bcrypt 3.1.12 → 3.1.18

checksums.yaml

@@ -1,17 +1,7 @@
 ---
-!binary "U0hBMjU2":
-  metadata.gz: !binary |-
-    YjQwMDJlZTYyN2EzOTJhMzg3Y2YyMDgwYjZjYjdiOWRkNmNiZWRkYmMxNGVh
-    MzkyZDczMmIzOTNjYWMwNDI3ZQ==
-  data.tar.gz: !binary |-
-    MDdkNzlhOGZmYjNlNWMxODE3OTBhMmFiYWU3ZDFiNDA2N2M4YThhOWUxZTcy
-    YmEwZDE5ODg4ZWJhMjg5NWEzNg==
+SHA256:
+  metadata.gz: ba8b7b14c18d5ad7f8dcd58b2e719925695a8af445b232d50fc21695b3cd4200
+  data.tar.gz: a3a566bb869dcc9001dbeae8041595152444596253d152c9a374ce9c1503d817
 SHA512:
-  metadata.gz: !binary |-
-    YWFlMDYxYzFjM2NlNjY5YzhkZmVmYWIxNGI5NzFkNDgzZTdkYmViNmU4Mjhm
-    NmEzYjhiMjRlODA1ZDc2ZTRjNDQ3ODg4NzM1ZWI0YzIwNjU1YTZkZjE4MmQ3
-    Nzc1Y2IzZGM3YmZhOWQxYjI4OTBkY2RmMTE3MWZhZDhkYTQ4ZDA=
-  data.tar.gz: !binary |-
-    Njc0ODJhZWE3YTMwNTNhYmRlYjllYWZkYzM1YTg5OTU5NTAwNWYyMzU4ZWM2
-    ZmRlZmYyZGJlYWQ3NzcxNjNkOTNkODI5YTY4MTM1ZDllZGVmOTJmODNiNmRl
-    ZWRjZjRjOGRmM2FiNTM5M2I3MDBiYWYwN2NkNGZkNjZkYzI4ZjE=
+  metadata.gz: 9e21ae566338f46280af6576c42b54d6dfe9e75619c35a72b87f6401bef689be8526b3385a556f332c28d9a939ca7cd4f2104ef1483f4cc24d144ba837b69af4
+  data.tar.gz: 1c2e714911083b8aa457d9d16c5dd084acd6610e67a4f2c489ec137b1c503f2753d4a2c98e06446bc7771caec176b7b24a207f7395541e32c31268c8d8773551

data/.github/workflows/ruby.yml

@@ -0,0 +1,59 @@
+name: Test Suite
+
+# Run against all commits and pull requests.
+on: [ push, pull_request ]
+
+jobs:
+  test_matrix:
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu
+          - macos
+          - windows
+        ruby:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - '3.0'
+          - 3.1
+          - head
+          - jruby
+          - jruby-head
+          - truffleruby
+          - truffleruby-head
+          - mingw
+        exclude:
+          - { os: ubuntu,  ruby: mingw }
+          - { os: macos,   ruby: mingw }
+          - { os: windows, ruby: truffleruby }
+          - { os: windows, ruby: truffleruby-head }
+
+    runs-on: ${{ matrix.os }}-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+        env:
+          JAVA_OPTS: -Djdk.io.File.enableADS=true
+      - name: Run tests
+        run: bundle exec rake default
+        env:
+          JAVA_OPTS: -Djdk.io.File.enableADS=true
+
+  finish:
+    runs-on: ubuntu-latest
+    needs: [ test_matrix ]
+    steps:
+      - name: Wait for status checks
+        run: echo "All Green!"

data/.gitignore

@@ -7,3 +7,4 @@ tmp
 *.jar
 .DS_Store
 .rbenv-gemsets
+Gemfile.lock

data/CHANGELOG

@@ -1,88 +1,113 @@
-1.0.0  Feb 27 2007
- - Initial release.
+3.1.18 May 16 2022
+  - Unlock GVL when calculating hashes and salts [GH #260]
+  - Fix compilation warnings in `ext/mri/bcrypt_ext.c` [GH #261]
 
-2.0.0  Mar 07 2007
- - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
- - Added BCrypt::Password#is_password?.
- - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
- - Added validation of secrets -- nil is not healthy.
+3.1.17 Mar 14 2022
+- Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
+- Truncate secrets greater than 72 bytes in hash_secret [GH #255]
+- Assorted test and doc improvements
 
-2.0.1  Mar 09 2007
- - Fixed load path issues
- - Fixed crashes when hashing weird values (e.g., false, etc.)
+3.1.16 Sep 3 2020
+  - Fix compilation on FreeBSD. [GH #234]
 
-2.0.2  Jun 06 2007
- - Fixed example code in the README [Winson]
- - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+3.1.15 July 21 2020
+  - Remove GVL optimization.  Apparently it breaks things [GH #230]
 
-2.0.3  May 07 2008
- - Made exception classes descend from StandardError, not Exception [Dan42]
- - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
-   sorting issues. [Lee Pope]
+3.1.14 July 21 2020
+  - Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
 
-2.0.4  Mar 09 2009
-  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
-  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
+3.1.13 May 31 2019
+  - No longer include compiled binaries for Windows. See GH #173.
+  - Update C and Java implementations to latest versions [GH #182 by @fonica]
+  - Bump default cost to 12 [GH #181 by @bdewater]
+  - Remove explicit support for Rubies 1.8 and 1.9
+  - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
 
-2.0.5  Mar 11 2009
-  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
+3.1.12 May 16 2018
+  - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
+  - Fix compatibility with libxcrypt - Fixes hash errors in Fedora 28 and Ubuntu 20 [GH #164 by @besser82]
 
-2.1.0  Aug 12 2009
-  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
-  - Ruby 1.9 compatibility fixes. [Hongli Lai]
-  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
-  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
+3.1.11 Mar 06 2016
+  - Add support for Ruby 2.2 in compiled Windows binaries
 
-2.1.1  Aug 14 2009
-  - JVM 1.4/1.5 compatibility [Hongli Lai]
+3.1.10 Jan 28 2015
+  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
 
-2.1.2  Sep 16 2009
-  - Fixed support for Solaris, OpenSolaris.
+3.1.9  Oct 23 2014
+  - Rebuild corrupt binaries
 
-3.0.0  Aug 24 2011
-  - Bcrypt C implementation replaced with a public domain implementation.
-  - License changed to MIT
+3.1.8  Oct 23 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
 
-3.0.1  Sep 12 2011
-  - create raises an exception if the cost is higher than 31. GH #27
+3.1.7  Feb 24 2014
+  - Rebuild corrupt Java binary version of gem [GH #90]
+  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+
+3.1.6  Feb 21 2014
+  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
+    bugs. It felt wrong to have that at a higher version than the real gem, so
+    the real gem is getting bumped to 3.1.6.
+
+3.1.3  Feb 21 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries
+  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+
+3.1.2  Aug 26 2013
+  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
+  - Add support for 64-bit Windows
+
+3.1.1  Jul 10 2013
+  - Remove support for Ruby 1.8 in compiled win32 binaries
 
 3.1.0  May 07 2013
   - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
   - BCrypt::Password cost should be set to DEFAULT_COST if nil
   - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
 
-3.1.1  Jul 10 2013
-  - Remove support for Ruby 1.8 in compiled win32 binaries
+3.0.1  Sep 12 2011
+  - create raises an exception if the cost is higher than 31. GH #27
 
-3.1.2  Aug 26 2013
-  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
-  - Add support for 64-bit Windows
+3.0.0  Aug 24 2011
+  - Bcrypt C implementation replaced with a public domain implementation.
+  - License changed to MIT
 
-3.1.3  Feb 21 2014
-  - Add support for Ruby 2.1 in compiled Windows binaries
-  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+2.1.2  Sep 16 2009
+  - Fixed support for Solaris, OpenSolaris.
 
-3.1.6  Feb 21 2014
-  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
-    bugs. It felt wrong to have that at a higher version than the real gem, so
-    the real gem is getting bumped to 3.1.6.
+2.1.1  Aug 14 2009
+  - JVM 1.4/1.5 compatibility [Hongli Lai]
 
-3.1.7  Feb 24 2014
-  - Rebuild corrupt Java binary version of gem [GH #90]
-  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+2.1.0  Aug 12 2009
+  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
+  - Ruby 1.9 compatibility fixes. [Hongli Lai]
+  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
+  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
 
-3.1.8  Oct 23 2014
-  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
+2.0.5  Mar 11 2009
+  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
 
-3.1.9  Oct 23 2014
-  - Rebuild corrupt binaries
+2.0.4  Mar 09 2009
+  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
+  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
 
-3.1.10 Jan 28 2015
-  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
+2.0.3  May 07 2008
+ - Made exception classes descend from StandardError, not Exception [Dan42]
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
+   sorting issues. [Lee Pope]
 
-3.1.11 Mar 06 2016
-  - Add support for Ruby 2.2 in compiled Windows binaries
+2.0.2  Jun 06 2007
+ - Fixed example code in the README [Winson]
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
 
-3.1.12 May 16 2018
-  - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
-  - Fix compatibility with libxcrypt [GH #164 by @besser82]
+2.0.1  Mar 09 2007
+ - Fixed load path issues
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
+
+2.0.0  Mar 07 2007
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
+ - Added BCrypt::Password#is_password?.
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
+ - Added validation of secrets -- nil is not healthy.
+
+1.0.0  Feb 27 2007
+ - Initial release.

data/README.md

@@ -2,9 +2,9 @@
 
 An easy way to keep your users' passwords secure.
 
-* http://github.com/codahale/bcrypt-ruby/tree/master
+* https://github.com/bcrypt-ruby/bcrypt-ruby/tree/master
 
-[![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+[![Github Actions Build Status](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml)
 
 ## Why you should use `bcrypt()`
 
@@ -18,7 +18,7 @@ security experts is not a professional response to risk.
 `bcrypt()` allows you to easily harden your application against these kinds of attacks.
 
 *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
-vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
+vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
 was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
 passwords with international characters in them, you will need to
 re-hash those passwords. This vulnerability only affected the JRuby gem.
@@ -27,16 +27,16 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 
     gem install bcrypt
 
-The bcrypt gem is available on the following ruby platforms:
+The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 1.8, 1.9, 2.0, 2.1, 2.2, 2.3, 2.4, and 2.5 builds on Windows
-* Any 1.8, 1.9, 2.0, 2.1, 2.2, 2.3, 2.4, or 2.5 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
+* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 
 *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
-`has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
+`has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
 implements a similar authentication strategy to the code below.
 
 ### The _User_ model
@@ -81,14 +81,14 @@ end
 require 'bcrypt'
 
 my_password = BCrypt::Password.create("my password")
-#=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
+#=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
 
 my_password.version              #=> "2a"
-my_password.cost                 #=> 10
+my_password.cost                 #=> 12
 my_password == "my password"     #=> true
 my_password == "not my password" #=> false
 
-my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
+my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
 my_password == "my password"     #=> true
 my_password == "not my password" #=> false
 ```
@@ -155,14 +155,14 @@ If an attacker was using Ruby to check each password, they could check ~140,000
 In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
 passwords will still work fine, but new passwords can keep up with the times.
 
-The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
+The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
 stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
 server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
 
 To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
 ```ruby
 BCrypt::Password.create('secret').cost
-  #=> 10, the default provided by bcrypt-ruby
+  #=> 12, the default provided by bcrypt-ruby
 
 # set a new default cost
 BCrypt::Engine.cost = 8
@@ -180,13 +180,13 @@ system available.
 
 For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
 Usenix99 paper:
-http://www.usenix.org/events/usenix99/provos.html
+https://www.usenix.org/events/usenix99/provos.html
 
 If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
 Ferguson and Bruce Schneier:
-http://www.schneier.com/book-practical.html
+https://www.schneier.com/book-practical.html
 
 # Etc
 
 * Author  :: Coda Hale <coda.hale@gmail.com>
-* Website :: http://blog.codahale.com
+* Website :: https://codahale.com

data/Rakefile

@@ -8,14 +8,6 @@ require 'benchmark'
 
 CLEAN.include(
   "tmp",
-  "lib/1.8",
-  "lib/1.9",
-  "lib/2.0",
-  "lib/2.1",
-  "lib/2.2",
-  "lib/2.3",
-  "lib/2.4",
-  "lib/2.5",
   "lib/bcrypt_ext.jar",
   "lib/bcrypt_ext.so"
 )
@@ -58,29 +50,12 @@ end
 if RUBY_PLATFORM =~ /java/
   Rake::JavaExtensionTask.new('bcrypt_ext', GEMSPEC) do |ext|
     ext.ext_dir = 'ext/jruby'
+    ext.source_version = "1.7"
+    ext.target_version = "1.7"
   end
 else
   Rake::ExtensionTask.new("bcrypt_ext", GEMSPEC) do |ext|
     ext.ext_dir = 'ext/mri'
-    ext.cross_compile = true
-    ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
-  end
-
-  ENV['RUBY_CC_VERSION'].to_s.split(':').each do |ruby_version|
-    platforms = {
-      "x86-mingw32" => "i686-w64-mingw32",
-      "x64-mingw32" => "x86_64-w64-mingw32"
-    }
-    platforms.each do |platform, prefix|
-      task "copy:bcrypt_ext:#{platform}:#{ruby_version}" do |t|
-        %w[lib tmp/#{platform}/stage/lib].each do |dir|
-          so_file = "#{dir}/#{ruby_version[/^\d+\.\d+/]}/bcrypt_ext.so"
-          if File.exists?(so_file)
-            sh "#{prefix}-strip -S #{so_file}"
-          end
-        end
-      end
-    end
   end
 end
 

data/bcrypt.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'bcrypt'
-  s.version = '3.1.12'
+  s.version = '3.1.18'
 
   s.summary = "OpenBSD's bcrypt() password hashing algorithm."
   s.description = <<-EOF
@@ -12,11 +12,9 @@ Gem::Specification.new do |s|
   s.files = `git ls-files`.split("\n")
   s.require_path = 'lib'
 
-  s.add_development_dependency 'rake-compiler', '~> 0.9.2'
+  s.add_development_dependency 'rake-compiler', '~> 1.2.0'
   s.add_development_dependency 'rspec', '>= 3'
-  s.add_development_dependency 'rdoc', '~> 3.12'
 
-  s.has_rdoc = true
   s.rdoc_options += ['--title', 'bcrypt-ruby', '--line-numbers', '--inline-source', '--main', 'README.md']
   s.extra_rdoc_files += ['README.md', 'COPYING', 'CHANGELOG', *Dir['lib/**/*.rb']]
 
@@ -24,6 +22,6 @@ Gem::Specification.new do |s|
 
   s.authors = ["Coda Hale"]
   s.email = "coda.hale@gmail.com"
-  s.homepage = "https://github.com/codahale/bcrypt-ruby"
+  s.homepage = "https://github.com/bcrypt-ruby/bcrypt-ruby"
   s.license = "MIT"
 end