bcrypt 3.1.11-java → 3.1.15-java

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: daebd0457608f18460625651148836dac8c525da398e08e75cb97244f6e19003
+  data.tar.gz: bc87d1670e61c2e420e610f3f32ae5159560b6d6171617a35cb78d9efc18a6f8
+SHA512:
+  metadata.gz: f18e30c92f9b3297e325c6c24f7466ad108f71d0fc1584d886b23d8cdb4408ef94a0c479cb1266e54f91f81ca9090dbd2109378724881a264fc6140c734e4fa7
+  data.tar.gz: 7ca77307a151d8ecedd50b9cba02ed3b3e34ff2a1c80ba05656f007f1eb161064cabdbf0267a6024819397c04c707ed7ab6e27f643b80879c14e1ed4c59479f0

data/.travis.yml

@@ -1,16 +1,23 @@
 language: ruby
+before_install:
+  - "echo 'gem: --no-rdoc --no-ri' > ~/.gemrc"
+  - gem update --system 2.7.8
+  - gem install bundler -v 1.17.3
 rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
-  - 2.2.0
-  - 2.3.0
+  - 2.0
+  - 2.1
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
   - ruby-head
-  - jruby-18mode
-  - jruby-19mode
   - jruby-head
-  - rbx-2
-  - ree
+  - rbx-3
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+    - rvm: jruby-head
+    - rvm: rbx-3
+  fast_finish: true
 script: bundle exec rake

data/CHANGELOG

@@ -1,84 +1,101 @@
-1.0.0  Feb 27 2007
- - Initial release.
+3.1.15 July 21 2020
+  - Remove GVL optimization.  Apparently it breaks things [GH #230]
 
-2.0.0  Mar 07 2007
- - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
- - Added BCrypt::Password#is_password?.
- - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
- - Added validation of secrets -- nil is not healthy.
+3.1.14 July 21 2020
+  - Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
 
-2.0.1  Mar 09 2007
- - Fixed load path issues
- - Fixed crashes when hashing weird values (e.g., false, etc.)
+3.1.13 May 31 2019
+  - No longer include compiled binaries for Windows. See GH #173.
+  - Update C and Java implementations to latest versions [GH #182 by @fonica]
+  - Bump default cost to 12 [GH #181 by @bdewater]
+  - Remove explicit support for Rubies 1.8 and 1.9
+  - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
 
-2.0.2  Jun 06 2007
- - Fixed example code in the README [Winson]
- - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+3.1.12 May 16 2018
+  - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
+  - Fix compatibility with libxcrypt [GH #164 by @besser82]
 
-2.0.3  May 07 2008
- - Made exception classes descend from StandardError, not Exception [Dan42]
- - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
-   sorting issues. [Lee Pope]
+3.1.11 Mar 06 2016
+  - Add support for Ruby 2.2 in compiled Windows binaries
 
-2.0.4  Mar 09 2009
-  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
-  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
+3.1.10 Jan 28 2015
+  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
 
-2.0.5  Mar 11 2009
-  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
+3.1.9  Oct 23 2014
+  - Rebuild corrupt binaries
 
-2.1.0  Aug 12 2009
-  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
-  - Ruby 1.9 compatibility fixes. [Hongli Lai]
-  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
-  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
+3.1.8  Oct 23 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
 
-2.1.1  Aug 14 2009
-  - JVM 1.4/1.5 compatibility [Hongli Lai]
+3.1.7  Feb 24 2014
+  - Rebuild corrupt Java binary version of gem [GH #90]
+  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
 
-2.1.2  Sep 16 2009
-  - Fixed support for Solaris, OpenSolaris.
+3.1.6  Feb 21 2014
+  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
+    bugs. It felt wrong to have that at a higher version than the real gem, so
+    the real gem is getting bumped to 3.1.6.
 
-3.0.0  Aug 24 2011
-  - Bcrypt C implementation replaced with a public domain implementation.
-  - License changed to MIT
+3.1.3  Feb 21 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries
+  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
 
-3.0.1  Sep 12 2011
-  - create raises an exception if the cost is higher than 31. GH #27
+3.1.2  Aug 26 2013
+  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
+  - Add support for 64-bit Windows
+
+3.1.1  Jul 10 2013
+  - Remove support for Ruby 1.8 in compiled win32 binaries
 
 3.1.0  May 07 2013
   - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
   - BCrypt::Password cost should be set to DEFAULT_COST if nil
   - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
 
-3.1.1  Jul 10 2013
-  - Remove support for Ruby 1.8 in compiled win32 binaries
+3.0.1  Sep 12 2011
+  - create raises an exception if the cost is higher than 31. GH #27
 
-3.1.2  Aug 26 2013
-  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
-  - Add support for 64-bit Windows
+3.0.0  Aug 24 2011
+  - Bcrypt C implementation replaced with a public domain implementation.
+  - License changed to MIT
 
-3.1.3  Feb 21 2014
-  - Add support for Ruby 2.1 in compiled Windows binaries
-  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+2.1.2  Sep 16 2009
+  - Fixed support for Solaris, OpenSolaris.
 
-3.1.6  Feb 21 2014
-  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
-    bugs. It felt wrong to have that at a higher version than the real gem, so
-    the real gem is getting bumped to 3.1.6.
+2.1.1  Aug 14 2009
+  - JVM 1.4/1.5 compatibility [Hongli Lai]
 
-3.1.7  Feb 24 2014
-  - Rebuild corrupt Java binary version of gem [GH #90]
-  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+2.1.0  Aug 12 2009
+  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
+  - Ruby 1.9 compatibility fixes. [Hongli Lai]
+  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
+  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
 
-3.1.8  Oct 23 2014
-  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
+2.0.5  Mar 11 2009
+  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
 
-3.1.9  Oct 23 2014
-  - Rebuild corrupt binaries
+2.0.4  Mar 09 2009
+  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
+  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
 
-3.1.10 Jan 28 2015
-  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
+2.0.3  May 07 2008
+ - Made exception classes descend from StandardError, not Exception [Dan42]
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
+   sorting issues. [Lee Pope]
 
-3.1.11 Mar 06 2016
-  - Add support for Ruby 2.2 in compiled Windows binaries
+2.0.2  Jun 06 2007
+ - Fixed example code in the README [Winson]
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+
+2.0.1  Mar 09 2007
+ - Fixed load path issues
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
+
+2.0.0  Mar 07 2007
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
+ - Added BCrypt::Password#is_password?.
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
+ - Added validation of secrets -- nil is not healthy.
+
+1.0.0  Feb 27 2007
+ - Initial release.

data/Gemfile.lock

@@ -1,44 +1,37 @@
 PATH
   remote: .
   specs:
-    bcrypt (3.1.11)
+    bcrypt (3.1.15)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    diff-lcs (1.2.5)
-    json (1.8.3)
-    json (1.8.3-java)
-    rake (10.4.2)
-    rake-compiler (0.9.5)
+    diff-lcs (1.4.4)
+    rake (13.0.1)
+    rake-compiler (0.9.9)
       rake
-    rdoc (3.12.2)
-      json (~> 1.4)
-    rspec (3.3.0)
-      rspec-core (~> 3.3.0)
-      rspec-expectations (~> 3.3.0)
-      rspec-mocks (~> 3.3.0)
-    rspec-core (3.3.2)
-      rspec-support (~> 3.3.0)
-    rspec-expectations (3.3.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-mocks (3.3.2)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-support (3.3.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
 
 PLATFORMS
   java
   ruby
-  x64-mingw32
-  x86-mingw32
 
 DEPENDENCIES
   bcrypt!
   rake-compiler (~> 0.9.2)
-  rdoc (~> 3.12)
   rspec (>= 3)
 
 BUNDLED WITH
-   1.11.2
+   2.2.0.dev

data/README.md

@@ -2,9 +2,11 @@
 
 An easy way to keep your users' passwords secure.
 
-* http://github.com/codahale/bcrypt-ruby/tree/master
+* https://github.com/codahale/bcrypt-ruby/tree/master
+
+[![Travis Build Status](https://travis-ci.org/codahale/bcrypt-ruby.svg?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+[![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/6fplerx9lnaf0hyo?svg=true)](https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby)
 
-[![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
 
 ## Why you should use `bcrypt()`
 
@@ -18,7 +20,7 @@ security experts is not a professional response to risk.
 `bcrypt()` allows you to easily harden your application against these kinds of attacks.
 
 *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
-vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
+vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
 was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
 passwords with international characters in them, you will need to
 re-hash those passwords. This vulnerability only affected the JRuby gem.
@@ -27,82 +29,71 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 
     gem install bcrypt
 
-The bcrypt gem is available on the following ruby platforms:
+The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 1.8, 1.9, 2.0, 2.1, and 2.2 builds on win32
-* Any 1.8, 1.9, 2.0, 2.1, 2.2, or 2.3 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller 2.0 – 2.5 builds on Windows with the DevKit
+* Any 2.0 – 2.5 Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 
 *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
-`has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
+`has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
 implements a similar authentication strategy to the code below.
 
 ### The _User_ model
-
-    require 'bcrypt'
-
-    class User < ActiveRecord::Base
-      # users.password_hash in the database is a :string
-      include BCrypt
-
-      def password
-        @password ||= Password.new(password_hash)
-      end
-
-      def password=(new_password)
-        @password = Password.create(new_password)
-        self.password_hash = @password
-      end
-    end
-
+```ruby
+require 'bcrypt'
+
+class User < ActiveRecord::Base
+  # users.password_hash in the database is a :string
+  include BCrypt
+
+  def password
+    @password ||= Password.new(password_hash)
+  end
+
+  def password=(new_password)
+    @password = Password.create(new_password)
+    self.password_hash = @password
+  end
+end
+```
 ### Creating an account
-
-    def create
-      @user = User.new(params[:user])
-      @user.password = params[:password]
-      @user.save!
-    end
-
+```ruby
+def create
+  @user = User.new(params[:user])
+  @user.password = params[:password]
+  @user.save!
+end
+```
 ### Authenticating a user
-
-    def login
-      @user = User.find_by_email(params[:email])
-      if @user.password == params[:password]
-        give_token
-      else
-        redirect_to home_url
-      end
-    end
-
-### If a user forgets their password?
-
-    # assign them a random one and mail it to them, asking them to change it
-    def forgot_password
-      @user = User.find_by_email(params[:email])
-      random_password = Array.new(10).map { (65 + rand(58)).chr }.join
-      @user.password = random_password
-      @user.save!
-      Mailer.create_and_deliver_password_change(@user, random_password)
-    end
-
+```ruby
+def login
+  @user = User.find_by_email(params[:email])
+  if @user.password == params[:password]
+    give_token
+  else
+    redirect_to home_url
+  end
+end
+```
 ## How to use bcrypt-ruby in general
+```ruby
+require 'bcrypt'
 
-    require 'bcrypt'
-
-    my_password = BCrypt::Password.create("my password")
-      #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
-
-    my_password.version              #=> "2a"
-    my_password.cost                 #=> 10
-    my_password == "my password"     #=> true
-    my_password == "not my password" #=> false
+my_password = BCrypt::Password.create("my password")
+#=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
 
-    my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
-    my_password == "my password"     #=> true
-    my_password == "not my password" #=> false
+my_password.version              #=> "2a"
+my_password.cost                 #=> 12
+my_password == "my password"     #=> true
+my_password == "not my password" #=> false
 
+my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
+my_password == "my password"     #=> true
+my_password == "not my password" #=> false
+```
 Check the rdocs for more details -- BCrypt, BCrypt::Password.
 
 ## How `bcrypt()` works
@@ -166,20 +157,20 @@ If an attacker was using Ruby to check each password, they could check ~140,000
 In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
 passwords will still work fine, but new passwords can keep up with the times.
 
-The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
+The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
 stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
 server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
 
 To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
-
-    BCrypt::Password.create('secret').cost
-      #=> 10, the default provided by bcrypt-ruby
-
-    # set a new default cost
-    BCrypt::Engine.cost = 8
-    BCrypt::Password.create('secret').cost
-      #=> 8
-
+```ruby
+BCrypt::Password.create('secret').cost
+  #=> 12, the default provided by bcrypt-ruby
+
+# set a new default cost
+BCrypt::Engine.cost = 8
+BCrypt::Password.create('secret').cost
+  #=> 8
+```
 The default cost can be overridden as needed by passing an options hash with a different cost:
 
     BCrypt::Password.create('secret', :cost => 6).cost  #=> 6
@@ -191,13 +182,13 @@ system available.
 
 For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
 Usenix99 paper:
-http://www.usenix.org/events/usenix99/provos.html
+https://www.usenix.org/events/usenix99/provos.html
 
 If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
 Ferguson and Bruce Schneier:
-http://www.schneier.com/book-practical.html
+https://www.schneier.com/book-practical.html
 
 # Etc
 
 * Author  :: Coda Hale <coda.hale@gmail.com>
-* Website :: http://blog.codahale.com
+* Website :: https://codahale.com