class CryptCheckpass::SHA2
The sha256crypt / sha512crypt by Ulrich Drepper. Default for `/etc/shadow` of most Linux distributions. Also no security flaws are known at the moment.
### Newhash:
You can use `crypto_newhash` to create a new password hash using SHA2:
“`ruby crypt_newhash(password, id: 'sha256', rounds: 1024) “`
where:
- `password` is the raw binary password that you want to digest. - `id` is either "sha256" or "sha512". - `rounds` is for iteration rounds.
The generated password hash has following format.
### Format:
Hash strings generated by sha256crypt is constructed like this:
“`ruby %r{
(?<id> 5 ){0} (?<rounds> rounds=[1-9]\d{3,8} ){0} (?<salt> [A-Za-z0-9./]{,16} ){0} (?<csum> [A-Za-z0-9./]{43} ){0} \A [$] \g<id> (?: [$] \g<rounds> )? [$] \g<salt> [$] \g<csum> \z
}x “`
That of sha512crypt is constructed like this:
“`ruby %r{
(?<id> 6 ){0} (?<rounds> rounds=[1-9]\d{3,8} ){0} (?<salt> [A-Za-z0-9./]{,16} ){0} (?<csum> [A-Za-z0-9./]{86} ){0} \A [$] \g<id> (?: [$] \g<rounds> )? [$] \g<salt> [$] \g<csum> \z
}x “`
-
`id` is 5 for sha256crypt, 6 for sha512crypt.
-
`rounds` is, if present, the stretch rounds in decimal integer. Should be in range of 1,000 to 999,999,999 inclusive.
-
`salt` and `csum` are the salt and checksum strings. Both are encoded in base64-like strings that do not strictly follow RFC4648. The only difference between `$5$` and `$6$` is the length of csum.
@see www.akkadia.org/drepper/SHA-crypt.txt @example
crypt_newhash 'password', id: 'sha256' # => "$5$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4"
@example
crypt_checkpass? 'password', '$5$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4' # => true
@example
crypt_newhash 'password', id: 'sha512' # => "$6$oIlkXbDGlU.HktGx$L7xkRSQYLe/yCbz6hIM2JSY6EMtkr/CyvR71Bhr9VkotfEOUiwY8A0rAuSFmO1titWLA8hTKQXWl3ZX0QqokS0"
@example
crypt_checkpass? 'password', '$6$oIlkXbDGlU.HktGx$L7xkRSQYLe/yCbz6hIM2JSY6EMtkr/CyvR71Bhr9VkotfEOUiwY8A0rAuSFmO1titWLA8hTKQXWl3ZX0QqokS0' # => true
Public Class Methods
(see CryptCheckpass.checkpass?
)
# File lib/crypt_checkpass/sha2.rb, line 129 def self.checkpass? pass, hash require 'unix-crypt', 'unix_crypt' return UnixCrypt.valid? pass, hash end
(see CryptCheckpass.newhash
)
@param pass [String] raw binary password string. @param id [String] name of the algorithm. @param rounds [Integer] rounds of stretching.
# File lib/crypt_checkpass/sha2.rb, line 149 def self.newhash pass, id: 'sha256', rounds: nil require 'unix-crypt', 'unix_crypt' case id when 'sha256' then klass = UnixCrypt::SHA256 when 'sha512' then klass = UnixCrypt::SHA512 else raise ArgumentError, 'unknown id: %p', id end return klass.build pass, nil, rounds end
(see CryptCheckpass.provide?
)
# File lib/crypt_checkpass/sha2.rb, line 136 def self.provide? id case id when 'sha256', 'sha512' then return true else return false end end
(see CryptCheckpass.understand?
)
# File lib/crypt_checkpass/sha2.rb, line 108 def self.understand? str md = %r{ (?<id> 5 | 6 ){0} (?<rounds> rounds=[1-9]\d{3,8} ){0} (?<salt> [A-Za-z0-9./]{,16} ){0} (?<csum> [A-Za-z0-9./]{43,86} ){0} \A [$] \g<id> (?: [$] \g<rounds> )? [$] \g<salt> [$] \g<csum> \z }x.match str return false unless md case md['id'] when '5' then return md['csum'].length == 43 when '6' then return md['csum'].length == 86 end end