[ANN] phpass password hashing for Lua


Nagaev Boris
Hi all,

I'm very pleased to announce that a Lua implementation of the portable
PHP password hashing framework is available.

================================================
Homepage: https://github.com/starius/lua-phpass
Installation: luarocks install phpass
Dependencies: LuaCrypto
License: MIT
================================================

phpass (pronounced "pH pass") is a portable public domain password
hashing framework for use in PHP applications [1]. phpass has been
integrated into WordPress, bbPress, Vanilla, PivotX, Chyrp, Textpattern
and concrete5.

This Lua module implements a subset of phpass (iterated MD5). It's
sufficient to create and check a password hash compatible with the portable
phpass hash, e.g. a password from a WordPress database. Blowfish-based
bcrypt and BSDI-style extended DES-based hashes are not supported.

The code was tested against Lua 5.1, 5.2 and LuaJIT 2.0, 2.1.
LuaCrypto fails to build against Lua 5.3.

Usage
-----

    phpass = require 'phpass'
    password = 'test12345'
    hash = phpass.hashPassword(password)
    --> "$P$EYyDnrNHtS2MG5vTVkvXD6wMnd0C/N/"
    phpass.checkPassword(password, hash) --> true
    phpass.checkPassword('other password', hash) --> false

Notes
-----

Python-phpass, a Python implementation of phpass [2], was used as a reference.

The algorithm used in phpass.hashPassword generates a random salt, so
this function returns different hashes for a password.

phpass.hashPassword has a second argument, count_log2, which is log2 of
the number of iterations. The hashing algorithm is as follows:

    count = 2 ^ count_log2
    salt = ...
    hash = md5(salt .. password)
    for i = 1, count do
        hash = md5(hash .. password)
    end

[1] http://www.openwall.com/phpass/
[2] https://github.com/exavolt/python-phpass

--


Best regards,
Boris Nagaev
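
The portable hash layout and iteration loop described in the announcement above, as an added Python example (not code from lua-phpass or from any poster in this thread). It assumes the standard phpass portable layout: "$P$", one character encoding count_log2, an 8-character salt, and 22 characters of encoded MD5 output; the function names and the default count_log2 of 8 are chosen for this example.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$P$EYyDnrNHtS2MG5vTVkvXD6wMnd0C/N/"  # sample hash from the announcement

def encode64(data: bytes) -> str:
    """phpass base64 variant: each 3-byte group is little-endian, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # 3 bytes -> 4 chars, 1 byte -> 2 chars
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def parse_setting(stored: str):
    """Return (count_log2, salt) from a '$P$' hash, or None if it is malformed."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        return None
    if any(c not in ITOA64 for c in stored[3:]):
        return None
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # range accepted by phpass
        return None
    return count_log2, stored[4:12]

def crypt_portable(password: str, count_log2: int, salt: str) -> str:
    # md5(salt .. password), then 2^count_log2 rounds of md5(hash .. password)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + encode64(digest)

def hash_password(password: str, count_log2: int = 8) -> str:
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 must be between 7 and 30")
    salt = encode64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return crypt_portable(password, count_log2, salt)

def check_password(password: str, stored: str) -> bool:
    setting = parse_setting(stored)
    if setting is None:  # malformed or unsupported hash never verifies
        return False
    expected = crypt_portable(password, *setting)
    return hmac.compare_digest(expected.encode(), stored.encode())
```

parse_setting(PAGE_HASH) returns (16, 'YyDnrNHt'): the iteration count is readable from the stored hash itself, so a database of such hashes can be audited for low work factors without knowing any password.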


Re: [ANN] phpass password hashing for Lua

Luiz Henrique de Figueiredo
> LuaCrypto fails to build against Lua 5.3.

For the record, lcrypto.c compiles fine under Lua 5.3 with -DLUA_COMPAT_5_2.

It also compiles fine under Lua 5.3 without -DLUA_COMPAT_5_2 if you
change this single line in lcrypto.c:
<     size_t count = (size_t)luaL_checkint(L, 1);
---
>     size_t count = (size_t)luaL_checkinteger(L, 1);
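
Review bot: In the replacement line the result of luaL_checkinteger is cast straight to size_t with no range check. luaL_checkinteger returns a signed lua_Integer, so a negative argument converts to a very large count; the same was already true of the luaL_checkint line being replaced. Consider reading the value into a lua_Integer first and rejecting anything below zero with luaL_argcheck before the cast.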

I've tested this with LuaCrypto from
        http://mkottman.github.io/luacrypto/
        https://github.com/mkottman/luacrypto

Indeed, ./configure did not work for me under Mac OS X: it complained
about failing to find pkg-config for Lua. But the simple commands below
built crypto.so:
        cc -c -DLUA_COMPAT_5_2 -Wno-deprecated lcrypto.c
        cc -bundle -undefined dynamic_lookup -o crypto.so lcrypto.o -lcrypto


Re: [ANN] phpass password hashing for Lua

Roberto Ierusalimschy
> > LuaCrypto fails to build against Lua 5.3.
>
> For the record, lcrypto.c compiles fine under Lua 5.3 with -DLUA_COMPAT_5_2.
>
> It also compiles fine under Lua 5.3 without -DLUA_COMPAT_5_2 if you
> change this single line in lcrypto.c:
> <     size_t count = (size_t)luaL_checkint(L, 1);
> ---
> >     size_t count = (size_t)luaL_checkinteger(L, 1);

Note that this change is backward compatible with Lua 5.2 and Lua
5.1. (And it can be slightly better than the original in those versions,
when 'size_t' is larger than 'int'...)

-- Roberto


Re: [ANN] phpass password hashing for Lua

Nagaev Boris
On Wed, May 13, 2015 at 11:28 AM, Luiz Henrique de Figueiredo wrote:

>> LuaCrypto fails to build against Lua 5.3.
>
> For the record, lcrypto.c compiles fine under Lua 5.3 with -DLUA_COMPAT_5_2.
>
> It also compiles fine under Lua 5.3 without -DLUA_COMPAT_5_2 if you
> change this single line in lcrypto.c:
> <     size_t count = (size_t)luaL_checkint(L, 1);
> ---
>>     size_t count = (size_t)luaL_checkinteger(L, 1);
>

Thank you for pointing that out! The patch works.

I have applied this patch to my fork of LuaCrypto [1]. There is also
a modified version of the rockspec for version 0.3.2 [2], which installs
the modified LuaCrypto. Finally, the Travis build against Lua 5.3 succeeded
[3]. Thank you!

[1] https://github.com/starius/luacrypto
[2] https://gist.githubusercontent.com/starius/b20d3e63929ae678c857/raw/4b4499f442337b6f577422364358590bd00c9d48/luacrypto-0.3.2-2.rockspec
[3] https://travis-ci.org/starius/lua-phpass/jobs/62408040


--


Best regards,
Boris Nagaev