Sadaf_N
September 19, 2013, 1:45pm
Hey,
I tried getting a Rails project working on JRuby 1.7.4 and a test
regarding password hashes failed. Password hashes are created by:
    password.crypt('$6$' + salt)
On MRI (2.0.0-p247), this returns a proper sha512-crypt hash. In JRuby a
significantly shorter hash with a two-character salt is returned:
    "foobar".crypt('$6$2mlKb.sZpswpnZlt')
    => "$6GFbj3O6XCj2"
Is this expected behaviour? To me this looks like nothing the crypt(3)
function of glibc even supports. Do I have to use an external gem to
generate sha512-crypt hashes?
Thanks in advance!
henning
Can you put this in the form of a bug report on Github with some code
to reproduce the effect?
We certainly don’t use the libc crypt but we should produce the same
result as MRI.
An alternative that you (or we) could potentially use would be to FFI
bind the actual crypt function. I’ve done a prototype here:
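ffi_crypt.rb
    require 'ffi'

    # Bind the C library's crypt function through FFI.
    module Crypt
      extend FFI::Library
      ffi_lib 'c'
      # crypt takes two strings (key, salt) and returns a string
      attach_function :crypt, [:string, :string], :string
    end

    p Crypt.crypt 'this is a string', 'this is the salt'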
There’s also a Ruby DES library here:
In any case, we should do the right thing when you use built-in
libraries, so file an issue please.
Hmmm, my 2.0pl247 does not do this:
    % jruby -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
    "$6GFbj3O6XCj2"
    % mri19 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
    "$6GFbj3O6XCj2"
    % mri20 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
    "$6GFbj3O6XCj2"
Could this be some gem which is monkey-patching this method?
This output has been what I have expected from crypt for the last 25+
years (2char salt prepended to front), but I agree this version of crypt is
getting outdated and probably should be a much more robust one-way hash.
-Tom
Perhaps this is just a difference as Charlie mentioned that glibc#crypt
is different on different OSes now (I am running on MacOS)? If so then we
will for sure need to use FFI to hook into this…
-Tom
Hey,
On 19.09.2013 18:18, Charles Oliver N. wrote:
> Can you put this in the form of a bug report on Github with some code
> to reproduce the effect?
I filed a bug report on GitHub:
opened 11:09AM - 22 Sep 13 UTC
closed 08:58PM - 08 Dec 14 UTC
core
I tried getting a Rails project working on JRuby 1.7.4 and a test
regarding password hashes failed. Password hashes are created by:
<pre>
password.crypt('$6$' + salt)
</pre>
On JRuby 1.7.4 the output looks like:
<pre>
$ jruby -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6GFbj3O6XCj2"
</pre>
On MRI 1.9.3-p448:
<pre>
$ mri19 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6$2mlKb.sZpswpnZlt$yT2dFkrWNtGzxVDgTon7BN2RSh8QRZAznZn.d6ocP/QkAXMTKVXTi0z931ocCYQhvFPzlZPr/OPEmfw8C9pDJ."
</pre>
And on MRI 2.0.0-247:
<pre>
$ mri20 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6$2mlKb.sZpswpnZlt$yT2dFkrWNtGzxVDgTon7BN2RSh8QRZAznZn.d6ocP/QkAXMTKVXTi0z931ocCYQhvFPzlZPr/OPEmfw8C9pDJ."
</pre>
I am developing on Arch Linux with glibc 2.18, RUBY_DESCRIPTION in JRuby is:
<pre>
jruby 1.7.4 (1.9.3p392) 2013-05-16 2390d3b on OpenJDK 64-Bit Server VM 1.7.0_40-b31 +indy [linux-amd64]
</pre>
Thanks for your efforts!
henning
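
The short and long outputs reported in this thread can be told apart mechanically. The following is an added example, not code from any poster or from JRuby; the function names and the probe password default are assumptions of the example, and the digest lengths are those of the glibc md5-, sha256- and sha512-crypt encodings.

```ruby
# Modular crypt format ids, with the encoded digest length each scheme yields.
MCF_SCHEMES = {
  '1' => [:md5_crypt, 22], '5' => [:sha256_crypt, 43], '6' => [:sha512_crypt, 86]
}.freeze
MCF_RE = %r{\A\$(\w+)\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]+)\z}
DES_TAIL_RE = %r{\A[./0-9A-Za-z]{11}\z}

# Values quoted in the thread.
SETTING      = '$6$2mlKb.sZpswpnZlt'
SHORT_RESULT = '$6GFbj3O6XCj2'
FULL_RESULT  = '$6$2mlKb.sZpswpnZlt$yT2dFkrWNtGzxVDgTon7BN2RSh8QRZAznZn.d6ocP/QkAXMTKVXTi0z931ocCYQhvFPzlZPr/OPEmfw8C9pDJ.'

# Returns the scheme symbol for a "$id$salt$hash" result, :des_fallback when a
# "$id$" setting came back as a 13-character traditional DES hash (2 salt
# characters copied from the setting + 11 hash characters), :des_crypt when a
# plain 2-character salt was asked for, or :unknown.
def classify_crypt(setting, result)
  result = result.to_s
  if (m = MCF_RE.match(result))
    scheme, digest_len = MCF_SCHEMES[m[1]]
    return scheme if scheme && m[3].length == digest_len
    return :unknown # unknown id, or a digest of the wrong length (truncated)
  end
  des = result.length == 13 && result[0, 2] == setting[0, 2] &&
        DES_TAIL_RE.match?(result[2, 11])
  return :unknown unless des
  setting.start_with?('$') ? :des_fallback : :des_crypt
end

# Hashes a probe password with this runtime's String#crypt and classifies it.
# Hypothetical helper: the name and the default probe are assumptions.
def runtime_crypt_scheme(setting, probe = 'foobar')
  classify_crypt(setting, probe.crypt(setting))
rescue StandardError
  :unknown # crypt missing, or the platform rejected the setting
end

if __FILE__ == $PROGRAM_NAME
  puts "thread, short output: #{classify_crypt(SETTING, SHORT_RESULT)}"
  puts "thread, full output:  #{classify_crypt(SETTING, FULL_RESULT)}"
  puts "this runtime:         #{runtime_crypt_scheme(SETTING)}"
end
```

A test that fails unless `runtime_crypt_scheme(SETTING)` returns `:sha512_crypt` flags the behaviour reported here before short hashes reach a user table.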