bcrypt 3.1.12 → 3.1.18

data/ext/mri/x86.S

@@ -0,0 +1,203 @@
+/*
+ * Written by Solar Designer <solar at openwall.com> in 1998-2010.
+ * No copyright is claimed, and the software is hereby placed in the public
+ * domain.  In case this attempt to disclaim copyright and place the software
+ * in the public domain is deemed null and void, then the software is
+ * Copyright (c) 1998-2010 Solar Designer and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * See crypt_blowfish.c for more information.
+ */
+
+#ifdef __i386__
+
+#if defined(__OpenBSD__) && !defined(__ELF__)
+#define UNDERSCORES
+#define ALIGN_LOG
+#endif
+
+#if defined(__CYGWIN32__) || defined(__MINGW32__)
+#define UNDERSCORES
+#endif
+
+#ifdef __DJGPP__
+#define UNDERSCORES
+#define ALIGN_LOG
+#endif
+
+#ifdef UNDERSCORES
+#define _BF_body_r			__BF_body_r
+#endif
+
+#ifdef ALIGN_LOG
+#define DO_ALIGN(log)			.align (log)
+#elif defined(DUMBAS)
+#define DO_ALIGN(log)			.align 1 << log
+#else
+#define DO_ALIGN(log)			.align (1 << (log))
+#endif
+
+#define BF_FRAME			0x200
+#define ctx				%esp
+
+#define BF_ptr				(ctx)
+
+#define S(N, r)				N+BF_FRAME(ctx,r,4)
+#ifdef DUMBAS
+#define P(N)				0x1000+N+N+N+N+BF_FRAME(ctx)
+#else
+#define P(N)				0x1000+4*N+BF_FRAME(ctx)
+#endif
+
+/*
+ * This version of the assembly code is optimized primarily for the original
+ * Intel Pentium but is also careful to avoid partial register stalls on the
+ * Pentium Pro family of processors (tested up to Pentium III Coppermine).
+ *
+ * It is possible to do 15% faster on the Pentium Pro family and probably on
+ * many non-Intel x86 processors, but, unfortunately, that would make things
+ * twice slower for the original Pentium.
+ *
+ * An additional 2% speedup may be achieved with non-reentrant code.
+ */
+
+#define L				%esi
+#define R				%edi
+#define tmp1				%eax
+#define tmp1_lo				%al
+#define tmp2				%ecx
+#define tmp2_hi				%ch
+#define tmp3				%edx
+#define tmp3_lo				%dl
+#define tmp4				%ebx
+#define tmp4_hi				%bh
+#define tmp5				%ebp
+
+.text
+
+#define BF_ROUND(L, R, N) \
+	xorl L,tmp2; \
+	xorl tmp1,tmp1; \
+	movl tmp2,L; \
+	shrl $16,tmp2; \
+	movl L,tmp4; \
+	movb tmp2_hi,tmp1_lo; \
+	andl $0xFF,tmp2; \
+	movb tmp4_hi,tmp3_lo; \
+	andl $0xFF,tmp4; \
+	movl S(0,tmp1),tmp1; \
+	movl S(0x400,tmp2),tmp5; \
+	addl tmp5,tmp1; \
+	movl S(0x800,tmp3),tmp5; \
+	xorl tmp5,tmp1; \
+	movl S(0xC00,tmp4),tmp5; \
+	addl tmp1,tmp5; \
+	movl 4+P(N),tmp2; \
+	xorl tmp5,R
+
+#define BF_ENCRYPT_START \
+	BF_ROUND(L, R, 0); \
+	BF_ROUND(R, L, 1); \
+	BF_ROUND(L, R, 2); \
+	BF_ROUND(R, L, 3); \
+	BF_ROUND(L, R, 4); \
+	BF_ROUND(R, L, 5); \
+	BF_ROUND(L, R, 6); \
+	BF_ROUND(R, L, 7); \
+	BF_ROUND(L, R, 8); \
+	BF_ROUND(R, L, 9); \
+	BF_ROUND(L, R, 10); \
+	BF_ROUND(R, L, 11); \
+	BF_ROUND(L, R, 12); \
+	BF_ROUND(R, L, 13); \
+	BF_ROUND(L, R, 14); \
+	BF_ROUND(R, L, 15); \
+	movl BF_ptr,tmp5; \
+	xorl L,tmp2; \
+	movl P(17),L
+
+#define BF_ENCRYPT_END \
+	xorl R,L; \
+	movl tmp2,R
+
+DO_ALIGN(5)
+.globl _BF_body_r
+_BF_body_r:
+	movl 4(%esp),%eax
+	pushl %ebp
+	pushl %ebx
+	pushl %esi
+	pushl %edi
+	subl $BF_FRAME-8,%eax
+	xorl L,L
+	cmpl %esp,%eax
+	ja BF_die
+	xchgl %eax,%esp
+	xorl R,R
+	pushl %eax
+	leal 0x1000+BF_FRAME-4(ctx),%eax
+	movl 0x1000+BF_FRAME-4(ctx),tmp2
+	pushl %eax
+	xorl tmp3,tmp3
+BF_loop_P:
+	BF_ENCRYPT_START
+	addl $8,tmp5
+	BF_ENCRYPT_END
+	leal 0x1000+18*4+BF_FRAME(ctx),tmp1
+	movl tmp5,BF_ptr
+	cmpl tmp5,tmp1
+	movl L,-8(tmp5)
+	movl R,-4(tmp5)
+	movl P(0),tmp2
+	ja BF_loop_P
+	leal BF_FRAME(ctx),tmp5
+	xorl tmp3,tmp3
+	movl tmp5,BF_ptr
+BF_loop_S:
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,(tmp5)
+	movl R,4(tmp5)
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,8(tmp5)
+	movl R,12(tmp5)
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,16(tmp5)
+	movl R,20(tmp5)
+	BF_ENCRYPT_START
+	addl $32,tmp5
+	BF_ENCRYPT_END
+	leal 0x1000+BF_FRAME(ctx),tmp1
+	movl tmp5,BF_ptr
+	cmpl tmp5,tmp1
+	movl P(0),tmp2
+	movl L,-8(tmp5)
+	movl R,-4(tmp5)
+	ja BF_loop_S
+	movl 4(%esp),%esp
+	popl %edi
+	popl %esi
+	popl %ebx
+	popl %ebp
+	ret
+
+BF_die:
+/* Oops, need to re-compile with a larger BF_FRAME. */
+	hlt
+	jmp BF_die
+
+#endif
+
+#if defined(__ELF__) && defined(__linux__)
+.section .note.GNU-stack,"",%progbits
+#endif

data/lib/bcrypt/engine.rb

@@ -2,9 +2,19 @@ module BCrypt
   # A Ruby wrapper for the bcrypt() C extension calls and the Java calls.
   class Engine
     # The default computational expense parameter.
-    DEFAULT_COST    = 10
+    DEFAULT_COST    = 12
     # The minimum cost supported by the algorithm.
     MIN_COST        = 4
+    # The maximum cost supported by the algorithm.
+    MAX_COST = 31
+    # Maximum possible size of bcrypt() secrets.
+    # Older versions of the bcrypt library would truncate passwords longer
+    # than 72 bytes, but newer ones do not. We truncate like the old library for
+    # forward compatibility. This way users upgrading from Ubuntu 18.04 to 20.04
+    # will not have their user passwords invalidated, for example.
+    # A max secret length greater than 255 leads to bcrypt returning nil.
+    # https://github.com/bcrypt-ruby/bcrypt-ruby/issues/225#issuecomment-875908425
+    MAX_SECRET_BYTESIZE = 72
     # Maximum possible size of bcrypt() salts.
     MAX_SALT_LENGTH = 16
 
@@ -28,8 +38,8 @@ module BCrypt
     #
     # Example:
     #
-    #   BCrypt::Engine::DEFAULT_COST            #=> 10
-    #   BCrypt::Password.create('secret').cost  #=> 10
+    #   BCrypt::Engine::DEFAULT_COST            #=> 12
+    #   BCrypt::Password.create('secret').cost  #=> 12
     #
     #   BCrypt::Engine.cost = 8
     #   BCrypt::Password.create('secret').cost  #=> 8
@@ -41,14 +51,16 @@ module BCrypt
     end
 
     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
-    # a bcrypt() password hash.
+    # a bcrypt() password hash. Secrets longer than 72 bytes are truncated.
     def self.hash_secret(secret, salt, _ = nil)
       if valid_secret?(secret)
         if valid_salt?(salt)
           if RUBY_PLATFORM == "java"
-            Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s, salt.to_s)
+            Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s.to_java_bytes, salt.to_s)
           else
-            __bc_crypt(secret.to_s, salt)
+            secret = secret.to_s
+            secret = secret.byteslice(0, MAX_SECRET_BYTESIZE) if secret && secret.bytesize > MAX_SECRET_BYTESIZE
+            __bc_crypt(secret, salt)
           end
         else
           raise Errors::InvalidSalt.new("invalid salt")
@@ -68,8 +80,7 @@ module BCrypt
         if RUBY_PLATFORM == "java"
           Java.bcrypt_jruby.BCrypt.gensalt(cost)
         else
-          prefix = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
-          __bc_salt(prefix, cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
+          __bc_salt("$2a$", cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
         end
       else
         raise Errors::InvalidCost.new("cost must be numeric and > 0")
@@ -78,7 +89,7 @@ module BCrypt
 
     # Returns true if +salt+ is a valid bcrypt() salt, false if not.
     def self.valid_salt?(salt)
-      !!(salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/)
+      !!(salt =~ /\A\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}\z/)
     end
 
     # Returns true if +secret+ is a valid bcrypt() secret, false if not.
@@ -99,7 +110,7 @@ module BCrypt
     #   # should take less than 1000ms
     #   BCrypt::Password.create("woo", :cost => 12)
     def self.calibrate(upper_time_limit_in_ms)
-      40.times do |i|
+      (BCrypt::Engine::MIN_COST..BCrypt::Engine::MAX_COST-1).each do |i|
         start_time = Time.now
         Password.create("testing testing", :cost => i+1)
         end_time = Time.now - start_time

data/lib/bcrypt/password.rb

@@ -7,7 +7,7 @@ module BCrypt
   #
   #   # hash a user's password
   #   @password = Password.create("my grand secret")
-  #   @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"
+  #   @password #=> "$2a$12$C5.FIvVDS9W4AYZ/Ib37YuWd/7ozp1UaMhU28UKrfSxp2oDchbi3K"
   #
   #   # store it safely
   #   @user.update_attribute(:password, @password)
@@ -42,12 +42,12 @@ module BCrypt
       #   @password = BCrypt::Password.create("my secret", :cost => 13)
       def create(secret, options = {})
         cost = options[:cost] || BCrypt::Engine.cost
-        raise ArgumentError if cost > 31
+        raise ArgumentError if cost > BCrypt::Engine::MAX_COST
         Password.new(BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(cost)))
       end
 
       def valid_hash?(h)
-        h =~ /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/
+        /\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/ === h
       end
     end
 
@@ -62,6 +62,17 @@ module BCrypt
     end
 
     # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
+    #
+    # Comparison edge case/gotcha:
+    #
+    #    secret = "my secret"
+    #    @password = BCrypt::Password.create(secret)
+    #
+    #    @password == secret              # => True
+    #    @password == @password           # => False
+    #    @password == @password.to_s      # => False
+    #    @password.to_s == @password      # => True
+    #    @password.to_s == @password.to_s # => True
     def ==(secret)
       super(BCrypt::Engine.hash_secret(secret, @salt))
     end
@@ -83,5 +94,4 @@ module BCrypt
       return v.to_str, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
     end
   end
-
 end

data/lib/bcrypt.rb

@@ -9,12 +9,7 @@ else
   require "openssl"
 end
 
-begin
-  RUBY_VERSION =~ /(\d+.\d+)/
-  require "#{$1}/bcrypt_ext"
-rescue LoadError
-  require "bcrypt_ext"
-end
+require "bcrypt_ext"
 
 require 'bcrypt/error'
 require 'bcrypt/engine'

data/spec/bcrypt/engine_spec.rb

@@ -1,9 +1,23 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "spec_helper"))
+require 'securerandom'
+
+describe 'BCrypt::Engine' do
+  describe '.calibrate(upper_time_limit_in_ms)' do
+    context 'a tiny upper time limit provided' do
+      it 'returns a minimum cost supported by the algorithm' do
+        expect(BCrypt::Engine.calibrate(0.001)).to eq(4)
+      end
+    end
+  end
+end
 
 describe "The BCrypt engine" do
   specify "should calculate the optimal cost factor to fit in a specific time" do
-    first = BCrypt::Engine.calibrate(100)
-    second = BCrypt::Engine.calibrate(400)
+    start_time = Time.now
+    BCrypt::Password.create("testing testing", :cost => BCrypt::Engine::MIN_COST + 1)
+    min_time_ms = (Time.now - start_time) * 1000
+    first = BCrypt::Engine.calibrate(min_time_ms)
+    second = BCrypt::Engine.calibrate(min_time_ms * 4)
     expect(second).to be > first
   end
 end
@@ -67,16 +81,96 @@ describe "Generating BCrypt hashes" do
   end
 
   specify "should be interoperable with other implementations" do
-    # test vectors from the OpenWall implementation <http://www.openwall.com/crypt/>
     test_vectors = [
+      # test vectors from the OpenWall implementation <https://www.openwall.com/crypt/>, found in wrapper.c
       ["U*U", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"],
       ["U*U*", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK"],
       ["U*U*U", "$2a$05$XXXXXXXXXXXXXXXXXXXXXO", "$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a"],
+      ["0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789chars after 72 are ignored", "$2a$05$abcdefghijklmnopqrstuu", "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui"],
+      ["\xa3", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e"],
+      ["\xff\xff\xa3", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e"],
+      ["\xff\xff\xa3", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e"],
+      ["\xff\xff\xa3", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nqd1wy.pTMdcvrRWxyiGL2eMz.2a85."],
+      ["\xff\xff\xa3", "$2b$05$/OK.fbVrR/bpIqNJ5ianF.", "$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e"],
+      ["\xa3", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq"],
+      ["\xa3", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq"],
+      ["\xa3", "$2b$05$/OK.fbVrR/bpIqNJ5ianF.", "$2b$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq"],
+      ["1\xa3" "345", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi"],
+      ["\xff\xa3" "345", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi"],
+      ["\xff\xa3" "34" "\xff\xff\xff\xa3" "345", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi"],
+      ["\xff\xa3" "34" "\xff\xff\xff\xa3" "345", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi"],
+      ["\xff\xa3" "34" "\xff\xff\xff\xa3" "345", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.ZC1JEJ8Z4gPfpe1JOr/oyPXTWl9EFd."],
+      ["\xff\xa3" "345", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e"],
+      ["\xff\xa3" "345", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e"],
+      ["\xa3" "ab", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS"],
+      ["\xa3" "ab", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.", "$2x$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS"],
+      ["\xa3" "ab", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.", "$2y$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS"],
+      ["\xd1\x91", "$2x$05$6bNw2HLQYeqHYyBfLMsv/O", "$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS"],
+      ["\xd0\xc1\xd2\xcf\xcc\xd8", "$2x$05$6bNw2HLQYeqHYyBfLMsv/O", "$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS"],
+      ["\xaa"*72+"chars after 72 are ignored as usual", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6"],
+      ["\xaa\x55"*36, "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy"],
+      ["\x55\xaa\xff"*24, "$2a$05$/OK.fbVrR/bpIqNJ5ianF.", "$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe"],
       ["", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.", "$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy"],
-      ["0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "$2a$05$abcdefghijklmnopqrstuu", "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui"]
+
+      # test vectors from the Java implementation, found in https://github.com/spring-projects/spring-security/blob/master/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
+      ["", "$2a$06$DCq7YPn5Rq63x1Lad4cll.", "$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s."],
+      ["", "$2a$08$HqWuK6/Ng6sg9gQzbLrgb.", "$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye"],
+      ["", "$2a$10$k1wbIrmNyFAPwPVPSVa/ze", "$2a$10$k1wbIrmNyFAPwPVPSVa/zecw2BCEnBwVS2GbrmgzxFUOqW9dk4TCW"],
+      ["", "$2a$12$k42ZFHFWqBp3vWli.nIn8u", "$2a$12$k42ZFHFWqBp3vWli.nIn8uYyIkbvYRvodzbfbK18SSsY.CsIQPlxO"],
+      ["", "$2b$06$8eVN9RiU8Yki430X.wBvN.", "$2b$06$8eVN9RiU8Yki430X.wBvN.LWaqh2962emLVSVXVZIXJvDYLsV0oFu"],
+      ["", "$2b$06$NlgfNgpIc6GlHciCkMEW8u", "$2b$06$NlgfNgpIc6GlHciCkMEW8uKOBsyvAp7QwlHpysOlKdtyEw50WQua2"],
+      ["", "$2y$06$mFDtkz6UN7B3GZ2qi2hhaO", "$2y$06$mFDtkz6UN7B3GZ2qi2hhaO3OFWzNEdcY84ELw6iHCPruuQfSAXBLK"],
+      ["", "$2y$06$88kSqVttBx.e9iXTPCLa5u", "$2y$06$88kSqVttBx.e9iXTPCLa5uFPrVFjfLH4D.KcO6pBiAmvUkvdg0EYy"],
+      ["a", "$2a$06$m0CrhHm10qJ3lXRY.5zDGO", "$2a$06$m0CrhHm10qJ3lXRY.5zDGO3rS2KdeeWLuGmsfGlMfOxih58VYVfxe"],
+      ["a", "$2a$08$cfcvVd2aQ8CMvoMpP2EBfe", "$2a$08$cfcvVd2aQ8CMvoMpP2EBfeodLEkkFJ9umNEfPD18.hUF62qqlC/V."],
+      ["a", "$2a$10$k87L/MF28Q673VKh8/cPi.", "$2a$10$k87L/MF28Q673VKh8/cPi.SUl7MU/rWuSiIDDFayrKk/1tBsSQu4u"],
+      ["a", "$2a$12$8NJH3LsPrANStV6XtBakCe", "$2a$12$8NJH3LsPrANStV6XtBakCez0cKHXVxmvxIlcz785vxAIZrihHZpeS"],
+      ["a", "$2b$06$ehKGYiS4wt2HAr7KQXS5z.", "$2b$06$ehKGYiS4wt2HAr7KQXS5z.OaRjB4jHO7rBHJKlGXbqEH3QVJfO7iO"],
+      ["a", "$2b$06$PWxFFHA3HiCD46TNOZh30e", "$2b$06$PWxFFHA3HiCD46TNOZh30eNto1hg5uM9tHBlI4q/b03SW/gGKUYk6"],
+      ["a", "$2y$06$LUdD6/aD0e/UbnxVAVbvGu", "$2y$06$LUdD6/aD0e/UbnxVAVbvGuUmIoJ3l/OK94ThhadpMWwKC34LrGEey"],
+      ["a", "$2y$06$eqgY.T2yloESMZxgp76deO", "$2y$06$eqgY.T2yloESMZxgp76deOROa7nzXDxbO0k.PJvuClTa.Vu1AuemG"],
+      ["abc", "$2a$06$If6bvum7DFjUnE9p2uDeDu", "$2a$06$If6bvum7DFjUnE9p2uDeDu0YHzrHM6tf.iqN8.yx.jNN1ILEf7h0i"],
+      ["abc", "$2a$08$Ro0CUfOqk6cXEKf3dyaM7O", "$2a$08$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm"],
+      ["abc", "$2a$10$WvvTPHKwdBJ3uk0Z37EMR.", "$2a$10$WvvTPHKwdBJ3uk0Z37EMR.hLA2W6N9AEBhEgrAOljy2Ae5MtaSIUi"],
+      ["abc", "$2a$12$EXRkfkdmXn2gzds2SSitu.", "$2a$12$EXRkfkdmXn2gzds2SSitu.MW9.gAVqa9eLS1//RYtYCmB1eLHg.9q"],
+      ["abc", "$2b$06$5FyQoicpbox1xSHFfhhdXu", "$2b$06$5FyQoicpbox1xSHFfhhdXuR2oxLpO1rYsQh5RTkI/9.RIjtoF0/ta"],
+      ["abc", "$2b$06$1kJyuho8MCVP3HHsjnRMkO", "$2b$06$1kJyuho8MCVP3HHsjnRMkO1nvCOaKTqLnjG2TX1lyMFbXH/aOkgc."],
+      ["abc", "$2y$06$ACfku9dT6.H8VjdKb8nhlu", "$2y$06$ACfku9dT6.H8VjdKb8nhluaoBmhJyK7GfoNScEfOfrJffUxoUeCjK"],
+      ["abc", "$2y$06$9JujYcoWPmifvFA3RUP90e", "$2y$06$9JujYcoWPmifvFA3RUP90e5rSEHAb5Ye6iv3.G9ikiHNv5cxjNEse"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2a$06$.rCVZVOThsIa97pEDOxvGu", "$2a$06$.rCVZVOThsIa97pEDOxvGuRRgzG64bvtJ0938xuqzv18d3ZpQhstC"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2a$08$aTsUwsyowQuzRrDqFflhge", "$2a$08$aTsUwsyowQuzRrDqFflhgekJ8d9/7Z3GV3UcgvzQW3J5zMyrTvlz."],
+      ["abcdefghijklmnopqrstuvwxyz", "$2a$10$fVH8e28OQRj9tqiDXs1e1u", "$2a$10$fVH8e28OQRj9tqiDXs1e1uxpsjN0c7II7YPKXua2NAKYvM6iQk7dq"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2a$12$D4G5f18o7aMMfwasBL7Gpu", "$2a$12$D4G5f18o7aMMfwasBL7GpuQWuP3pkrZrOAnqP.bmezbMng.QwJ/pG"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2b$06$O8E89AQPj1zJQA05YvIAU.", "$2b$06$O8E89AQPj1zJQA05YvIAU.hMpj25BXri1bupl/Q7CJMlpLwZDNBoO"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2b$06$PDqIWr./o/P3EE/P.Q0A/u", "$2b$06$PDqIWr./o/P3EE/P.Q0A/uFg86WL/PXTbaW267TDALEwDylqk00Z."],
+      ["abcdefghijklmnopqrstuvwxyz", "$2y$06$34MG90ZLah8/ZNr3ltlHCu", "$2y$06$34MG90ZLah8/ZNr3ltlHCuz6bachF8/3S5jTuzF1h2qg2cUk11sFW"],
+      ["abcdefghijklmnopqrstuvwxyz", "$2y$06$AK.hSLfMyw706iEW24i68u", "$2y$06$AK.hSLfMyw706iEW24i68uKAc2yorPTrB0cimvjJHEBUrPkOq7VvG"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2a$06$fPIsBO8qRqkjj273rfaOI.", "$2a$06$fPIsBO8qRqkjj273rfaOI.HtSV9jLDpTbZn782DC6/t7qT67P6FfO"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2a$08$Eq2r4G/76Wv39MzSX262hu", "$2a$08$Eq2r4G/76Wv39MzSX262huzPz612MZiYHVUJe/OcOql2jo4.9UxTW"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2a$10$LgfYWkbzEvQ4JakH7rOvHe", "$2a$10$LgfYWkbzEvQ4JakH7rOvHe0y8pHKF9OaFgwUZ2q7W2FFZmZzJYlfS"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2a$12$WApznUOJfkEGSmYRfnkrPO", "$2a$12$WApznUOJfkEGSmYRfnkrPOr466oFDCaj4b6HY3EXGvfxm43seyhgC"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2b$06$FGWA8OlY6RtQhXBXuCJ8Wu", "$2b$06$FGWA8OlY6RtQhXBXuCJ8WusVipRI15cWOgJK8MYpBHEkktMfbHRIG"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2b$06$G6aYU7UhUEUDJBdTgq3CRe", "$2b$06$G6aYU7UhUEUDJBdTgq3CRekiopCN4O4sNitFXrf5NUscsVZj3a2r6"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2y$06$sYDFHqOcXTjBgOsqC0WCKe", "$2y$06$sYDFHqOcXTjBgOsqC0WCKeMd3T1UhHuWQSxncLGtXDLMrcE6vFDti"],
+      ["~!@#$%^&*()      ~!@#$%^&*()PNBFRD", "$2y$06$6Xm0gCw4g7ZNDCEp4yTise", "$2y$06$6Xm0gCw4g7ZNDCEp4yTisez0kSdpXEl66MvdxGidnmChIe8dFmMnq"]
     ]
     for secret, salt, test_vector in test_vectors
       expect(BCrypt::Engine.hash_secret(secret, salt)).to eql(test_vector)
     end
   end
+
+  specify "should truncate long 1-byte character secrets to 72 bytes" do
+    # 'b' as a base triggers the failure at 256 characters, but 'a' does not.
+    too_long_secret = 'b'*(BCrypt::Engine::MAX_SECRET_BYTESIZE + 1)
+    just_right_secret = 'b'*BCrypt::Engine::MAX_SECRET_BYTESIZE
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
+
+  specify "should truncate long multi-byte character secrets to 72 bytes" do
+    # 256 times causes bcrypt to return nil for libxcrypt > 4.4.18-4.
+    too_long_secret = '𐐷'*256
+    # 𐐷 takes 4 bytes in UTF-8. 18 times is 72 bytes
+    just_right_secret = '𐐷'*18
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
 end

data/spec/bcrypt/password_spec.rb

@@ -1,4 +1,5 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "spec_helper"))
+require 'securerandom'
 
 describe "Creating a hashed password" do
 
@@ -26,6 +27,10 @@ describe "Creating a hashed password" do
     expect { BCrypt::Password.create( ""         ) }.not_to raise_error
     expect { BCrypt::Password.create( String.new ) }.not_to raise_error
   end
+
+  specify "should tolerate very long string secrets" do
+    expect { BCrypt::Password.create("abcd"*1024) }.not_to raise_error
+  end
 end
 
 describe "Reading a hashed password" do
@@ -108,6 +113,7 @@ end
 describe "Validating a generated salt" do
   specify "should not accept an invalid salt" do
     expect(BCrypt::Engine.valid_salt?("invalid")).to eq(false)
+    expect(BCrypt::Engine.valid_salt?("invalid\n#{BCrypt::Engine.generate_salt}\ninvalid")).to eq(false)
   end
   specify "should accept a valid salt" do
     expect(BCrypt::Engine.valid_salt?(BCrypt::Engine.generate_salt)).to eq(true)
@@ -116,9 +122,10 @@ end
 
 describe "Validating a password hash" do
   specify "should not accept an invalid password" do
-    expect(BCrypt::Password.valid_hash?("i_am_so_not_valid")).to be_falsey
+    expect(BCrypt::Password.valid_hash?("i_am_so_not_valid")).to be(false)
+    expect(BCrypt::Password.valid_hash?("invalid\n#{BCrypt::Password.create "i_am_so_valid"}\ninvalid")).to be(false)
   end
   specify "should accept a valid password" do
-    expect(BCrypt::Password.valid_hash?(BCrypt::Password.create "i_am_so_valid")).to be_truthy
+    expect(BCrypt::Password.valid_hash?(BCrypt::Password.create "i_am_so_valid")).to be(true)
   end
 end

metadata

@@ -1,60 +1,47 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.12
+  version: 3.1.18
 platform: ruby
 authors:
 - Coda Hale
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-16 00:00:00.000000000 Z
+date: 2022-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.12'
-description: ! "    bcrypt() is a sophisticated and secure hash algorithm designed
-  by The OpenBSD project\n    for hashing passwords. The bcrypt Ruby gem provides
-  a simple wrapper for safely handling\n    passwords.\n"
+description: |2
+      bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
+      for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
+      passwords.
 email: coda.hale@gmail.com
 executables: []
 extensions:
@@ -68,26 +55,27 @@ extra_rdoc_files:
 - lib/bcrypt/error.rb
 - lib/bcrypt.rb
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".rspec"
 - CHANGELOG
 - COPYING
 - Gemfile
-- Gemfile.lock
 - README.md
 - Rakefile
-- appveyor.yml
 - bcrypt.gemspec
 - ext/jruby/bcrypt_jruby/BCrypt.java
 - ext/mri/bcrypt_ext.c
 - ext/mri/crypt.c
 - ext/mri/crypt.h
 - ext/mri/crypt_blowfish.c
+- ext/mri/crypt_blowfish.h
 - ext/mri/crypt_gensalt.c
+- ext/mri/crypt_gensalt.h
 - ext/mri/extconf.rb
 - ext/mri/ow-crypt.h
 - ext/mri/wrapper.c
+- ext/mri/x86.S
 - lib/bcrypt.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
@@ -97,33 +85,32 @@ files:
 - spec/bcrypt/error_spec.rb
 - spec/bcrypt/password_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/codahale/bcrypt-ruby
+homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
 metadata: {}
 post_install_message: 
 rdoc_options:
-- --title
+- "--title"
 - bcrypt-ruby
-- --line-numbers
-- --inline-source
-- --main
+- "--line-numbers"
+- "--inline-source"
+- "--main"
 - README.md
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.

data/.travis.yml

@@ -1,21 +0,0 @@
-language: ruby
-before_install:
-  - gem update --system
-  - gem install bundler
-rvm:
-  - 1.8
-  - 1.9
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-  - jruby-18mode
-  - jruby-19mode
-  - jruby-head
-  - rbx-3
-  - ree
-script: bundle exec rake