bcrypt-ruby 2.0.2 → 2.0.3

data/CHANGELOG

@@ -13,4 +13,9 @@
 
 2.0.2  Jun 06 2007
  - Fixed example code in the README [Winson]
- - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+
+2.0.3  May 07 2008
+ - Made exception classes descend from StandardError, not Exception [Dan42]
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
+   sorting issues. [Lee Pope]

data/README

@@ -91,6 +91,8 @@ Check the rdocs for more details -- BCrypt, BCrypt::Password.
 
 bcrypt() is a hashing algorithm designed by Niels Provos and David Mazières of the OpenBSD Project.
 
+=== Background
+
 Hash algorithms take a chunk of data (e.g., your user's password) and create a "digital fingerprint," or hash, of it.
 Because this process is not reversible, there's no way to go from the hash back to the password.
 
@@ -102,11 +104,15 @@ You can store the hash and check it against a hash made of a potentially valid p
 
   <unique gibberish> =? hash(just_entered_password)
 
+=== Rainbow Tables
+
 But even this has weaknesses -- attackers can just run lists of possible passwords through the same algorithm, store the
 results in a big database, and then look up the passwords by their hash:
 
   PrecomputedPassword.find_by_hash(<unique gibberish>).password #=> "secret1"
 
+=== Salts
+
 The solution to this is to add a small chunk of random data -- called a salt -- to the password before it's hashed:
 
   hash(salt + p) #=> <really unique gibberish>
@@ -137,9 +143,17 @@ fingerprints as quickly as possible. bcrypt(), though, is designed to be computa
 If an attacker was using Ruby to check each password, they could check ~140,000 passwords a second with MD5 but only
 ~450 passwords a second with bcrypt().
 
+=== Cost Factors
+
 In addition, bcrypt() allows you to increase the amount of work required to hash a password as computers get faster. Old
 passwords will still work fine, but new passwords can keep up with the times.
 
+The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
+stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
+server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
+
+== More Information
+
 bcrypt() is currently used as the default password storage hash in OpenBSD, widely regarded as the most secure operating
 system available. 
 

data/Rakefile

@@ -7,7 +7,7 @@ require 'rake/rdoctask'
 require "benchmark"
 
 PKG_NAME = "bcrypt-ruby"
-PKG_VERSION   = "2.0.2"
+PKG_VERSION   = "2.0.3"
 PKG_FILE_NAME = "#{PKG_NAME}-#{PKG_VERSION}"
 PKG_FILES = FileList[
   '[A-Z]*',
@@ -26,7 +26,7 @@ CLOBBER.include(
   "doc/coverage"
 )
 
-task :default => [:spec]
+task :default => [:compile, :spec]
 
 desc "Run all specs"
 Spec::Rake::SpecTask.new do |t|
@@ -72,8 +72,7 @@ spec = Gem::Specification.new do |s|
   
   s.extensions = FileList["ext/extconf.rb"].to_a
   
-  s.autorequire = 'bcrypt'
-  s.author = ["Coda Hale"]
+  s.authors = ["Coda Hale"]
   s.email = "coda.hale@gmail.com"
   s.homepage = "http://bcrypt-ruby.rubyforge.org"
   s.rubyforge_project = "bcrypt-ruby"
@@ -89,6 +88,7 @@ task :compile => [:clean] do
   Dir.chdir('./ext')
   system "ruby extconf.rb"
   system "make"
+  Dir.chdir('..')
 end
 
 desc "Run a set of benchmarks on the compiled extension."

data/lib/bcrypt.rb

@@ -8,10 +8,10 @@ require "openssl"
 # hashing passwords.
 module BCrypt
   module Errors
-    class InvalidSalt   < Exception; end  # The salt parameter provided to bcrypt() is invalid.
-    class InvalidHash   < Exception; end  # The hash parameter provided to bcrypt() is invalid.
-    class InvalidCost   < Exception; end  # The cost parameter provided to bcrypt() is invalid.
-    class InvalidSecret < Exception; end  # The secret parameter provided to bcrypt() is invalid.
+    class InvalidSalt   < StandardError; end  # The salt parameter provided to bcrypt() is invalid.
+    class InvalidHash   < StandardError; end  # The hash parameter provided to bcrypt() is invalid.
+    class InvalidCost   < StandardError; end  # The cost parameter provided to bcrypt() is invalid.
+    class InvalidSecret < StandardError; end  # The secret parameter provided to bcrypt() is invalid.
   end
   
   # A Ruby wrapper for the bcrypt() extension calls.
@@ -28,7 +28,7 @@ module BCrypt
     
     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
     # a bcrypt() password hash.
-    def self.hash(secret, salt)
+    def self.hash_secret(secret, salt)
       if valid_secret?(secret)
         if valid_salt?(salt)
           __bc_crypt(secret.to_s, salt)
@@ -123,7 +123,7 @@ module BCrypt
       # 
       #   @password = BCrypt::Password.create("my secret", :cost => 13)
       def create(secret, options = { :cost => BCrypt::Engine::DEFAULT_COST })
-        Password.new(BCrypt::Engine.hash(secret, BCrypt::Engine.generate_salt(options[:cost])))
+        Password.new(BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(options[:cost])))
       end
     end
     
@@ -139,7 +139,7 @@ module BCrypt
     
     # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
     def ==(secret)
-      super(BCrypt::Engine.hash(secret, @salt))
+      super(BCrypt::Engine.hash_secret(secret, @salt))
     end
     alias_method :is_password?, :==
     
@@ -158,4 +158,4 @@ module BCrypt
       return v, c.to_i, h[0, 29], mash[-31, 31]
     end
   end
-end
+end

data/spec/bcrypt/engine_spec.rb

@@ -35,16 +35,16 @@ context "Generating BCrypt hashes" do
   end
   
   specify "should produce a string" do
-    BCrypt::Engine.hash(@password, @salt).should be_an_instance_of(String)
+    BCrypt::Engine.hash_secret(@password, @salt).should be_an_instance_of(String)
   end
   
   specify "should raise an InvalidSalt error if the salt is invalid" do
-    lambda { BCrypt::Engine.hash(@password, 'nino') }.should raise_error(BCrypt::Errors::InvalidSalt)
+    lambda { BCrypt::Engine.hash_secret(@password, 'nino') }.should raise_error(BCrypt::Errors::InvalidSalt)
   end
   
   specify "should raise an InvalidSecret error if the secret is invalid" do
-    lambda { BCrypt::Engine.hash(nil, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
-    lambda { BCrypt::Engine.hash(false, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
+    lambda { BCrypt::Engine.hash_secret(nil, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
+    lambda { BCrypt::Engine.hash_secret(false, @salt) }.should_not raise_error(BCrypt::Errors::InvalidSecret)
   end
   
   specify "should be interoperable with other implementations" do
@@ -57,7 +57,7 @@ context "Generating BCrypt hashes" do
       ["0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "$2a$05$abcdefghijklmnopqrstuu", "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui"]
     ]
     for secret, salt, test_vector in test_vectors
-      BCrypt::Engine.hash(secret, salt).should eql(test_vector)
+      BCrypt::Engine.hash_secret(secret, salt).should eql(test_vector)
     end
   end
-end
+end

metadata

@@ -1,49 +1,46 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.9.2
-specification_version: 1
 name: bcrypt-ruby
 version: !ruby/object:Gem::Version 
-  version: 2.0.2
-date: 2007-06-07 00:00:00 -07:00
-summary: OpenBSD's bcrypt() password hashing algorithm.
-require_paths: 
-- lib
-email: coda.hale@gmail.com
-homepage: http://bcrypt-ruby.rubyforge.org
-rubyforge_project: bcrypt-ruby
-description: bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project for hashing passwords. bcrypt-ruby provides a simple, humane wrapper for safely handling passwords.
-autorequire: bcrypt
-default_executable: 
-bindir: bin
-has_rdoc: true
-required_ruby_version: !ruby/object:Gem::Version::Requirement 
-  requirements: 
-  - - ">"
-    - !ruby/object:Gem::Version 
-      version: 0.0.0
-  version: 
+  version: 2.0.3
 platform: ruby
-signing_key: 
-cert_chain: 
-post_install_message: 
 authors: 
-- - Coda Hale
-files: 
-- CHANGELOG
+- Coda Hale
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-05-07 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project for hashing passwords. bcrypt-ruby provides a simple, humane wrapper for safely handling passwords.
+email: coda.hale@gmail.com
+executables: []
+
+extensions: 
+- ext/extconf.rb
+extra_rdoc_files: 
+- README
 - COPYING
+- CHANGELOG
+- lib/bcrypt.rb
+files: 
 - Rakefile
+- COPYING
 - README
+- CHANGELOG
 - lib/bcrypt.rb
-- spec/bcrypt/engine_spec.rb
-- spec/bcrypt/password_spec.rb
 - spec/spec_helper.rb
+- spec/bcrypt/password_spec.rb
+- spec/bcrypt/engine_spec.rb
+- ext/blowfish.c
 - ext/bcrypt.c
 - ext/bcrypt_ext.c
-- ext/blowfish.c
 - ext/blf.h
 - ext/extconf.rb
-test_files: []
-
+has_rdoc: true
+homepage: http://bcrypt-ruby.rubyforge.org
+post_install_message: 
 rdoc_options: 
 - --title
 - bcrypt-ruby
@@ -51,16 +48,26 @@ rdoc_options:
 - --inline-source
 - --main
 - README
-extra_rdoc_files: 
-- README
-- COPYING
-- CHANGELOG
-- lib/bcrypt.rb
-executables: []
-
-extensions: 
-- ext/extconf.rb
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
 requirements: []
 
-dependencies: []
+rubyforge_project: bcrypt-ruby
+rubygems_version: 1.1.1
+signing_key: 
+specification_version: 2
+summary: OpenBSD's bcrypt() password hashing algorithm.
+test_files: []