GitLocker: The Coding Marketplace

Description:

crypt

crypt #
One-way string hashing for salted passwords using the Unix crypt format.
This package implements the SHA-256 crypt hash and SHA-512 crypt hash,
cryptographic hash formats that are specified in
"Unix crypt using SHA-256 and SHA-512"
(version: 0.6 2016-08-31).
These hashes are commonly used in Unix and POSIX systems, and in LDAP
entries as authentication credentials for POSIX accounts.
Crypt format strings #
It can produce crypt formatted string like:
$5$xYWYo0raYwLSchAd$na8cL1H.ESWtof6DNwraE6p8WI9DYObZ3irMe01Guk6
and
$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA
The format is a sequence of fields, leading and separated by a
dollar sign ($):

algorithm indicator;
number of rounds (optional if it is the default number of rounds);
the salt; and
the hash value.

The formated string starts with $5$ for a SHA-256 crypt and $6$
for a SHA-512 crypt. There are other (less secure) algorithms, but
they are currently not supported by this package.
When SHA-256 or SHA-512 is being used, the default number of rounds is
5000 (as defined by the specification).
Note: different systems use the crypt formatted string
differently. For example, as the value of the userPassword
attribute in an LDAP posixAccount entry, {crypt} needs to be
prepended to it. For example,
{crypt}$5$xYWYo0raYwLSchAd$na8cL1H.ESWtof6DNwraE6p8WI9DYObZ3irMe01Guk6
Usage #
Checking against a crypt format hash #
To test if an entered password matches the password that was used to
create a crypt format hash, create a Crypt object from the crypt
format has and invoke the match method on it.

bool isValid(String cryptFormatHash, String enteredPassword) =>
Crypt(cryptFormatHash).match(enteredPassword);
copied to clipboard
Generating a crypt format hash #
To generate a crypt format hash, use Crypt.sha256 or Crypt.sha512
constructors, and convert it to a String.
import 'package:crypt/crypt.dart';

void main() {
// Creating crypt strings

// Default rounds and random salt generated
final c1 = Crypt.sha256('p@ssw0rd');

// Random salt generated
final c2 = Crypt.sha256('p@ssw0rd', rounds: 10000);

// Default rounds
final c3 = Crypt.sha256('p@ssw0rd', salt: 'abcdefghijklmnop');

// No defaults used
final c4 = Crypt.sha256('p@ssw0rd', rounds: 10000,
salt: 'abcdefghijklmnop');

// SHA-512
final d1 = Crypt.sha512('p@ssw0rd');

print(c1);
print(c2);
print(c3);
print(c4);
print(d1);

// Comparing a value to a crypt hash

for (final hashString in [
r'$5$zQUCjEzs9jnrRdCK$dbo1i9WjQjbUwOC4JCRAZHpfd31Dh676vI0L6w0dZw1',
c1.toString(),
c2.toString(),
c3.toString(),
c4.toString(),
d1.toString(),
]) {
// Parse the crypt string: this extracts the type, rounds and salt
final h = Crypt(hashString);

const correctValue = 'p@ssw0rd';
const wrongValue = '123456';

if (!h.match(correctValue)) {
print('Error: unexpected non-match: $correctValue');
}

if (h.match(wrongValue)) {
print('Error: unexpected match: $wrongValue');
}
}
}
copied to clipboard
The above example produced the following output:
$5$jYq8PvB6hI3cLREQ$FGBjCL5NO1qSwync3LOlCWTnIBJCjVsFtst9jNnnBx9
$5$rounds=10000$wJiiNy1TwwaWhGFN$t2JsIqOgfXh/3LLQF.YA9XDlJmtpLYmSe4i9TZl7cM.
$5$abcdefghijklmnop$gUWLu9sDI2Qvs112Xb8jmgD3ySIRE5ek63jk6ybSs7D
$5$rounds=10000$abcdefghijklmnop$51muKIziT9VAyDZ2ZueAYvAwgIYx0cLxUCIAlPoWaHD
$6$LJgzW1oI9UZ5w8HO$pTL3hmFg2zBkQPqRhcej6CmY2Az0WLDVlnMGTg//71D3hDEvKCB7XqwtinHEM1rlD/YAlEjhy2Lb3LJQsNvXx.
copied to clipboard
Features and bugs #
Random number generators #
Salt generation uses a cryptographically secure random number
generator, if one is available. If one is not available, it falls back
to using a cryptographically insecure one.
Set Crypt.cryptographicallySecureSalts to true to prevent a
cryptographically insecure random number from being used. An
exception will then be thrown if attempting to generate a salt on
platforms that don't support a cryptographically secure random number
generator.
Explicitly set it to false to allow this fallback behaviour in future
releases. The default is currently set to false, for backward
compatibility. But a future release may set the default to true for
improved security. Explicitly setting it to false will ensure code
will still work when that breaking change is made.
Dependency on the crypto package #
The current release depends on the Dart crypto package
version 3.0.0, which has support for SHA-512. If you need to use an
older version of crypto, use version 2.0.0 of this package -- but
that older version won't have support for SHA-512 crypt strings
and is not null safe.
Please file feature requests and bugs at the GitHub issue tracker.