To answer my own question:

Research went better today. The crucial part was finding out that PHP
crypt() is compatible with the FreeBSD MD5 crypt (dating from 1994, no
less). Armed with that knowledge, I turned up a few gems offering these
capabilities. crypt3 and unix-crypt both looked pretty good, and I went with
crypt3. Oh, and DES is native in Ruby as the String instance method crypt().
After that, authlogic makes it quite easy to add custom crypto providers:

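  module PhpCrypt
    module CryptoProviders
      # FreeBSD MD5 crypt ("$1$..." hashes), via the crypt3 gem
      class MD5
        def self.encrypt *tokens
          Crypt3.crypt tokens.join
        end

        def self.matches? crypted, *tokens
          begin
            Crypt3.check tokens.join, crypted
          rescue
            # an unparseable stored hash counts as a non-match
            false
          end
        end
      end

      # Traditional DES crypt, via Ruby's native String#crypt
      class DES
        class << self
          # class-level writer, to pair with the class-level reader below
          attr_writer :salt
        end

        def self.salt
          @salt ||= "ab"
        end

        def self.encrypt *tokens
          tokens.join.crypt salt
        end

        def self.matches? crypted, *tokens
          # the first two characters of a DES crypt hash are its salt
          salt = crypted[ 0..1 ]
          crypted == tokens.join.crypt( salt )
        end
      end
    end
  end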

...
  acts_as_authentic do |c|
    c.transition_from_crypto_providers [
      PhpCrypt::CryptoProviders::DES,
      PhpCrypt::CryptoProviders::MD5
    ]
  end

I imagine it would be similarly possible to write crypto providers for the
other algorithms PHP offers. I can only hope that the googlebot indexes this
well enough to save someone else in my situation some time.

Ian

On Sun, Feb 27, 2011 at 1:08 PM, Ian Young <[email protected]> wrote:

> Hey all,
>
> I've got a project with a lot of existing accounts created in crappy PHP
> using the crypt() function, both with the MD5 implementation and with (gasp)
> DES. I'm working on using authlogic for the new authentication, but I need a
> way to validate these old hashes. Has anyone run into a similar problem
> before? It's looking a bit hairy (authlogic's MD5 crypto provider !=
> crypt()'s MD5), and I'm thinking I can't be the only one to have dealt with
> this, but Google isn't turning up anything useful.
>
> Thanks,
> Ian
>

-- 
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
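
An added example, not code from the original post or from crypt3 or authlogic: a pure-Ruby FreeBSD MD5 crypt check, showing why a single MD5 digest can never match a PHP crypt() "$1$" hash, plus detection of the legacy scheme from the stored hash format. The names md5_crypt, to64, secure_eq, verify_legacy and SAMPLE are assumptions made for illustration; the sample hash is the test vector given in the openssl passwd manual page.

```ruby
require "digest/md5"

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Test vector from the openssl passwd manual: password "password", salt "xxxxxxxx".
SAMPLE = "$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a."

def to64(value, count) # crypt's base64 variant, low 6 bits first
  Array.new(count) { ch = ITOA64[value & 0x3f]; value >>= 6; ch }.join
end

# FreeBSD MD5 crypt: salted and iterated 1000 times, unlike one Digest::MD5 pass.
def md5_crypt(password, salt)
  pw = password.b
  salt = salt.b[0, 8]
  alt = Digest::MD5.digest(pw + salt + pw)
  ctx = pw + "$1$" + salt
  pw.bytesize.step(1, -16) { |n| ctx << alt[0, [n, 16].min] }
  i = pw.bytesize
  while i > 0 # one byte per bit of the password length
    ctx << (i.odd? ? "\0" : pw[0])
    i >>= 1
  end
  final = Digest::MD5.digest(ctx)
  1000.times do |r|
    c = r.odd? ? pw.dup : final.dup
    c << salt unless (r % 3).zero?
    c << pw unless (r % 7).zero?
    c << (r.odd? ? final : pw)
    final = Digest::MD5.digest(c)
  end
  b = final.bytes
  groups = [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]]
  body = groups.map { |x, y, z| to64((b[x] << 16) | (b[y] << 8) | b[z], 4) }.join
  "$1$" + salt + "$" + body + to64(b[11], 2)
end

def secure_eq(a, b) # compares every byte, no early exit on the first mismatch
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :md5_crypt or :des when the password matches the legacy hash, else nil.
def verify_legacy(password, stored)
  if stored.start_with?("$1$")
    salt = stored[3..-1].split("$").first.to_s
    :md5_crypt if secure_eq(md5_crypt(password, salt), stored)
  elsif stored.match?(%r{\A[./0-9A-Za-z]{13}\z})
    :des if secure_eq(password.crypt(stored[0, 2]), stored) # DES: 2-char salt
  end
end

p verify_legacy("password", SAMPLE)
```

A non-nil result tells the caller which legacy scheme matched, so the account can be re-hashed under the new provider at that login.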
