0eAeaN8rubElJdUUOcVYjTnGePBRvCgt1"
 
+There are four classes you can use, depending on which hashing algorithm you'd like:
+
+  UnixCrypt::DES
+  UnixCrypt::MD5
+  UnixCrypt::SHA256
+  UnixCrypt::SHA512
+
 == License
 
 Licensed under the BSD license.  See LICENSE file for details.

data/lib/unix_crypt.rb

@@ -2,178 +2,30 @@ require 'digest'
 require 'securerandom'
 
 module UnixCrypt
-  VERSION = "1.1.1"
+  VERSION = "1.3.0"
+
+  Error = Class.new(StandardError)
+  SaltTooLongError = Class.new(Error)
 
   def self.valid?(password, string)
     # Handle the original DES-based crypt(3)
     return password.crypt(string) == string if string.length == 13
 
+    # All other types of password follow a standard format
     return false unless m = string.match(/\A\$([156])\$(?:rounds=(\d+)\$)?(.+)\$(.+)/)
 
     hash = IDENTIFIER_MAPPINGS[m[1]].hash(password, m[3], m[2] && m[2].to_i)
     hash == m[4]
   end
+end
 
-  class Base
-    def self.build(password, salt = nil, rounds = nil)
-      salt ||= generate_salt
-
-      "$#{identifier}$#{rounds_marker rounds}#{salt}$#{hash(password, salt, rounds)}"
-    end
-
-    def self.hash(password, salt, rounds = nil)
-      bit_specified_base64encode internal_hash(prepare_password(password), salt, rounds)
-    end
-
-    def self.generate_salt
-      # Generates a random salt using the same character set as the base64 encoding
-      # used by the hash encoder.
-      SecureRandom.base64(default_salt_length).gsub("=", "").tr("+", ".")
-    end
-
-    protected
-    def self.bit_specified_base64encode(input)
-      b64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-      input = input.bytes.to_a
-      output = ""
-      byte_indexes.each do |i3, i2, i1|
-        b1, b2, b3 = i1 && input[i1] || 0, i2 && input[i2] || 0, i3 && input[i3] || 0
-        output <<
-          b64[  b1 & 0b00111111]         <<
-          b64[((b1 & 0b11000000) >> 6) |
-              ((b2 & 0b00001111) << 2)]  <<
-          b64[((b2 & 0b11110000) >> 4) |
-              ((b3 & 0b00000011) << 4)]  <<
-          b64[ (b3 & 0b11111100) >> 2]
-      end
-
-      remainder = 3 - (length % 3)
-      remainder = 0 if remainder == 3
-      output[0..-1-remainder]
-    end
-
-    def self.prepare_password(password)
-      # For Ruby 1.9+, convert the password to UTF-8, then treat that new string
-      # as binary for the digest methods.
-      if password.respond_to?(:encode)
-        password = password.encode("UTF-8")
-        password.force_encoding("ASCII-8BIT")
-      end
-
-      password
-    end
-
-    def self.rounds_marker(rounds)
-      nil
-    end
-  end
-
-  class MD5 < Base
-    def self.digest; Digest::MD5; end
-    def self.length; 16; end
-    def self.default_salt_length; 6; end
-    def self.identifier; 1; end
-
-    def self.byte_indexes
-      [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5], [nil, nil, 11]]
-    end
-
-    def self.internal_hash(password, salt, ignored = nil)
-      salt = salt[0..7]
-
-      b = digest.digest("#{password}#{salt}#{password}")
-      a_string = "#{password}$1$#{salt}#{b * (password.length/length)}#{b[0...password.length % length]}"
-
-      password_length = password.length
-      while password_length > 0
-        a_string += (password_length & 1 != 0) ? "\x0" : password[0].chr
-        password_length >>= 1
-      end
-
-      input = digest.digest(a_string)
-
-      1000.times do |index|
-        c_string = ((index & 1 != 0) ? password : input)
-        c_string += salt unless index % 3 == 0
-        c_string += password unless index % 7 == 0
-        c_string += ((index & 1 != 0) ? input : password)
-        input = digest.digest(c_string)
-      end
-
-      input
-    end
-  end
-
-  class SHABase < Base
-  protected
-    def self.default_salt_length; 12; end
-    def self.default_rounds; 5000; end
-
-    def self.internal_hash(password, salt, rounds = nil)
-      rounds = apply_rounds_bounds(rounds || default_rounds)
-      salt = salt[0..15]
-
-      b = digest.digest("#{password}#{salt}#{password}")
-
-      a_string = password + salt + b * (password.length/length) + b[0...password.length % length]
-
-      password_length = password.length
-      while password_length > 0
-        a_string += (password_length & 1 != 0) ? b : password
-        password_length >>= 1
-      end
-
-      input = digest.digest(a_string)
-
-      dp = digest.digest(password * password.length)
-      p = dp * (password.length/length) + dp[0...password.length % length]
-
-      ds = digest.digest(salt * (16 + input.bytes.first))
-      s = ds * (salt.length/length) + ds[0...salt.length % length]
-
-      rounds.times do |index|
-        c_string = ((index & 1 != 0) ? p : input)
-        c_string += s unless index % 3 == 0
-        c_string += p unless index % 7 == 0
-        c_string += ((index & 1 != 0) ? input : p)
-        input = digest.digest(c_string)
-      end
-
-      input
-    end
-
-    def self.apply_rounds_bounds(rounds)
-      rounds = 1000        if rounds < 1000
-      rounds = 999_999_999 if rounds > 999_999_999
-      rounds
-    end
-
-    def self.rounds_marker(rounds)
-      if rounds && rounds != default_rounds
-        "rounds=#{apply_rounds_bounds(rounds)}$"
-      end
-    end
-  end
-
-  class SHA256 < SHABase
-    def self.digest; Digest::SHA256; end
-    def self.length; 32; end
-    def self.identifier; 5; end
-
-    def self.byte_indexes
-      [[0, 10, 20], [21, 1, 11], [12, 22, 2], [3, 13, 23], [24, 4, 14], [15, 25, 5], [6, 16, 26], [27, 7, 17], [18, 28, 8], [9, 19, 29], [nil, 31, 30]]
-    end
-  end
-
-  class SHA512 < SHABase
-    def self.digest; Digest::SHA512; end
-    def self.length; 64; end
-    def self.identifier; 6; end
-    def self.byte_indexes
-      [[0, 21, 42], [22, 43, 1], [44, 2, 23], [3, 24, 45], [25, 46, 4], [47, 5, 26], [6, 27, 48], [28, 49, 7], [50, 8, 29], [9, 30, 51], [31, 52, 10],
-        [53, 11, 32], [12, 33, 54], [34, 55, 13], [56, 14, 35], [15, 36, 57], [37, 58, 16], [59, 17, 38], [18, 39, 60], [40, 61, 19], [62, 20, 41], [nil, nil, 63]]
-    end
-  end
+require 'unix_crypt/base'
+require 'unix_crypt/des'
+require 'unix_crypt/md5'
+require 'unix_crypt/sha'
 
-  IDENTIFIER_MAPPINGS = {'1' => MD5, '5' => SHA256, '6' => SHA512}
-end
+UnixCrypt::IDENTIFIER_MAPPINGS = {
+  '1' => UnixCrypt::MD5,
+  '5' => UnixCrypt::SHA256,
+  '6' => UnixCrypt::SHA512
+}

data/lib/unix_crypt/base.rb

@@ -0,0 +1,61 @@
+class UnixCrypt::Base
+  def self.build(password, salt = nil, rounds = nil)
+    salt ||= generate_salt
+    if salt.length > max_salt_length
+      raise UnixCrypt::SaltTooLongError, "Salts longer than #{max_salt_length} characters are not permitted"
+    end
+
+    construct_password(password, salt, rounds)
+  end
+
+  def self.hash(password, salt, rounds = nil)
+    bit_specified_base64encode internal_hash(prepare_password(password), salt, rounds)
+  end
+
+  def self.generate_salt
+    # Generates a random salt using the same character set as the base64 encoding
+    # used by the hash encoder.
+    SecureRandom.base64((default_salt_length * 6 / 8.0).ceil).tr("+", ".")[0...default_salt_length]
+  end
+
+  protected
+  def self.construct_password(password, salt, rounds)
+    "$#{identifier}$#{rounds_marker rounds}#{salt}$#{hash(password, salt, rounds)}"
+  end
+
+  def self.bit_specified_base64encode(input)
+    b64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+    input = input.bytes.to_a
+    output = ""
+    byte_indexes.each do |i3, i2, i1|
+      b1, b2, b3 = i1 && input[i1] || 0, i2 && input[i2] || 0, i3 && input[i3] || 0
+      output <<
+        b64[  b1 & 0b00111111]         <<
+        b64[((b1 & 0b11000000) >> 6) |
+            ((b2 & 0b00001111) << 2)]  <<
+        b64[((b2 & 0b11110000) >> 4) |
+            ((b3 & 0b00000011) << 4)]  <<
+        b64[ (b3 & 0b11111100) >> 2]
+    end
+
+    remainder = 3 - (length % 3)
+    remainder = 0 if remainder == 3
+    output[0..-1-remainder]
+  end
+
+  def self.prepare_password(password)
+    # For Ruby 1.9+, convert the password to UTF-8, then treat that new string
+    # as binary for the digest methods.
+    if password.respond_to?(:encode)
+      password = password.encode("UTF-8")
+      password.force_encoding("ASCII-8BIT")
+    end
+
+    password
+  end
+
+  def self.rounds_marker(rounds)
+    nil
+  end
+end
+

data/lib/unix_crypt/command_line.rb

@@ -22,7 +22,12 @@ class UnixCrypt::CommandLine
       password_warning
     end
 
-    puts @options.hasher.build(@options.password, @options.salt, @options.rounds)
+    begin
+      puts @options.hasher.build(@options.password, @options.salt, @options.rounds)
+    rescue UnixCrypt::Error => e
+      $stderr.puts "password generation failed: #{e.message}"
+    end
+
     clear_string(@options.password)
   end
 
@@ -31,7 +36,8 @@ class UnixCrypt::CommandLine
     HASHERS = {
       :SHA512 => UnixCrypt::SHA512,
       :SHA256 => UnixCrypt::SHA256,
-      :MD5    => UnixCrypt::MD5
+      :MD5    => UnixCrypt::MD5,
+      :DES    => UnixCrypt::DES
     }
 
     def self.parse(args)
@@ -47,7 +53,7 @@ class UnixCrypt::CommandLine
         opts.separator ""
         opts.separator "Options:"
 
-        opts.on("-h", "--hash [HASH]", String, "Set hash algorithm [SHA512 (default), SHA256, MD5]") do |hasher|
+        opts.on("-h", "--hash [HASH]", String, "Set hash algorithm [SHA512 (default), SHA256, MD5, DES]") do |hasher|
           options.hashmethod = hasher.to_s.upcase.to_sym
           options.hasher     = HASHERS[options.hashmethod]
           raise Abort, "Invalid hash algorithm for -h/--hash" if options.hasher.nil?

data/lib/unix_crypt/des.rb

@@ -0,0 +1,13 @@
+class UnixCrypt::DES < UnixCrypt::Base
+  def self.hash(*args)
+    raise "Unimplemented for DES"
+  end
+
+  protected
+  def self.construct_password(password, salt, rounds)
+    password.crypt(salt)
+  end
+
+  def self.default_salt_length; 2; end
+  def self.max_salt_length; 2; end
+end

data/lib/unix_crypt/md5.rb

@@ -0,0 +1,37 @@
+class UnixCrypt::MD5 < UnixCrypt::Base
+protected
+  def self.digest; Digest::MD5; end
+  def self.length; 16; end
+  def self.default_salt_length; 8; end
+  def self.max_salt_length; 8; end
+  def self.identifier; 1; end
+
+  def self.byte_indexes
+    [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5], [nil, nil, 11]]
+  end
+
+  def self.internal_hash(password, salt, ignored = nil)
+    salt = salt[0..7]
+
+    b = digest.digest("#{password}#{salt}#{password}")
+    a_string = "#{password}$1$#{salt}#{b * (password.length/length)}#{b[0...password.length % length]}"
+
+    password_length = password.length
+    while password_length > 0
+      a_string += (password_length & 1 != 0) ? "\x0" : password[0].chr
+      password_length >>= 1
+    end
+
+    input = digest.digest(a_string)
+
+    1000.times do |index|
+      c_string = ((index & 1 != 0) ? password : input)
+      c_string += salt unless index % 3 == 0
+      c_string += password unless index % 7 == 0
+      c_string += ((index & 1 != 0) ? input : password)
+      input = digest.digest(c_string)
+    end
+
+    input
+  end
+end

data/lib/unix_crypt/sha.rb

@@ -0,0 +1,75 @@
+module UnixCrypt
+  class SHABase < Base
+  protected
+    def self.default_salt_length; 16; end
+    def self.max_salt_length; 16; end
+    def self.default_rounds; 5000; end
+
+    def self.internal_hash(password, salt, rounds = nil)
+      rounds = apply_rounds_bounds(rounds || default_rounds)
+      salt = salt[0..15]
+
+      b = digest.digest("#{password}#{salt}#{password}")
+
+      a_string = password + salt + b * (password.length/length) + b[0...password.length % length]
+
+      password_length = password.length
+      while password_length > 0
+        a_string += (password_length & 1 != 0) ? b : password
+        password_length >>= 1
+      end
+
+      input = digest.digest(a_string)
+
+      dp = digest.digest(password * password.length)
+      p = dp * (password.length/length) + dp[0...password.length % length]
+
+      ds = digest.digest(salt * (16 + input.bytes.first))
+      s = ds * (salt.length/length) + ds[0...salt.length % length]
+
+      rounds.times do |index|
+        c_string = ((index & 1 != 0) ? p : input)
+        c_string += s unless index % 3 == 0
+        c_string += p unless index % 7 == 0
+        c_string += ((index & 1 != 0) ? input : p)
+        input = digest.digest(c_string)
+      end
+
+      input
+    end
+
+    def self.apply_rounds_bounds(rounds)
+      rounds = 1000        if rounds < 1000
+      rounds = 999_999_999 if rounds > 999_999_999
+      rounds
+    end
+
+    def self.rounds_marker(rounds)
+      if rounds && rounds != default_rounds
+        "rounds=#{apply_rounds_bounds(rounds)}$"
+      end
+    end
+  end
+
+  class SHA256 < SHABase
+  protected
+    def self.digest; Digest::SHA256; end
+    def self.length; 32; end
+    def self.identifier; 5; end
+
+    def self.byte_indexes
+      [[0, 10, 20], [21, 1, 11], [12, 22, 2], [3, 13, 23], [24, 4, 14], [15, 25, 5], [6, 16, 26], [27, 7, 17], [18, 28, 8], [9, 19, 29], [nil, 31, 30]]
+    end
+  end
+
+  class SHA512 < SHABase
+  protected
+    def self.digest; Digest::SHA512; end
+    def self.length; 64; end
+    def self.identifier; 6; end
+    def self.byte_indexes
+      [[0, 21, 42], [22, 43, 1], [44, 2, 23], [3, 24, 45], [25, 46, 4], [47, 5, 26], [6, 27, 48], [28, 49, 7], [50, 8, 29], [9, 30, 51], [31, 52, 10],
+        [53, 11, 32], [12, 33, 54], [34, 55, 13], [56, 14, 35], [15, 36, 57], [37, 58, 16], [59, 17, 38], [18, 39, 60], [40, 61, 19], [62, 20, 41], [nil, nil, 63]]
+    end
+  end
+end

data/test/test_unix_crypt.rb

@@ -50,25 +50,50 @@ class UnixCryptTest < Test::Unit::TestCase
     end
   end
 
-  def test_md5_password_generation
+  def test_validity_of_des_password_generation
+    hash = UnixCrypt::DES.build("test")
+    assert UnixCrypt.valid?("test", hash)
+
+    hash = UnixCrypt::DES.build("test", 'xx')
+    assert UnixCrypt.valid?("test", hash)
+  end
+
+  def test_validity_of_md5_password_generation
     hash = UnixCrypt::MD5.build("test")
     assert UnixCrypt.valid?("test", hash)
+
+    hash = UnixCrypt::MD5.build("test", "abcdefgh")
+    assert UnixCrypt.valid?("test", hash)
   end
 
-  def test_sha256_password_generation
+  def test_validity_of_sha256_password_generation
     hash = UnixCrypt::SHA256.build("test")
     assert UnixCrypt.valid?("test", hash)
+
+    hash = UnixCrypt::SHA256.build("test", "1234567890123456")
+    assert UnixCrypt.valid?("test", hash)
   end
 
-  def test_sha512_password_generation
+  def test_validity_of_sha512_password_generation
     hash = UnixCrypt::SHA512.build("test")
     assert UnixCrypt.valid?("test", hash)
+
+    hash = UnixCrypt::SHA512.build("test", "1234567890123456")
+    assert UnixCrypt.valid?("test", hash)
   end
 
-  def test_salt_generation
+  def test_structure_of_generated_passwords_and_salts
+    assert_match %r{\A[a-zA-Z0-9./]{13}\z}, UnixCrypt::DES.build("test password")
+    assert_match %r{\Azz[a-zA-Z0-9./]{11}\z}, UnixCrypt::DES.build("test password", 'zz')
+
     assert_match %r{\A\$1\$[a-zA-Z0-9./]{8}\$[a-zA-Z0-9./]{22}\z}, UnixCrypt::MD5.build("test password")
+    assert_match %r{\A\$1\$abcdefgh\$[a-zA-Z0-9./]{22}\z}, UnixCrypt::MD5.build("test password", "abcdefgh")
+
     assert_match %r{\A\$5\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{43}\z}, UnixCrypt::SHA256.build("test password")
+    assert_match %r{\A\$5\$0123456789abcdef\$[a-zA-Z0-9./]{43}\z}, UnixCrypt::SHA256.build("test password", "0123456789abcdef")
+
     assert_match %r{\A\$6\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\z}, UnixCrypt::SHA512.build("test password")
+    assert_match %r{\A\$6\$0123456789abcdef\$[a-zA-Z0-9./]{86}\z}, UnixCrypt::SHA512.build("test password", "0123456789abcdef")
   end
 
   def test_password_generation_with_rounds
@@ -88,4 +113,10 @@ class UnixCryptTest < Test::Unit::TestCase
     assert_match %r{\A\$6\$rounds=1000\$[a-zA-Z0-9./]{16}\$[a-zA-Z0-9./]{86}\z}, hash
     assert UnixCrypt.valid?("test password", hash)
   end
+
+  def test_salt_is_not_longer_than_max_length
+    assert_raise(UnixCrypt::SaltTooLongError) { UnixCrypt::DES.build("test", "123") }
+    assert_raise(UnixCrypt::SaltTooLongError) { UnixCrypt::MD5.build("test", "123456789") }
+    assert_raise(UnixCrypt::SaltTooLongError) { UnixCrypt::SHA256.build("test", "12345678901234567") }
+  end
 end

data/unix-crypt.gemspec

@@ -1,4 +1,7 @@
-require './lib/unix_crypt'
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'unix_crypt'
 
 spec = Gem::Specification.new do |s|
   s.name         = 'unix-crypt'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unix-crypt
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Roger Nesbitt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-23 00:00:00.000000000 Z
+date: 2013-12-11 00:00:00.000000000 Z
 dependencies: []
 description: Performs the UNIX crypt(3) algorithm using DES (standard 13 character
   passwords), MD5 (starting with $1$), SHA256 (starting with $5$) and SHA512 (starting
@@ -25,7 +25,11 @@ files:
 - Rakefile
 - bin/mkunixcrypt
 - lib/unix_crypt.rb
+- lib/unix_crypt/base.rb
 - lib/unix_crypt/command_line.rb
+- lib/unix_crypt/des.rb
+- lib/unix_crypt/md5.rb
+- lib/unix_crypt/sha.rb
 - test/test_unix_crypt.rb
 - test/unix_crypt/test_command_line.rb
 - unix-crypt.gemspec
@@ -49,7 +53,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.2
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Performs the UNIX crypt(3) algorithm using DES, MD5, SHA256 or SHA512