head

Image

code

item

root

para

L<Examples| file:../examples/index.podlite>


L<Download |file:../download/index.podlite>


React

=begin React :component<HeaderCol> :id<menu> 
=para L<Documentation|/doc/introduction>
=para L<Modules| /mods>
=para L<Examples| file:../examples/index.podlite>
=para L<Download |file:../download/index.podlite>
=para L<About|file:../about/index.podlite>
=para 🔍 K<⌘K>/K<ctrl-K>
=end React


HEADER

FOOTER

README

This is a binding to the crypt() function that is typically defined in
libcrypt on most Unix-like systems or those providing a POSIX API.


There is at least a single exported subroutine crypt() that perform a one-way
encryption of the supplied plain text, with the provided "salt".
Depending on the implementation on your system, the structure of the
salt may influence the algorithm that is used to perform the encryption.
The default will probably be the DES algorithm that was traditionally
used to encrypt passwords on a Unix system, this is, however, not recommended
for new code:  see the section "Encryption mechanisms" below.


If the function C<crypt_gensalt> is provided by the C<libcrypt> then you
can call C<crypt> with a single argument which will used the preferred
encryption method with a generated random salt.


Because this is intended primarily for the encryption of passwords and
is "one way" (i.e. there is no mechanism to "decrypt" the crypt text,)
it is not suitable for general purpose encryption.


In order to check whether a password entered by a user is correct it
should be encrypted using the stored encrypted password as the "salt"
- the result will be the same as the stored crypt text if the password
is the same.


Depending on the particular implementation of C<crypt> on your system, there
may be more than one encryption available which is determined by the structure
of the provided C<salt>.  The default mechanism when the salt is two or
more alphanumeric characters is the DES algorithm which was the original
provided on Unix systems, it is however fairly weak and subject to brute
force attack so should be avoided where possible.


If alternative algorithms are available they are indicated by providing a
salt of the form:


=begin code

    $id$salt$encrypted

=end code


where C<id> identifies the encryption method to be used.  The actual
"salt" will be terminated with a C<$> as it may be of variable length
rather than the DES salt length of 2. The text after the third C<$>
will be ignored to allow an encrypted value to be passed as the salt in
further calls to C<crypt()>


The following values of C<id> may or may not be implemented on any given
system (or at all,) and the behaviour when using an un-implemented form is
not specified.


The MD5 algorithm is implemented on the majority of systems as it was provided
for use in places where export regulations originally prevented the use of
DES.


Blowfish is not implemented for C<glibc> but is available on FreeBSD


NT-Hash is available on FreeBSD and is intended to be compatible with
Microsoft's NT scheme.  It actually ignores the salt text.


You can probably get a description of all available methods on
your system from the C<crypt(5)> manpage (or e,g
L<https://manpages.debian.org/experimental/libcrypt1-dev/crypt.5.en.html> .)


If you have a reasonably modern C<libcrypt> then the subroutine
C<crypt-preferred-method> will return the prefix '$id$' as
described above of the best and recommended encryption method.
(if the library isn't sufficiently new the function will return
a Str type object.) Bear in mind however if you need to pass the
hashed password to other software, there may be other constraints
on the methods you can use.


use v6;

module Crypt::Libcrypt:ver<0.1.1>:auth<github:jonathanstowe>:api<1.0> {



Crypt::Libcrypt - simple binding to POSIX crypt(3)


NAME

=begin code

    use Crypt::Libcrypt;

    my $crypted = crypt($password, $salt );

    # Or if crypt_gensalt is available

    $crypted = crypt($password);

=end code


SYNOPSIS

DESCRIPTION


    use NativeCall;
    # Mac OSX uses libgcrypt to supply crypt()
    # FreeBSD always provides a non-versioned symlink AFAIK
    constant LIB = [
        $*DISTRO.name eq 'macosx' ?? 'libgcrypt.dylib' !! 'crypt',
        $*DISTRO.name eq 'freebsd' ?? Version !! v1
    ];


    sub crypt_preferred_method( --> Str) is native(LIB) { * }

    sub crypt-preferred-method(--> Str ) is export {
        (try crypt_preferred_method()) // Str
    }

    sub crypt_gensalt(Str, uint32, Str, int32 --> Str) is native(LIB) { * }

    sub crypt-generate-salt( --> Str ) is export {
        (try crypt_gensalt(Str, 0, Str, 0 ) ) // Str
    }

    sub _crypt(Str , Str  --> Str) is native(LIB) is symbol('crypt') { * }

    multi crypt(Str $password, Str $salt --> Str ) is export {
        _crypt($password, $salt)
    }

    multi crypt(Str $password where { crypt-preferred-method() } --> Str ) is export {
        _crypt($password, crypt-generate-salt() );
    }
}
# vim: expandtab shiftwidth=4 ft=raku


Crypt::AnyPasswordHash - use best installed password encryption


=begin code

use Crypt::AnyPasswordHash;

my $password = 'somepassword';

my Str $hash = hash-password($password);

if check-password($hash, $password ) {
    # password ok
}

=end code


This module exports two subroutines C<hash-password> and C<check-password>
which encrypt password and check a provided password against an encrypted hash.


The implementation for the C<hash-password> is provided by the first of:


which can be found.  C<Crypt::Libcrypt> will be installed as a dependency so it
will nearly always work but is dependent on the mechanisms provided by the C<libcrypt>:
with a fairly recent C<libcrypt> it will be able to determine and use the best
available algorithm, falling back to attempt SHA-512, however if that isn't available
it may fall back to DES which is not considered secure enough for production use. You
can tell you are getting DES when the hash returned by C<hash-password> is only 13
characters long, if this is the case then you should install one of the other providers.


The C<check-password> will attempt to validate against all the available mechanisms
until one validates the password or the mechanisms are exhausted.  This is so that, if
you are validating against stored hashes, if a new supported module is installed or
this module is upgraded then you will still be able to verify against hashes made by a
previous mechanism.




module Crypt::AnyPasswordHash {
}

sub EXPORT() {
    my &hash-password;
    my @checkers;

    my $DEBUG = ?%*ENV<CAPH_DEBUG> // False;

    my sub debug-load(Str $message) {
        note $message if $DEBUG;

    }

    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::SodiumPasswordHash'");
            }
        }
        if (require ::('Crypt::SodiumPasswordHash') <&sodium-hash &sodium-verify>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected 'Crypt::SodiumPasswordHash'");
                &hash-password = &sodium-hash;
            }
            @checkers.append: &sodium-verify;
        }
    }
    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::Argon2'");
            }
        }
        if (require ::('Crypt::Argon2') <&argon2-hash &argon2-verify>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected load 'Crypt::Argon2'");
                &hash-password = sub ( Str $password --> Str ) {
                    argon2-hash($password).subst(/\0+$/,'');
                };
            }
            @checkers.append: &argon2-verify;
        }
    }
    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::LibScrypt'");
            }
        }
        if ( require ::('Crypt::LibScrypt') <&scrypt-hash &scrypt-verify>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected load 'Crypt::LibScrypt'");
                &hash-password = &scrypt-hash;
            }
            @checkers.append: &scrypt-verify;
        }
    }
    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::SodiumScrypt'");
            }
        }
        if ( require ::('Crypt::SodiumScrypt') <&scrypt-hash &scrypt-verify>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected load 'Crypt::SodiumScrypt'");
                &hash-password = &scrypt-hash;
            }
            @checkers.append: &scrypt-verify;
        }
    }
    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::Bcrypt'");
            }
        }
        if ( require ::('Crypt::Bcrypt') <&bcrypt-hash &bcrypt-match>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected load 'Crypt::Bcrypt'");
                &hash-password = &bcrypt-hash;
            }
            @checkers.append: sub ( Str $hash, Str $password --> Bool ) {
                bcrypt-match($password, $hash);
            };
        }
    }
    {
        CATCH {
            default {
                debug-load("Couldn't load 'Crypt::LibCrypt'");
            }
        }
        # Without the 'try' here it ends up by attempting to serialize a VMException under
        # some circumstances that appears to be related to when consumer is compiled
        if ( try require ::('Crypt::Libcrypt') <&crypt &crypt-generate-salt>) !=== Nil {
            if !&hash-password.defined {
                debug-load("Selected load 'Crypt::LibCrypt'");
                sub generate-salt(--> Str) {
                    if crypt-generate-salt() -> $salt {
                        $salt;
                    }
                    else {
                        my @chars = (|("a" .. "z"), |("A" .. "Z"), |(0 .. 9));
                        if $*DISTRO.name eq 'macosx' {
                            @chars.pick(2).join;
                        }
                        else {
                            '$6$' ~ @chars.pick(16).join ~ '$';
                        }
                    }
                }

                &hash-password = sub ( Str $password --> Str ) {
                    crypt($password, generate-salt());
                };
            }

            @checkers.append: sub ( Str $hash, Str $password --> Bool ) {
                (crypt($password, $hash) // '' )  eq $hash
            };
        }
    }
    if !&hash-password.defined {
       die q:to/EOMESS/;
        No hashing module installed, please install one of 'Crypt::SodiumPasswordHash', 'Crypt::Argon2', 'Crypt::SodiumScrypt' or 'Crypt::Libcrypt'
       EOMESS
    }

    my &check-password = sub ( Str $hash, Str $password --> Bool ) {
        my $rc = False;
        for @checkers -> &check {
            if check($hash, $password ) {
                $rc = True;
                last;
            }
        }
        $rc;
    };

    %(
        '&hash-password'    =>  &hash-password,
        '&check-password'   =>  &check-password
    );
}

# vim: expandtab shiftwidth=4 ft=raku


AnyPasswordHash

The Raku Knowledge Base


=begin React :component<HeaderCol> :id<footer>  
=begin nested :!nested
=item1 B<Language>
    =item2 L<Get started|file:../getting-started/getting-started.podlite>
    =item2 L<Why Raku?|/doc/language/faq#Why-should-I-learn-Raku-What's-so-great-about-it>
    =item2 L<Try Raku|https://glot.io/new/raku>
    =item2 L<Raku cheat sheet|https://github.com/Raku/mu/blob/master/docs/Perl6/Cheatsheet/cheatsheet.txt>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<Raku on Exercism|https://exercism.org/tracks/raku>
    =item2 L<Wikipedia|https://en.wikipedia.org/wiki/Raku_(programming_language)>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>

=end nested
=begin nested :!nested

=item1 B<L<Documentation|/doc>>
    =item2 L<Getting started, Migration guides from other languages, & Tutorials | file:../doc/introduction.podlite>
    =item2 L<Language References|file:../doc/reference.podlite>
    =item2 L<Type Reference| file:../doc/types.podlite>
    =item2 L<Miscellaneous| file:../doc/miscellaneous.podlite>
    =item2 L<FAQs (Frequently Asked Questions)|/doc/language/faq>
    =item2 L<Community|/doc/language/community>
    =item2 L<The list of all documents|file:../doc/index.podlite>

=item1 B<Resources>
    =item2 L<The Raku Guide|https://raku.guide/>
    =item2 L<Books |https://perl6book.com/>
    =item2 L<Rosetta Code | https://www.raku.org/community/rosettacode>

=end nested
=begin nested :!nested

=item1 B<Resoures>
    =item2 L<Download | file:../download/index.podlite>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>

=item1 B<Learning>
    =item2 L<The Raku Guide|https://raku.guide/>
    =item2 L<Wikibook |https://en.wikibooks.org/wiki/Raku_Programming>
    =item2 L<Books |https://perl6book.com/>
    =item2 L<Rosetta Code | https://www.raku.org/community/rosettacode>
    =item2 L<Learn Raku in Y minutes|https://learnxinyminutes.com/docs/raku/>
    =item2 L<Golfing |https://github.com/AlexDaniel/raku-golf-cheatsheet>
=end nested
=begin nested :!nested

=item1 B<Explore>
    =item2 L<Raku Blog Aggregator|https://planet.raku.org/>
    =item2 L<Rakudo Weekly|https://rakudoweekly.blog/>
    =item2 L<The Weekly Challenge |https://perlweeklychallenge.org/>
    =item2 L<Raku Advent Calendar|https://raku-advent.blog/>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>
    =item2 L<empty|#>

=end nested
=end React


=begin React :component<CookieConsent> :id<CookieConsent> :buttonCaption("Got it!")
=para
This website uses cookies for analytics.
=end React


README

Crypt::AnyPasswordHash

image i_github_com_jonathanstowe_crypt_anypasswordhash_workflows_ci_badge_svg not found

Synopsis

Description

Installation

Support

Licence

Crypt::AnyPasswordHash v0.1.3

Authors

License

Dependencies

Test Dependencies

Provides

Documentation