git ssb

Files: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd / lib / bcrypt.rb

5649 bytesRaw

1 # A wrapper for OpenBSD's bcrypt/crypt_blowfish password-hashing algorithm.
2 
3 $: << "ext"
4 require "bcrypt_ext"
5 require "openssl"
6 
7 # A Ruby library implementing OpenBSD's bcrypt()/crypt_blowfish algorithm for
8 # hashing passwords.
9 module BCrypt
10   module Errors
11     class InvalidSalt   < StandardError; end  # The salt parameter provided to bcrypt() is invalid.
12     class InvalidHash   < StandardError; end  # The hash parameter provided to bcrypt() is invalid.
13     class InvalidCost   < StandardError; end  # The cost parameter provided to bcrypt() is invalid.
14     class InvalidSecret < StandardError; end  # The secret parameter provided to bcrypt() is invalid.
15   end
16   
17   # A Ruby wrapper for the bcrypt() extension calls.
18   class Engine
19     # The default computational expense parameter.
20     DEFAULT_COST    = 10
21     # Maximum possible size of bcrypt() salts.
22     MAX_SALT_LENGTH = 16
23     
24     # C-level routines which, if they don't get the right input, will crash the
25     # hell out of the Ruby process.
26     private_class_method :__bc_salt
27     private_class_method :__bc_crypt
28     
29     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
30     # a bcrypt() password hash.
31     def self.hash(secret, salt)
32       if valid_secret?(secret)
33         if valid_salt?(salt)
34           __bc_crypt(secret.to_s, salt)
35         else
36           raise Errors::InvalidSalt.new("invalid salt")
37         end
38       else
39         raise Errors::InvalidSecret.new("invalid secret")
40       end
41     end
42     
43     # Generates a random salt with a given computational cost.
44     def self.generate_salt(cost = DEFAULT_COST)
45       if cost.to_i > 0
46         __bc_salt(cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
47       else
48         raise Errors::InvalidCost.new("cost must be numeric and > 0")
49       end
50     end
51     
52     # Returns true if +salt+ is a valid bcrypt() salt, false if not.
53     def self.valid_salt?(salt)
54       salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/
55     end
56     
57     # Returns true if +secret+ is a valid bcrypt() secret, false if not.
58     def self.valid_secret?(secret)
59       secret.respond_to?(:to_s)
60     end
61     
62     # Returns the cost factor which will result in computation times less than +upper_time_limit_in_ms+.
63     # 
64     # Example:
65     # 
66     #   BCrypt.calibrate(200)  #=> 10
67     #   BCrypt.calibrate(1000) #=> 12
68     # 
69     #   # should take less than 200ms
70     #   BCrypt::Password.create("woo", :cost => 10)
71     # 
72     #   # should take less than 1000ms
73     #   BCrypt::Password.create("woo", :cost => 12)
74     def self.calibrate(upper_time_limit_in_ms)
75       40.times do |i|
76         start_time = Time.now
77         Password.create("testing testing", :cost => i+1)
78         end_time = Time.now - start_time
79         return i if end_time * 1_000 > upper_time_limit_in_ms
80       end
81     end
82   end
83   
84   # A password management class which allows you to safely store users' passwords and compare them.
85   # 
86   # Example usage:
87   # 
88   #   include BCrypt
89   # 
90   #   # hash a user's password  
91   #   @password = Password.create("my grand secret")
92   #   @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"
93   # 
94   #   # store it safely
95   #   @user.update_attribute(:password, @password)
96   # 
97   #   # read it back
98   #   @user.reload!
99   #   @db_password = Password.new(@user.password)
100   # 
101   #   # compare it after retrieval
102   #   @db_password == "my grand secret" #=> true
103   #   @db_password == "a paltry guess"  #=> false
104   # 
105   class Password < String
106     # The hash portion of the stored password hash.
107     attr_reader :hash
108     # The salt of the store password hash (including version and cost).
109     attr_reader :salt
110     # The version of the bcrypt() algorithm used to create the hash.
111     attr_reader :version
112     # The cost factor used to create the hash.
113     attr_reader :cost
114     
115     class << self
116       # Hashes a secret, returning a BCrypt::Password instance. Takes an optional <tt>:cost</tt> option, which is a
117       # logarithmic variable which determines how computational expensive the hash is to calculate (a <tt>:cost</tt> of
118       # 4 is twice as much work as a <tt>:cost</tt> of 3). The higher the <tt>:cost</tt> the harder it becomes for
119       # attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check
120       # users' passwords.
121       # 
122       # Example:
123       # 
124       #   @password = BCrypt::Password.create("my secret", :cost => 13)
125       def create(secret, options = { :cost => BCrypt::Engine::DEFAULT_COST })
126         Password.new(BCrypt::Engine.hash(secret, BCrypt::Engine.generate_salt(options[:cost])))
127       end
128     end
129     
130     # Initializes a BCrypt::Password instance with the data from a stored hash.
131     def initialize(raw_hash)
132       if valid_hash?(raw_hash)
133         self.replace(raw_hash)
134         @version, @cost, @salt, @hash = split_hash(self)
135       else
136         raise Errors::InvalidHash.new("invalid hash")
137       end
138     end
139     
140     # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
141     def ==(secret)
142       super(BCrypt::Engine.hash(secret, @salt))
143     end
144     alias_method :is_password?, :==
145     
146   private
147     # Returns true if +h+ is a valid hash.
148     def valid_hash?(h)
149       h =~ /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/
150     end
151     
152     # call-seq:
153     #   split_hash(raw_hash) -> version, cost, salt, hash
154     # 
155     # Splits +h+ into version, cost, salt, and hash and returns them in that order.
156     def split_hash(h)
157       b, v, c, mash = h.split('$')
158       return v, c.to_i, h[0, 29], mash[-31, 31]
159     end
160   end
161 end

Built with git-ssb-web

dangerousbeans / %aPBe2k3ugtjBr4rrsU1…

Tree: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd

Files: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd / lib / bcrypt.rb

1	# A wrapper for OpenBSD's bcrypt/crypt_blowfish password-hashing algorithm.
2
3	$: << "ext"
4	require "bcrypt_ext"
5	require "openssl"
6
7	# A Ruby library implementing OpenBSD's bcrypt()/crypt_blowfish algorithm for
8	# hashing passwords.
9	module BCrypt
10	module Errors
11	class InvalidSalt < StandardError; end # The salt parameter provided to bcrypt() is invalid.
12	class InvalidHash < StandardError; end # The hash parameter provided to bcrypt() is invalid.
13	class InvalidCost < StandardError; end # The cost parameter provided to bcrypt() is invalid.
14	class InvalidSecret < StandardError; end # The secret parameter provided to bcrypt() is invalid.
15	end
16
17	# A Ruby wrapper for the bcrypt() extension calls.
18	class Engine
19	# The default computational expense parameter.
20	DEFAULT_COST = 10
21	# Maximum possible size of bcrypt() salts.
22	MAX_SALT_LENGTH = 16
23
24	# C-level routines which, if they don't get the right input, will crash the
25	# hell out of the Ruby process.
26	private_class_method :__bc_salt
27	private_class_method :__bc_crypt
28
29	# Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
30	# a bcrypt() password hash.
31	def self.hash(secret, salt)
32	if valid_secret?(secret)
33	if valid_salt?(salt)
34	__bc_crypt(secret.to_s, salt)
35	else
36	raise Errors::InvalidSalt.new("invalid salt")
37	end
38	else
39	raise Errors::InvalidSecret.new("invalid secret")
40	end
41	end
42
43	# Generates a random salt with a given computational cost.
44	def self.generate_salt(cost = DEFAULT_COST)
45	if cost.to_i > 0
46	__bc_salt(cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
47	else
48	raise Errors::InvalidCost.new("cost must be numeric and > 0")
49	end
50	end
51
52	# Returns true if +salt+ is a valid bcrypt() salt, false if not.
53	def self.valid_salt?(salt)
54	salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/
55	end
56
57	# Returns true if +secret+ is a valid bcrypt() secret, false if not.
58	def self.valid_secret?(secret)
59	secret.respond_to?(:to_s)
60	end
61
62	# Returns the cost factor which will result in computation times less than +upper_time_limit_in_ms+.
63	#
64	# Example:
65	#
66	# BCrypt.calibrate(200) #=> 10
67	# BCrypt.calibrate(1000) #=> 12
68	#
69	# # should take less than 200ms
70	# BCrypt::Password.create("woo", :cost => 10)
71	#
72	# # should take less than 1000ms
73	# BCrypt::Password.create("woo", :cost => 12)
74	def self.calibrate(upper_time_limit_in_ms)
75	40.times do \|i\|
76	start_time = Time.now
77	Password.create("testing testing", :cost => i+1)
78	end_time = Time.now - start_time
79	return i if end_time * 1_000 > upper_time_limit_in_ms
80	end
81	end
82	end
83
84	# A password management class which allows you to safely store users' passwords and compare them.
85	#
86	# Example usage:
87	#
88	# include BCrypt
89	#
90	# # hash a user's password
91	# @password = Password.create("my grand secret")
92	# @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"
93	#
94	# # store it safely
95	# @user.update_attribute(:password, @password)
96	#
97	# # read it back
98	# @user.reload!
99	# @db_password = Password.new(@user.password)
100	#
101	# # compare it after retrieval
102	# @db_password == "my grand secret" #=> true
103	# @db_password == "a paltry guess" #=> false
104	#
105	class Password < String
106	# The hash portion of the stored password hash.
107	attr_reader :hash
108	# The salt of the store password hash (including version and cost).
109	attr_reader :salt
110	# The version of the bcrypt() algorithm used to create the hash.
111	attr_reader :version
112	# The cost factor used to create the hash.
113	attr_reader :cost
114
115	class << self
116	# Hashes a secret, returning a BCrypt::Password instance. Takes an optional <tt>:cost</tt> option, which is a
117	# logarithmic variable which determines how computational expensive the hash is to calculate (a <tt>:cost</tt> of
118	# 4 is twice as much work as a <tt>:cost</tt> of 3). The higher the <tt>:cost</tt> the harder it becomes for
119	# attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check
120	# users' passwords.
121	#
122	# Example:
123	#
124	# @password = BCrypt::Password.create("my secret", :cost => 13)
125	def create(secret, options = { :cost => BCrypt::Engine::DEFAULT_COST })
126	Password.new(BCrypt::Engine.hash(secret, BCrypt::Engine.generate_salt(options[:cost])))
127	end
128	end
129
130	# Initializes a BCrypt::Password instance with the data from a stored hash.
131	def initialize(raw_hash)
132	if valid_hash?(raw_hash)
133	self.replace(raw_hash)
134	@version, @cost, @salt, @hash = split_hash(self)
135	else
136	raise Errors::InvalidHash.new("invalid hash")
137	end
138	end
139
140	# Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
141	def ==(secret)
142	super(BCrypt::Engine.hash(secret, @salt))
143	end
144	alias_method :is_password?, :==
145
146	private
147	# Returns true if +h+ is a valid hash.
148	def valid_hash?(h)
149	h =~ /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/
150	end
151
152	# call-seq:
153	# split_hash(raw_hash) -> version, cost, salt, hash
154	#
155	# Splits +h+ into version, cost, salt, and hash and returns them in that order.
156	def split_hash(h)
157	b, v, c, mash = h.split('$')
158	return v, c.to_i, h[0, 29], mash[-31, 31]
159	end
160	end
161	end

dangerousbeans / %aPBe2k3ugtjBr4rrsU1…

Tree: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd master <input type="submit" value="Go"/>

Files: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd / lib / bcrypt.rb

Tree: 17a8701b53ff97626f522f8ae1dcbabc3af61fcd