Forum: JRuby String#crypt behaving differently that in MRI

Aed90714f90b6daf64087984740640bf?d=identicon&s=25 henning mueller (Guest)
on 2013-09-19 13:45
(Received via mailing list)
Hey,

I tried getting a Rails project working on JRuby 1.7.4 and a test
regarding password hashes failed. Passwords hashes are created by:

password.crypt('$6$' + salt)

On MRI (2.0.0-p247), this returns a proper sha512-crypt hash. In JRuby a
significantly shorter hash with two characters salt is returned:

"foobar".crypt('$6$2mlKb.sZpswpnZlt')
=> "$6GFbj3O6XCj2"

Is this expected behaviour? For me this looks like nothing, the crypt(3)
function of glibc even supports. Do I have to use an external gem to
generate sha512-crypt hashes?

Thanks in advance!
henning
F1d37642fdaa1662ff46e4c65731e9ab?d=identicon&s=25 Charles Nutter (headius)
on 2013-09-19 18:21
(Received via mailing list)
Can you put this in the form of a bug report on Github with some code
to reproduce the effect?

We certainly don't use the libc crypt but we should produce the same
result as MRI.

An alternative that you (or we) could potentially use would be to FFI
bind the actual crypt function. I've done a prototype here:
https://gist.github.com/headius/6625851

There's also a Ruby DES library here:
https://github.com/robertsosinski/ruby-des

In any case, we should do the right thing when you use built-in
libraries, so file an issue please.

- Charlie
13313ac2ec7ba7c43b1b952db034ff3b?d=identicon&s=25 Thomas E Enebo (Guest)
on 2013-09-19 18:36
(Received via mailing list)
Hmmm, my 2.0pl247 does not do this:

% jruby -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6GFbj3O6XCj2"
% mri19 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6GFbj3O6XCj2"
% mri20 -e 'p "foobar".crypt(%q($6$2mlKb.sZpswpnZlt))'
"$6GFbj3O6XCj2"

Could this be some gem which is monkey-patching this method?

This output has been what I have expected from crypt for the last 25+
years
(2char salt prepended to front), but I agree this version of crypt is
getting outdated and probably should be a much more robust one-way hash
:)

-Tom
13313ac2ec7ba7c43b1b952db034ff3b?d=identicon&s=25 Thomas E Enebo (Guest)
on 2013-09-19 18:38
(Received via mailing list)
Perhaps this is just a difference as Charlie mentioned that glibc#crypt
is
different on different OSes now (I am running on MacOS)?  If so then we
will for sure need to use FFI to hook into this...

-Tom
Aed90714f90b6daf64087984740640bf?d=identicon&s=25 henning mueller (Guest)
on 2013-09-22 13:18
(Received via mailing list)
Hey,

Am 19.09.2013 18:18, schrieb Charles Oliver Nutter:
> Can you put this in the form of a bug report on Github with some code
> to reproduce the effect?

I filed a bug report on GitHub:
https://github.com/jruby/jruby/issues/1035

Thanks for your efforts!
henning
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.