class CryptCheckpass::SHA2

Implements sha256crypt and sha512crypt by Ulrich Drepper. These are the default for `/etc/shadow` on most Linux distributions, and no security flaws are known at the moment.

### Newhash:

You can use `crypt_newhash` to create a new password hash using SHA2:

```ruby
crypt_newhash(password, id: 'sha256', rounds: 1024)
```

where:

- `password` is the raw binary password that you want to digest.

- `id` is either "sha256" or "sha512".

- `rounds` is the number of iteration rounds.

The generated password hash has the following format.

### Format:

Hash strings generated by sha256crypt are constructed like this:

```ruby
%r{
  (?<id>     5                   ){0}
  (?<rounds> rounds=[1-9]\d{3,8} ){0}
  (?<salt>   [A-Za-z0-9./]{,16}  ){0}
  (?<csum>   [A-Za-z0-9./]{43}   ){0}

  \A     [$] \g<id>
     (?: [$] \g<rounds> )?
         [$] \g<salt>
         [$] \g<csum>
  \z
}x
```

That of sha512crypt is constructed like this:

```ruby
%r{
  (?<id>     6                   ){0}
  (?<rounds> rounds=[1-9]\d{3,8} ){0}
  (?<salt>   [A-Za-z0-9./]{,16}  ){0}
  (?<csum>   [A-Za-z0-9./]{86}   ){0}

  \A     [$] \g<id>
     (?: [$] \g<rounds> )?
         [$] \g<salt>
         [$] \g<csum>
  \z
}x
```

@see www.akkadia.org/drepper/SHA-crypt.txt

@example

```ruby
crypt_newhash 'password', id: 'sha256'
# => "$5$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4"
```

@example

```ruby
crypt_checkpass? 'password', '$5$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4'
# => true
```

@example

```ruby
crypt_newhash 'password', id: 'sha512'
# => "$6$oIlkXbDGlU.HktGx$L7xkRSQYLe/yCbz6hIM2JSY6EMtkr/CyvR71Bhr9VkotfEOUiwY8A0rAuSFmO1titWLA8hTKQXWl3ZX0QqokS0"
```

@example

```ruby
crypt_checkpass? 'password', '$6$oIlkXbDGlU.HktGx$L7xkRSQYLe/yCbz6hIM2JSY6EMtkr/CyvR71Bhr9VkotfEOUiwY8A0rAuSFmO1titWLA8hTKQXWl3ZX0QqokS0'
# => true
```
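The format above can also be used to audit stored hashes. The following is an added example, not code from crypt_checkpass: it parses a hash string with the page's pattern and reports the effective round count, going slightly beyond the page by applying the 5000-round default that Drepper's specification uses when the `rounds=` field is absent. The names `SHA2_CRYPT`, `parse_sha2_crypt` and `weak_rounds?` are hypothetical.

```ruby
# Added example: names below (SHA2_CRYPT, parse_sha2_crypt, weak_rounds?)
# are hypothetical and not part of crypt_checkpass.

# The two format regexps from this page, merged (as understand? does).
SHA2_CRYPT = %r{
  (?<id>     5 | 6                ){0}
  (?<rounds> rounds=[1-9]\d{3,8}  ){0}
  (?<salt>   [A-Za-z0-9./]{,16}   ){0}
  (?<csum>   [A-Za-z0-9./]{43,86} ){0}

  \A     [$] \g<id>
     (?: [$] \g<rounds> )?
         [$] \g<salt>
         [$] \g<csum>
  \z
}x

DEFAULT_ROUNDS = 5000 # used by the SHA-crypt spec when rounds= is absent
CSUM_LENGTH    = { '5' => 43, '6' => 86 }.freeze

# Returns the parsed fields, or nil if str is not a well-formed hash.
def parse_sha2_crypt(str)
  md = SHA2_CRYPT.match(str)
  return nil unless md && md[:csum].length == CSUM_LENGTH[md[:id]]
  explicit = md[:rounds]
  { algorithm: md[:id] == '5' ? 'sha256' : 'sha512',
    rounds: explicit ? explicit.delete_prefix('rounds=').to_i : DEFAULT_ROUNDS,
    explicit_rounds: !explicit.nil?,
    salt: md[:salt] }
end

# Audit helper: true when a stored hash uses fewer rounds than minimum.
def weak_rounds?(str, minimum:)
  fields = parse_sha2_crypt(str)
  raise ArgumentError, 'not a sha256crypt/sha512crypt hash' unless fields
  fields[:rounds] < minimum
end

# Sample input: the first hash is from this page; the second is constructed
# (well-formed, but its checksum was not computed for these parameters).
SAMPLES = [
  '$5$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4',
  '$5$rounds=1000$eWGIDuRO1LEg8sAB$Pjdxj3AVy4GnFfeOfz8Ek1Gn.vDwTFMMyNk56x/lc.4'
].freeze

SAMPLES.each do |h|
  puts format('%-8s rounds=%-6d weak=%s', parse_sha2_crypt(h)[:algorithm],
              parse_sha2_crypt(h)[:rounds], weak_rounds?(h, minimum: 5000))
end
```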

Public Class Methods

checkpass?(pass, hash)

(see CryptCheckpass.checkpass?)

```ruby
# File lib/crypt_checkpass/sha2.rb, line 129
def self.checkpass? pass, hash
  require 'unix-crypt', 'unix_crypt'

  return UnixCrypt.valid? pass, hash
end
```

newhash(pass, id: 'sha256', rounds: nil)

(see CryptCheckpass.newhash)

- @param pass [String] raw binary password string.

- @param id [String] name of the algorithm.

- @param rounds [Integer] rounds of stretching.

```ruby
# File lib/crypt_checkpass/sha2.rb, line 149
def self.newhash pass, id: 'sha256', rounds: nil
  require 'unix-crypt', 'unix_crypt'

  case id
  when 'sha256' then
    klass = UnixCrypt::SHA256
  when 'sha512' then
    klass = UnixCrypt::SHA512
  else
    raise ArgumentError, 'unknown id: %p', id
  end
  return klass.build pass, nil, rounds
end
```

provide?(id)

(see CryptCheckpass.provide?)

```ruby
# File lib/crypt_checkpass/sha2.rb, line 136
def self.provide? id
  case id when 'sha256', 'sha512' then
    return true
  else
    return false
  end
end
```

understand?(str)

(see CryptCheckpass.understand?)

```ruby
# File lib/crypt_checkpass/sha2.rb, line 108
def self.understand? str
  md = %r{
    (?<id>     5 | 6                ){0}
    (?<rounds> rounds=[1-9]\d{3,8}  ){0}
    (?<salt>   [A-Za-z0-9./]{,16}   ){0}
    (?<csum>   [A-Za-z0-9./]{43,86} ){0}

    \A     [$] \g<id>
       (?: [$] \g<rounds> )?
           [$] \g<salt>
           [$] \g<csum>
    \z
  }x.match str
  return false unless md
  case md['id']
  when '5' then return md['csum'].length == 43
  when '6' then return md['csum'].length == 86
  end
end
```