bcrypt 3.1.11-java → 3.1.15-java
- checksums.yaml +7 -0
- data/.travis.yml +18 -11
- data/CHANGELOG +76 -59
- data/Gemfile.lock +16 -23
- data/README.md +68 -77
- data/Rakefile +2 -23
- data/appveyor.yml +50 -0
- data/bcrypt.gemspec +1 -3
- data/ext/jruby/bcrypt_jruby/BCrypt.java +524 -351
- data/ext/mri/bcrypt_ext.c +3 -3
- data/ext/mri/crypt.h +12 -1
- data/ext/mri/crypt_blowfish.c +269 -152
- data/ext/mri/crypt_blowfish.h +27 -0
- data/ext/mri/crypt_gensalt.c +27 -14
- data/ext/mri/crypt_gensalt.h +30 -0
- data/ext/mri/extconf.rb +6 -0
- data/ext/mri/ow-crypt.h +25 -17
- data/ext/mri/wrapper.c +338 -46
- data/ext/mri/x86.S +203 -0
- data/lib/bcrypt.rb +1 -6
- data/lib/bcrypt/engine.rb +7 -5
- data/lib/bcrypt/password.rb +3 -3
- data/spec/bcrypt/engine_spec.rb +77 -2
- data/spec/bcrypt/password_spec.rb +2 -2
- metadata +31 -56
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: daebd0457608f18460625651148836dac8c525da398e08e75cb97244f6e19003
|
4
|
+
data.tar.gz: bc87d1670e61c2e420e610f3f32ae5159560b6d6171617a35cb78d9efc18a6f8
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: f18e30c92f9b3297e325c6c24f7466ad108f71d0fc1584d886b23d8cdb4408ef94a0c479cb1266e54f91f81ca9090dbd2109378724881a264fc6140c734e4fa7
|
7
|
+
data.tar.gz: 7ca77307a151d8ecedd50b9cba02ed3b3e34ff2a1c80ba05656f007f1eb161064cabdbf0267a6024819397c04c707ed7ab6e27f643b80879c14e1ed4c59479f0
|
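Review bot: the digests in checksums.yaml are integrity checks, not authentication: they are generated at gem build time and travel inside the same .gem archive, so whoever can replace data.tar.gz can regenerate them. They are still worth having, because they let a consumer confirm that the package fetched from the registry is byte-identical to the one this diff describes (hash the downloaded `metadata.gz` and `data.tar.gz` and compare with the SHA256/SHA512 values above). Provenance needs something outside the archive, such as a signed gem (`gem cert`) or registry-side verification; the generated hunk itself is fine.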
data/.travis.yml
CHANGED
@@ -1,16 +1,23 @@
|
|
1
1
|
language: ruby
|
2
|
+
before_install:
|
3
|
+
- "echo 'gem: --no-rdoc --no-ri' > ~/.gemrc"
|
4
|
+
- gem update --system 2.7.8
|
5
|
+
- gem install bundler -v 1.17.3
|
2
6
|
rvm:
|
3
|
-
-
|
4
|
-
- 1
|
5
|
-
-
|
6
|
-
- 2.
|
7
|
-
- 2.
|
8
|
-
- 2.
|
9
|
-
- 2.
|
7
|
+
- 2.0
|
8
|
+
- 2.1
|
9
|
+
- 2.2
|
10
|
+
- 2.3
|
11
|
+
- 2.4
|
12
|
+
- 2.5
|
13
|
+
- 2.6
|
10
14
|
- ruby-head
|
11
|
-
- jruby-18mode
|
12
|
-
- jruby-19mode
|
13
15
|
- jruby-head
|
14
|
-
- rbx-
|
15
|
-
|
16
|
+
- rbx-3
|
17
|
+
matrix:
|
18
|
+
allow_failures:
|
19
|
+
- rvm: ruby-head
|
20
|
+
- rvm: jruby-head
|
21
|
+
- rvm: rbx-3
|
22
|
+
fast_finish: true
|
16
23
|
script: bundle exec rake
|
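Review bot: the rvm matrix no longer gates anything on JRuby: `jruby-18mode` and `jruby-19mode` are removed and the only JRuby entry left is `jruby-head`, which `allow_failures` lets fail, so a regression in the Java implementation (the largest change in this release by the file list, `BCrypt.java +524 -351`) would not fail the build of the `-java` gem this diff covers. Add a released JRuby version to `rvm:` that is not under `allow_failures`. The `gem update --system 2.7.8` and `gem install bundler -v 1.17.3` pins are reasonable, but they disagree with the `2.2.0.dev` Bundler recorded in the Gemfile.lock hunk below.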
data/CHANGELOG
CHANGED
@@ -1,84 +1,101 @@
|
|
1
|
-
1.
|
2
|
-
|
1
|
+
3.1.15 July 21 2020
|
2
|
+
- Remove GVL optimization. Apparently it breaks things [GH #230]
|
3
3
|
|
4
|
-
|
5
|
-
|
6
|
-
- Added BCrypt::Password#is_password?.
|
7
|
-
- Refactored out BCrypt::Internals into more useful BCrypt::Engine.
|
8
|
-
- Added validation of secrets -- nil is not healthy.
|
4
|
+
3.1.14 July 21 2020
|
5
|
+
- Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
|
9
6
|
|
10
|
-
|
11
|
-
|
12
|
-
|
7
|
+
3.1.13 May 31 2019
|
8
|
+
- No longer include compiled binaries for Windows. See GH #173.
|
9
|
+
- Update C and Java implementations to latest versions [GH #182 by @fonica]
|
10
|
+
- Bump default cost to 12 [GH #181 by @bdewater]
|
11
|
+
- Remove explicit support for Rubies 1.8 and 1.9
|
12
|
+
- Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
|
13
13
|
|
14
|
-
|
15
|
-
|
16
|
-
|
14
|
+
3.1.12 May 16 2018
|
15
|
+
- Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
|
16
|
+
- Fix compatibility with libxcrypt [GH #164 by @besser82]
|
17
17
|
|
18
|
-
|
19
|
-
|
20
|
-
- Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
|
21
|
-
sorting issues. [Lee Pope]
|
18
|
+
3.1.11 Mar 06 2016
|
19
|
+
- Add support for Ruby 2.2 in compiled Windows binaries
|
22
20
|
|
23
|
-
|
24
|
-
-
|
25
|
-
- Fixed segfaults on some different types of empty strings. [Mike Pomraning]
|
21
|
+
3.1.10 Jan 28 2015
|
22
|
+
- Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
|
26
23
|
|
27
|
-
|
28
|
-
-
|
24
|
+
3.1.9 Oct 23 2014
|
25
|
+
- Rebuild corrupt binaries
|
29
26
|
|
30
|
-
|
31
|
-
-
|
32
|
-
- Ruby 1.9 compatibility fixes. [Hongli Lai]
|
33
|
-
- JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
|
34
|
-
- Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
|
27
|
+
3.1.8 Oct 23 2014
|
28
|
+
- Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
|
35
29
|
|
36
|
-
|
37
|
-
-
|
30
|
+
3.1.7 Feb 24 2014
|
31
|
+
- Rebuild corrupt Java binary version of gem [GH #90]
|
32
|
+
- The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
|
38
33
|
|
39
|
-
|
40
|
-
-
|
34
|
+
3.1.6 Feb 21 2014
|
35
|
+
- Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
|
36
|
+
bugs. It felt wrong to have that at a higher version than the real gem, so
|
37
|
+
the real gem is getting bumped to 3.1.6.
|
41
38
|
|
42
|
-
3.
|
43
|
-
-
|
44
|
-
-
|
39
|
+
3.1.3 Feb 21 2014
|
40
|
+
- Add support for Ruby 2.1 in compiled Windows binaries
|
41
|
+
- Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
|
45
42
|
|
46
|
-
3.
|
47
|
-
-
|
43
|
+
3.1.2 Aug 26 2013
|
44
|
+
- Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
|
45
|
+
- Add support for 64-bit Windows
|
46
|
+
|
47
|
+
3.1.1 Jul 10 2013
|
48
|
+
- Remove support for Ruby 1.8 in compiled win32 binaries
|
48
49
|
|
49
50
|
3.1.0 May 07 2013
|
50
51
|
- Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
|
51
52
|
- BCrypt::Password cost should be set to DEFAULT_COST if nil
|
52
53
|
- Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
|
53
54
|
|
54
|
-
3.
|
55
|
-
-
|
55
|
+
3.0.1 Sep 12 2011
|
56
|
+
- create raises an exception if the cost is higher than 31. GH #27
|
56
57
|
|
57
|
-
3.
|
58
|
-
-
|
59
|
-
-
|
58
|
+
3.0.0 Aug 24 2011
|
59
|
+
- Bcrypt C implementation replaced with a public domain implementation.
|
60
|
+
- License changed to MIT
|
60
61
|
|
61
|
-
|
62
|
-
-
|
63
|
-
- Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
|
62
|
+
2.1.2 Sep 16 2009
|
63
|
+
- Fixed support for Solaris, OpenSolaris.
|
64
64
|
|
65
|
-
|
66
|
-
-
|
67
|
-
bugs. It felt wrong to have that at a higher version than the real gem, so
|
68
|
-
the real gem is getting bumped to 3.1.6.
|
65
|
+
2.1.1 Aug 14 2009
|
66
|
+
- JVM 1.4/1.5 compatibility [Hongli Lai]
|
69
67
|
|
70
|
-
|
71
|
-
-
|
72
|
-
-
|
68
|
+
2.1.0 Aug 12 2009
|
69
|
+
- Improved code coverage, unit tests, and build chain. [Hongli Lai]
|
70
|
+
- Ruby 1.9 compatibility fixes. [Hongli Lai]
|
71
|
+
- JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
|
72
|
+
- Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
|
73
73
|
|
74
|
-
|
75
|
-
-
|
74
|
+
2.0.5 Mar 11 2009
|
75
|
+
- Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
|
76
76
|
|
77
|
-
|
78
|
-
-
|
77
|
+
2.0.4 Mar 09 2009
|
78
|
+
- Added Ruby 1.9 compatibility. [Genki Takiuchi]
|
79
|
+
- Fixed segfaults on some different types of empty strings. [Mike Pomraning]
|
79
80
|
|
80
|
-
|
81
|
-
|
81
|
+
2.0.3 May 07 2008
|
82
|
+
- Made exception classes descend from StandardError, not Exception [Dan42]
|
83
|
+
- Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
|
84
|
+
sorting issues. [Lee Pope]
|
82
85
|
|
83
|
-
|
84
|
-
|
86
|
+
2.0.2 Jun 06 2007
|
87
|
+
- Fixed example code in the README [Winson]
|
88
|
+
- Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
|
89
|
+
|
90
|
+
2.0.1 Mar 09 2007
|
91
|
+
- Fixed load path issues
|
92
|
+
- Fixed crashes when hashing weird values (e.g., false, etc.)
|
93
|
+
|
94
|
+
2.0.0 Mar 07 2007
|
95
|
+
- Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
|
96
|
+
- Added BCrypt::Password#is_password?.
|
97
|
+
- Refactored out BCrypt::Internals into more useful BCrypt::Engine.
|
98
|
+
- Added validation of secrets -- nil is not healthy.
|
99
|
+
|
100
|
+
1.0.0 Feb 27 2007
|
101
|
+
- Initial release.
|
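Review bot: the 3.1.15 entry "Remove GVL optimization. Apparently it breaks things [GH #230]" removes something no earlier entry in this file records adding (the only related line is 2.1.0's "Ruby 1.9 GIL releasing for high-cost hashes"), so a reader cannot tell whether 3.1.15 now holds the GVL for the whole of a hash, which matters for threaded servers at the new default cost; state the resulting behaviour explicitly. Two more entries deserve a sentence each: "Bump default cost to 12 [GH #181 by @bdewater]" roughly quadruples the work of every `Password.create` call that does not pass `:cost` (the old README showed a default of 10, and each cost step doubles the work), which is a latency change operators should expect; and "Update C and Java implementations to latest versions [GH #182 by @fonica]" should name the upstream versions pulled in, since the file list shows new assembly (`data/ext/mri/x86.S +203 -0`) and a much larger `wrapper.c` that downstream auditors will want to match against upstream.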
data/Gemfile.lock
CHANGED
@@ -1,44 +1,37 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
bcrypt (3.1.
|
4
|
+
bcrypt (3.1.15)
|
5
5
|
|
6
6
|
GEM
|
7
7
|
remote: https://rubygems.org/
|
8
8
|
specs:
|
9
|
-
diff-lcs (1.
|
10
|
-
|
11
|
-
|
12
|
-
rake (10.4.2)
|
13
|
-
rake-compiler (0.9.5)
|
9
|
+
diff-lcs (1.4.4)
|
10
|
+
rake (13.0.1)
|
11
|
+
rake-compiler (0.9.9)
|
14
12
|
rake
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
rspec-
|
19
|
-
|
20
|
-
rspec-
|
21
|
-
rspec-
|
22
|
-
rspec-support (~> 3.3.0)
|
23
|
-
rspec-expectations (3.3.1)
|
13
|
+
rspec (3.9.0)
|
14
|
+
rspec-core (~> 3.9.0)
|
15
|
+
rspec-expectations (~> 3.9.0)
|
16
|
+
rspec-mocks (~> 3.9.0)
|
17
|
+
rspec-core (3.9.2)
|
18
|
+
rspec-support (~> 3.9.3)
|
19
|
+
rspec-expectations (3.9.2)
|
24
20
|
diff-lcs (>= 1.2.0, < 2.0)
|
25
|
-
rspec-support (~> 3.
|
26
|
-
rspec-mocks (3.
|
21
|
+
rspec-support (~> 3.9.0)
|
22
|
+
rspec-mocks (3.9.1)
|
27
23
|
diff-lcs (>= 1.2.0, < 2.0)
|
28
|
-
rspec-support (~> 3.
|
29
|
-
rspec-support (3.3
|
24
|
+
rspec-support (~> 3.9.0)
|
25
|
+
rspec-support (3.9.3)
|
30
26
|
|
31
27
|
PLATFORMS
|
32
28
|
java
|
33
29
|
ruby
|
34
|
-
x64-mingw32
|
35
|
-
x86-mingw32
|
36
30
|
|
37
31
|
DEPENDENCIES
|
38
32
|
bcrypt!
|
39
33
|
rake-compiler (~> 0.9.2)
|
40
|
-
rdoc (~> 3.12)
|
41
34
|
rspec (>= 3)
|
42
35
|
|
43
36
|
BUNDLED WITH
|
44
|
-
|
37
|
+
2.2.0.dev
|
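Review bot: `BUNDLED WITH 2.2.0.dev` records a development build of Bundler in a lockfile that ships inside the gem, while the .travis.yml hunk installs Bundler 1.17.3; regenerate the lockfile with the released Bundler that CI uses so the two agree. The rest is consistent with the CHANGELOG: the `x64-mingw32` and `x86-mingw32` platforms go away with the Windows binaries, `rdoc (~> 3.12)` is dropped, and rspec moves to 3.9 with matching transitive pins.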
data/README.md
CHANGED
@@ -2,9 +2,11 @@
|
|
2
2
|
|
3
3
|
An easy way to keep your users' passwords secure.
|
4
4
|
|
5
|
-
*
|
5
|
+
* https://github.com/codahale/bcrypt-ruby/tree/master
|
6
|
+
|
7
|
+
[](https://travis-ci.org/codahale/bcrypt-ruby)
|
8
|
+
[](https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby)
|
6
9
|
|
7
|
-
[](https://travis-ci.org/codahale/bcrypt-ruby)
|
8
10
|
|
9
11
|
## Why you should use `bcrypt()`
|
10
12
|
|
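Review bot: the new AppVeyor badge points at a personal project (`https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby`) while the Travis badge and the repository link point at `codahale/bcrypt-ruby`; a badge tied to one maintainer's account goes stale when that account stops running builds, so consider an organisation-level AppVeyor project or, if Windows source builds are not going to be tracked, no badge at all.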
@@ -18,7 +20,7 @@ security experts is not a professional response to risk.
|
|
18
20
|
`bcrypt()` allows you to easily harden your application against these kinds of attacks.
|
19
21
|
|
20
22
|
*Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
|
21
|
-
vulnerability](
|
23
|
+
vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
|
22
24
|
was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
|
23
25
|
passwords with international characters in them, you will need to
|
24
26
|
re-hash those passwords. This vulnerability only affected the JRuby gem.
|
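Review bot: the advisory paragraph names versions that the CHANGELOG hunk in this same diff does not contain: it says JRuby gem `<= 2.1.3` was vulnerable and `>= 2.1.4` fixed it, but the CHANGELOG goes from 2.1.2 (Sep 16 2009) straight to 3.0.0 (Aug 24 2011). Either the fix entry is missing from the CHANGELOG or the README version numbers are off; reconcile them so someone auditing an old deployment can rely on one of the two. The advice "you will need to re-hash those passwords" also deserves one more sentence: a bcrypt hash cannot be converted to another hash, so the re-hash has to happen on each affected user's next successful login (or by forcing a reset), and the version check applies to the `-java` gem specifically, since the note says only the JRuby gem was affected.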
@@ -27,82 +29,71 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
|
|
27
29
|
|
28
30
|
gem install bcrypt
|
29
31
|
|
30
|
-
The bcrypt gem is available on the following
|
32
|
+
The bcrypt gem is available on the following Ruby platforms:
|
31
33
|
|
32
34
|
* JRuby
|
33
|
-
* RubyInstaller
|
34
|
-
* Any
|
35
|
+
* RubyInstaller 2.0 – 2.5 builds on Windows with the DevKit
|
36
|
+
* Any 2.0 – 2.5 Ruby on a BSD/OS X/Linux system with a compiler
|
35
37
|
|
36
38
|
## How to use `bcrypt()` in your Rails application
|
37
39
|
|
38
40
|
*Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
|
39
|
-
`has_secure_password` [docs](
|
41
|
+
`has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
|
40
42
|
implements a similar authentication strategy to the code below.
|
41
43
|
|
42
44
|
### The _User_ model
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
45
|
+
```ruby
|
46
|
+
require 'bcrypt'
|
47
|
+
|
48
|
+
class User < ActiveRecord::Base
|
49
|
+
# users.password_hash in the database is a :string
|
50
|
+
include BCrypt
|
51
|
+
|
52
|
+
def password
|
53
|
+
@password ||= Password.new(password_hash)
|
54
|
+
end
|
55
|
+
|
56
|
+
def password=(new_password)
|
57
|
+
@password = Password.create(new_password)
|
58
|
+
self.password_hash = @password
|
59
|
+
end
|
60
|
+
end
|
61
|
+
```
|
60
62
|
### Creating an account
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
63
|
+
```ruby
|
64
|
+
def create
|
65
|
+
@user = User.new(params[:user])
|
66
|
+
@user.password = params[:password]
|
67
|
+
@user.save!
|
68
|
+
end
|
69
|
+
```
|
68
70
|
### Authenticating a user
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
### If a user forgets their password?
|
80
|
-
|
81
|
-
# assign them a random one and mail it to them, asking them to change it
|
82
|
-
def forgot_password
|
83
|
-
@user = User.find_by_email(params[:email])
|
84
|
-
random_password = Array.new(10).map { (65 + rand(58)).chr }.join
|
85
|
-
@user.password = random_password
|
86
|
-
@user.save!
|
87
|
-
Mailer.create_and_deliver_password_change(@user, random_password)
|
88
|
-
end
|
89
|
-
|
71
|
+
```ruby
|
72
|
+
def login
|
73
|
+
@user = User.find_by_email(params[:email])
|
74
|
+
if @user.password == params[:password]
|
75
|
+
give_token
|
76
|
+
else
|
77
|
+
redirect_to home_url
|
78
|
+
end
|
79
|
+
end
|
80
|
+
```
|
90
81
|
## How to use bcrypt-ruby in general
|
82
|
+
```ruby
|
83
|
+
require 'bcrypt'
|
91
84
|
|
92
|
-
|
93
|
-
|
94
|
-
my_password = BCrypt::Password.create("my password")
|
95
|
-
#=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
|
96
|
-
|
97
|
-
my_password.version #=> "2a"
|
98
|
-
my_password.cost #=> 10
|
99
|
-
my_password == "my password" #=> true
|
100
|
-
my_password == "not my password" #=> false
|
85
|
+
my_password = BCrypt::Password.create("my password")
|
86
|
+
#=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
|
101
87
|
|
102
|
-
|
103
|
-
|
104
|
-
|
88
|
+
my_password.version #=> "2a"
|
89
|
+
my_password.cost #=> 12
|
90
|
+
my_password == "my password" #=> true
|
91
|
+
my_password == "not my password" #=> false
|
105
92
|
|
93
|
+
my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
|
94
|
+
my_password == "my password" #=> true
|
95
|
+
my_password == "not my password" #=> false
|
96
|
+
```
|
106
97
|
Check the rdocs for more details -- BCrypt, BCrypt::Password.
|
107
98
|
|
108
99
|
## How `bcrypt()` works
|
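Review bot: the `login` example dereferences `@user` without a nil check; `User.find_by_email` returns nil for an unknown address, so `@user.password == params[:password]` raises NoMethodError instead of redirecting. Guard it, for instance `if @user && @user.password == params[:password]`, and say in the text that when the user is missing the bcrypt comparison is skipped entirely, so the unknown-address path is much faster than the wrong-password path; comparing the submitted password against a fixed dummy hash in that branch keeps the two timings alike. The platform list is also stale: it still says "RubyInstaller 2.0 – 2.5 builds on Windows with the DevKit" and "Any 2.0 – 2.5 Ruby", while CHANGELOG 3.1.13 says Windows binaries are no longer included and .travis.yml now tests up to 2.6. Dropping the old `forgot_password` sample was the right call: it built the temporary password with `rand`, which is not a cryptographically secure generator.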
@@ -166,20 +157,20 @@ If an attacker was using Ruby to check each password, they could check ~140,000
|
|
166
157
|
In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
|
167
158
|
passwords will still work fine, but new passwords can keep up with the times.
|
168
159
|
|
169
|
-
The default cost factor used by bcrypt-ruby is
|
160
|
+
The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
|
170
161
|
stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
|
171
162
|
server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
|
172
163
|
|
173
164
|
To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
165
|
+
```ruby
|
166
|
+
BCrypt::Password.create('secret').cost
|
167
|
+
#=> 12, the default provided by bcrypt-ruby
|
168
|
+
|
169
|
+
# set a new default cost
|
170
|
+
BCrypt::Engine.cost = 8
|
171
|
+
BCrypt::Password.create('secret').cost
|
172
|
+
#=> 8
|
173
|
+
```
|
183
174
|
The default cost can be overridden as needed by passing an options hash with a different cost:
|
184
175
|
|
185
176
|
BCrypt::Password.create('secret', :cost => 6).cost #=> 6
|
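Review bot: the example `BCrypt::Engine.cost = 8` changes a process-wide default, which the text does not say; an initializer or library that sets it affects every `Password.create` call in the process. The per-call form shown right after (`BCrypt::Password.create('secret', :cost => 6).cost #=> 6`) is the safer thing to recommend for the stateless-authentication case. Worth adding here as well: since `Password#cost` exposes the cost stored in a hash, an application that raises its default can re-hash on the next successful login whenever the stored cost is below the current `BCrypt::Engine.cost`, which is how old hashes "keep up with the times" in practice. Minor: "the security provided you" should read "the security provided to you".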
@@ -191,13 +182,13 @@ system available.
|
|
191
182
|
|
192
183
|
For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
|
193
184
|
Usenix99 paper:
|
194
|
-
|
185
|
+
https://www.usenix.org/events/usenix99/provos.html
|
195
186
|
|
196
187
|
If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
|
197
188
|
Ferguson and Bruce Schneier:
|
198
|
-
|
189
|
+
https://www.schneier.com/book-practical.html
|
199
190
|
|
200
191
|
# Etc
|
201
192
|
|
202
193
|
* Author :: Coda Hale <coda.hale@gmail.com>
|
203
|
-
* Website ::
|
194
|
+
* Website :: https://codahale.com
|
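Review bot: `<i>Practical Cryptography</i>` is raw HTML inside a Markdown file; `*Practical Cryptography*` renders the same everywhere Markdown is rendered and survives renderers that strip inline HTML. The move of the Usenix, Schneier and website links to https is fine.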