bcrypt 3.1.12 → 3.1.20

data/ext/mri/x86.S

@@ -0,0 +1,203 @@
+/*
+ * Written by Solar Designer <solar at openwall.com> in 1998-2010.
+ * No copyright is claimed, and the software is hereby placed in the public
+ * domain.  In case this attempt to disclaim copyright and place the software
+ * in the public domain is deemed null and void, then the software is
+ * Copyright (c) 1998-2010 Solar Designer and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * See crypt_blowfish.c for more information.
+ */
+
+#ifdef __i386__
+
+#if defined(__OpenBSD__) && !defined(__ELF__)
+#define UNDERSCORES
+#define ALIGN_LOG
+#endif
+
+#if defined(__CYGWIN32__) || defined(__MINGW32__)
+#define UNDERSCORES
+#endif
+
+#ifdef __DJGPP__
+#define UNDERSCORES
+#define ALIGN_LOG
+#endif
+
+#ifdef UNDERSCORES
+#define _BF_body_r			__BF_body_r
+#endif
+
+#ifdef ALIGN_LOG
+#define DO_ALIGN(log)			.align (log)
+#elif defined(DUMBAS)
+#define DO_ALIGN(log)			.align 1 << log
+#else
+#define DO_ALIGN(log)			.align (1 << (log))
+#endif
+
+#define BF_FRAME			0x200
+#define ctx				%esp
+
+#define BF_ptr				(ctx)
+
+#define S(N, r)				N+BF_FRAME(ctx,r,4)
+#ifdef DUMBAS
+#define P(N)				0x1000+N+N+N+N+BF_FRAME(ctx)
+#else
+#define P(N)				0x1000+4*N+BF_FRAME(ctx)
+#endif
+
+/*
+ * This version of the assembly code is optimized primarily for the original
+ * Intel Pentium but is also careful to avoid partial register stalls on the
+ * Pentium Pro family of processors (tested up to Pentium III Coppermine).
+ *
+ * It is possible to do 15% faster on the Pentium Pro family and probably on
+ * many non-Intel x86 processors, but, unfortunately, that would make things
+ * twice slower for the original Pentium.
+ *
+ * An additional 2% speedup may be achieved with non-reentrant code.
+ */
+
+#define L				%esi
+#define R				%edi
+#define tmp1				%eax
+#define tmp1_lo				%al
+#define tmp2				%ecx
+#define tmp2_hi				%ch
+#define tmp3				%edx
+#define tmp3_lo				%dl
+#define tmp4				%ebx
+#define tmp4_hi				%bh
+#define tmp5				%ebp
+
+.text
+
+#define BF_ROUND(L, R, N) \
+	xorl L,tmp2; \
+	xorl tmp1,tmp1; \
+	movl tmp2,L; \
+	shrl $16,tmp2; \
+	movl L,tmp4; \
+	movb tmp2_hi,tmp1_lo; \
+	andl $0xFF,tmp2; \
+	movb tmp4_hi,tmp3_lo; \
+	andl $0xFF,tmp4; \
+	movl S(0,tmp1),tmp1; \
+	movl S(0x400,tmp2),tmp5; \
+	addl tmp5,tmp1; \
+	movl S(0x800,tmp3),tmp5; \
+	xorl tmp5,tmp1; \
+	movl S(0xC00,tmp4),tmp5; \
+	addl tmp1,tmp5; \
+	movl 4+P(N),tmp2; \
+	xorl tmp5,R
+
+#define BF_ENCRYPT_START \
+	BF_ROUND(L, R, 0); \
+	BF_ROUND(R, L, 1); \
+	BF_ROUND(L, R, 2); \
+	BF_ROUND(R, L, 3); \
+	BF_ROUND(L, R, 4); \
+	BF_ROUND(R, L, 5); \
+	BF_ROUND(L, R, 6); \
+	BF_ROUND(R, L, 7); \
+	BF_ROUND(L, R, 8); \
+	BF_ROUND(R, L, 9); \
+	BF_ROUND(L, R, 10); \
+	BF_ROUND(R, L, 11); \
+	BF_ROUND(L, R, 12); \
+	BF_ROUND(R, L, 13); \
+	BF_ROUND(L, R, 14); \
+	BF_ROUND(R, L, 15); \
+	movl BF_ptr,tmp5; \
+	xorl L,tmp2; \
+	movl P(17),L
+
+#define BF_ENCRYPT_END \
+	xorl R,L; \
+	movl tmp2,R
+
+DO_ALIGN(5)
+.globl _BF_body_r
+_BF_body_r:
+	movl 4(%esp),%eax
+	pushl %ebp
+	pushl %ebx
+	pushl %esi
+	pushl %edi
+	subl $BF_FRAME-8,%eax
+	xorl L,L
+	cmpl %esp,%eax
+	ja BF_die
+	xchgl %eax,%esp
+	xorl R,R
+	pushl %eax
+	leal 0x1000+BF_FRAME-4(ctx),%eax
+	movl 0x1000+BF_FRAME-4(ctx),tmp2
+	pushl %eax
+	xorl tmp3,tmp3
+BF_loop_P:
+	BF_ENCRYPT_START
+	addl $8,tmp5
+	BF_ENCRYPT_END
+	leal 0x1000+18*4+BF_FRAME(ctx),tmp1
+	movl tmp5,BF_ptr
+	cmpl tmp5,tmp1
+	movl L,-8(tmp5)
+	movl R,-4(tmp5)
+	movl P(0),tmp2
+	ja BF_loop_P
+	leal BF_FRAME(ctx),tmp5
+	xorl tmp3,tmp3
+	movl tmp5,BF_ptr
+BF_loop_S:
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,(tmp5)
+	movl R,4(tmp5)
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,8(tmp5)
+	movl R,12(tmp5)
+	BF_ENCRYPT_START
+	BF_ENCRYPT_END
+	movl P(0),tmp2
+	movl L,16(tmp5)
+	movl R,20(tmp5)
+	BF_ENCRYPT_START
+	addl $32,tmp5
+	BF_ENCRYPT_END
+	leal 0x1000+BF_FRAME(ctx),tmp1
+	movl tmp5,BF_ptr
+	cmpl tmp5,tmp1
+	movl P(0),tmp2
+	movl L,-8(tmp5)
+	movl R,-4(tmp5)
+	ja BF_loop_S
+	movl 4(%esp),%esp
+	popl %edi
+	popl %esi
+	popl %ebx
+	popl %ebp
+	ret
+
+BF_die:
+/* Oops, need to re-compile with a larger BF_FRAME. */
+	hlt
+	jmp BF_die
+
+#endif
+
+#if defined(__ELF__) && defined(__linux__)
+.section .note.GNU-stack,"",%progbits
+#endif

data/lib/bcrypt/engine.rb

@@ -2,9 +2,19 @@ module BCrypt
   # A Ruby wrapper for the bcrypt() C extension calls and the Java calls.
   class Engine
     # The default computational expense parameter.
-    DEFAULT_COST    = 10
+    DEFAULT_COST    = 12
     # The minimum cost supported by the algorithm.
     MIN_COST        = 4
+    # The maximum cost supported by the algorithm.
+    MAX_COST = 31
+    # Maximum possible size of bcrypt() secrets.
+    # Older versions of the bcrypt library would truncate passwords longer
+    # than 72 bytes, but newer ones do not. We truncate like the old library for
+    # forward compatibility. This way users upgrading from Ubuntu 18.04 to 20.04
+    # will not have their user passwords invalidated, for example.
+    # A max secret length greater than 255 leads to bcrypt returning nil.
+    # https://github.com/bcrypt-ruby/bcrypt-ruby/issues/225#issuecomment-875908425
+    MAX_SECRET_BYTESIZE = 72
     # Maximum possible size of bcrypt() salts.
     MAX_SALT_LENGTH = 16
 
@@ -28,8 +38,8 @@ module BCrypt
     #
     # Example:
     #
-    #   BCrypt::Engine::DEFAULT_COST            #=> 10
-    #   BCrypt::Password.create('secret').cost  #=> 10
+    #   BCrypt::Engine::DEFAULT_COST            #=> 12
+    #   BCrypt::Password.create('secret').cost  #=> 12
     #
     #   BCrypt::Engine.cost = 8
     #   BCrypt::Password.create('secret').cost  #=> 8
@@ -41,14 +51,23 @@ module BCrypt
     end
 
     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
-    # a bcrypt() password hash.
+    # a bcrypt() password hash. Secrets longer than 72 bytes are truncated.
     def self.hash_secret(secret, salt, _ = nil)
+      unless _.nil?
+        warn "[DEPRECATION] Passing the third argument to " \
+             "`BCrypt::Engine.hash_secret` is deprecated. " \
+             "Please do not pass the third argument which " \
+             "is currently not used."
+      end
+
       if valid_secret?(secret)
         if valid_salt?(salt)
           if RUBY_PLATFORM == "java"
-            Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s, salt.to_s)
+            Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s.to_java_bytes, salt.to_s)
           else
-            __bc_crypt(secret.to_s, salt)
+            secret = secret.to_s
+            secret = secret.byteslice(0, MAX_SECRET_BYTESIZE) if secret && secret.bytesize > MAX_SECRET_BYTESIZE
+            __bc_crypt(secret, salt)
           end
         else
           raise Errors::InvalidSalt.new("invalid salt")
@@ -68,8 +87,7 @@ module BCrypt
         if RUBY_PLATFORM == "java"
           Java.bcrypt_jruby.BCrypt.gensalt(cost)
         else
-          prefix = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
-          __bc_salt(prefix, cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
+          __bc_salt("$2a$", cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
         end
       else
         raise Errors::InvalidCost.new("cost must be numeric and > 0")
@@ -78,7 +96,7 @@ module BCrypt
 
     # Returns true if +salt+ is a valid bcrypt() salt, false if not.
     def self.valid_salt?(salt)
-      !!(salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/)
+      !!(salt =~ /\A\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}\z/)
     end
 
     # Returns true if +secret+ is a valid bcrypt() secret, false if not.
@@ -99,7 +117,7 @@ module BCrypt
     #   # should take less than 1000ms
     #   BCrypt::Password.create("woo", :cost => 12)
     def self.calibrate(upper_time_limit_in_ms)
-      40.times do |i|
+      (BCrypt::Engine::MIN_COST..BCrypt::Engine::MAX_COST-1).each do |i|
         start_time = Time.now
         Password.create("testing testing", :cost => i+1)
         end_time = Time.now - start_time

data/lib/bcrypt/password.rb

@@ -7,7 +7,7 @@ module BCrypt
   #
   #   # hash a user's password
   #   @password = Password.create("my grand secret")
-  #   @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"
+  #   @password #=> "$2a$12$C5.FIvVDS9W4AYZ/Ib37YuWd/7ozp1UaMhU28UKrfSxp2oDchbi3K"
   #
   #   # store it safely
   #   @user.update_attribute(:password, @password)
@@ -42,12 +42,12 @@ module BCrypt
       #   @password = BCrypt::Password.create("my secret", :cost => 13)
       def create(secret, options = {})
         cost = options[:cost] || BCrypt::Engine.cost
-        raise ArgumentError if cost > 31
+        raise ArgumentError if cost > BCrypt::Engine::MAX_COST
         Password.new(BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(cost)))
       end
 
       def valid_hash?(h)
-        h =~ /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/
+        /\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/ === h
       end
     end
 
@@ -62,6 +62,17 @@ module BCrypt
     end
 
     # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
+    #
+    # Comparison edge case/gotcha:
+    #
+    #    secret = "my secret"
+    #    @password = BCrypt::Password.create(secret)
+    #
+    #    @password == secret              # => True
+    #    @password == @password           # => False
+    #    @password == @password.to_s      # => False
+    #    @password.to_s == @password      # => True
+    #    @password.to_s == @password.to_s # => True
     def ==(secret)
       super(BCrypt::Engine.hash_secret(secret, @salt))
     end
@@ -83,5 +94,4 @@ module BCrypt
       return v.to_str, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
     end
   end
-
 end

data/lib/bcrypt.rb

@@ -9,12 +9,7 @@ else
   require "openssl"
 end
 
-begin
-  RUBY_VERSION =~ /(\d+.\d+)/
-  require "#{$1}/bcrypt_ext"
-rescue LoadError
-  require "bcrypt_ext"
-end
+require "bcrypt_ext"
 
 require 'bcrypt/error'
 require 'bcrypt/engine'

metadata

@@ -1,60 +1,47 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.12
+  version: 3.1.20
 platform: ruby
 authors:
 - Coda Hale
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-05-16 00:00:00.000000000 Z
+date: 2023-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '3.12'
-description: ! "    bcrypt() is a sophisticated and secure hash algorithm designed
-  by The OpenBSD project\n    for hashing passwords. The bcrypt Ruby gem provides
-  a simple wrapper for safely handling\n    passwords.\n"
+description: |2
+      bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
+      for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
+      passwords.
 email: coda.hale@gmail.com
 executables: []
 extensions:
@@ -63,68 +50,57 @@ extra_rdoc_files:
 - README.md
 - COPYING
 - CHANGELOG
-- lib/bcrypt/password.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
+- lib/bcrypt/password.rb
 - lib/bcrypt.rb
 files:
-- .gitignore
-- .rspec
-- .travis.yml
 - CHANGELOG
 - COPYING
-- Gemfile
-- Gemfile.lock
 - README.md
-- Rakefile
-- appveyor.yml
-- bcrypt.gemspec
 - ext/jruby/bcrypt_jruby/BCrypt.java
 - ext/mri/bcrypt_ext.c
 - ext/mri/crypt.c
 - ext/mri/crypt.h
 - ext/mri/crypt_blowfish.c
+- ext/mri/crypt_blowfish.h
 - ext/mri/crypt_gensalt.c
+- ext/mri/crypt_gensalt.h
 - ext/mri/extconf.rb
 - ext/mri/ow-crypt.h
 - ext/mri/wrapper.c
+- ext/mri/x86.S
 - lib/bcrypt.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
 - lib/bcrypt/password.rb
-- spec/TestBCrypt.java
-- spec/bcrypt/engine_spec.rb
-- spec/bcrypt/error_spec.rb
-- spec/bcrypt/password_spec.rb
-- spec/spec_helper.rb
-homepage: https://github.com/codahale/bcrypt-ruby
+homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
-- --title
+- "--title"
 - bcrypt-ruby
-- --line-numbers
-- --inline-source
-- --main
+- "--line-numbers"
+- "--inline-source"
+- "--main"
 - README.md
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.
 test_files: []

data/.gitignore

@@ -1,9 +0,0 @@
-doc
-pkg
-tmp
-*.o
-*.bundle
-*.so
-*.jar
-.DS_Store
-.rbenv-gemsets

data/.rspec

@@ -1,3 +0,0 @@
---color
---backtrace
---format documentation

data/.travis.yml

@@ -1,21 +0,0 @@
-language: ruby
-before_install:
-  - gem update --system
-  - gem install bundler
-rvm:
-  - 1.8
-  - 1.9
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-  - jruby-18mode
-  - jruby-19mode
-  - jruby-head
-  - rbx-3
-  - ree
-script: bundle exec rake

data/Gemfile

@@ -1,2 +0,0 @@
-source 'https://rubygems.org'
-gemspec

data/Gemfile.lock

@@ -1,44 +0,0 @@
-PATH
-  remote: .
-  specs:
-    bcrypt (3.1.12)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    diff-lcs (1.2.5)
-    json (1.8.6)
-    json (1.8.6-java)
-    rake (10.4.2)
-    rake-compiler (0.9.5)
-      rake
-    rdoc (3.12.2)
-      json (~> 1.4)
-    rspec (3.3.0)
-      rspec-core (~> 3.3.0)
-      rspec-expectations (~> 3.3.0)
-      rspec-mocks (~> 3.3.0)
-    rspec-core (3.3.2)
-      rspec-support (~> 3.3.0)
-    rspec-expectations (3.3.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-mocks (3.3.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-support (3.3.0)
-
-PLATFORMS
-  java
-  ruby
-  x64-mingw32
-  x86-mingw32
-
-DEPENDENCIES
-  bcrypt!
-  rake-compiler (~> 0.9.2)
-  rdoc (~> 3.12)
-  rspec (>= 3)
-
-BUNDLED WITH
-   1.16.1

data/Rakefile

@@ -1,97 +0,0 @@
-require 'rspec/core/rake_task'
-require 'rubygems/package_task'
-require 'rake/extensiontask'
-require 'rake/javaextensiontask'
-require 'rake/clean'
-require 'rdoc/task'
-require 'benchmark'
-
-CLEAN.include(
-  "tmp",
-  "lib/1.8",
-  "lib/1.9",
-  "lib/2.0",
-  "lib/2.1",
-  "lib/2.2",
-  "lib/2.3",
-  "lib/2.4",
-  "lib/2.5",
-  "lib/bcrypt_ext.jar",
-  "lib/bcrypt_ext.so"
-)
-CLOBBER.include(
-  "doc",
-  "pkg"
-)
-
-GEMSPEC = Gem::Specification.load("bcrypt.gemspec")
-
-task :default => [:compile, :spec]
-
-desc "Run all specs"
-RSpec::Core::RakeTask.new do |t|
-  t.pattern = 'spec/**/*_spec.rb'
-  t.ruby_opts = '-w'
-end
-
-desc "Run all specs, with coverage testing"
-RSpec::Core::RakeTask.new(:rcov) do |t|
-  t.pattern = 'spec/**/*_spec.rb'
-  t.rcov = true
-  t.rcov_path = 'doc/coverage'
-  t.rcov_opts = ['--exclude', 'rspec,diff-lcs,rcov,_spec,_helper']
-end
-
-desc 'Generate RDoc'
-RDoc::Task.new do |rdoc|
-  rdoc.rdoc_dir = 'doc/rdoc'
-  rdoc.options += GEMSPEC.rdoc_options
-  rdoc.template = ENV['TEMPLATE'] if ENV['TEMPLATE']
-  rdoc.rdoc_files.include(*GEMSPEC.extra_rdoc_files)
-end
-
-Gem::PackageTask.new(GEMSPEC) do |pkg|
-  pkg.need_zip = true
-  pkg.need_tar = true
-end
-
-if RUBY_PLATFORM =~ /java/
-  Rake::JavaExtensionTask.new('bcrypt_ext', GEMSPEC) do |ext|
-    ext.ext_dir = 'ext/jruby'
-  end
-else
-  Rake::ExtensionTask.new("bcrypt_ext", GEMSPEC) do |ext|
-    ext.ext_dir = 'ext/mri'
-    ext.cross_compile = true
-    ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
-  end
-
-  ENV['RUBY_CC_VERSION'].to_s.split(':').each do |ruby_version|
-    platforms = {
-      "x86-mingw32" => "i686-w64-mingw32",
-      "x64-mingw32" => "x86_64-w64-mingw32"
-    }
-    platforms.each do |platform, prefix|
-      task "copy:bcrypt_ext:#{platform}:#{ruby_version}" do |t|
-        %w[lib tmp/#{platform}/stage/lib].each do |dir|
-          so_file = "#{dir}/#{ruby_version[/^\d+\.\d+/]}/bcrypt_ext.so"
-          if File.exists?(so_file)
-            sh "#{prefix}-strip -S #{so_file}"
-          end
-        end
-      end
-    end
-  end
-end
-
-desc "Run a set of benchmarks on the compiled extension."
-task :benchmark do
-  TESTS = 100
-  TEST_PWD = "this is a test"
-  require File.expand_path(File.join(File.dirname(__FILE__), "lib", "bcrypt"))
-  Benchmark.bmbm do |results|
-    4.upto(10) do |n|
-      results.report("cost #{n}:") { TESTS.times { BCrypt::Password.create(TEST_PWD, :cost => n) } }
-    end
-  end
-end