bcrypt 3.1.14

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 91feef6cbd30f7651c84a8b01e8c89e0072314bef8d3d980df592c74646945fe
4
+ data.tar.gz: 612ec7a098b11202dcee1e2a1d24dbe5c0d00c07938e69d4bf2c26c6f4767edc
5
+ SHA512:
6
+ metadata.gz: '08e1645f62b5b0bf9211a74d47f7660d6491ae218c073e11f135177476d33d36b267994e2ada56c10cd66e45157d3237fd3ed275f369f105e345b6e17b1cccc7'
7
+ data.tar.gz: 59d0d18110c202e8fddb58c97f3c6e33cafe767e6a567e02b8b0aff7ce6e9af345d723df8d59d4f7aa557a8dcc9ac22863b298e9cb37c990f5bf1514cbc32526
@@ -0,0 +1,9 @@
1
+ doc
2
+ pkg
3
+ tmp
4
+ *.o
5
+ *.bundle
6
+ *.so
7
+ *.jar
8
+ .DS_Store
9
+ .rbenv-gemsets
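--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1,3 @@
+--color
+--backtrace
+--format documentation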
@@ -0,0 +1,23 @@
1
+ language: ruby
2
+ before_install:
3
+ - "echo 'gem: --no-rdoc --no-ri' > ~/.gemrc"
4
+ - gem update --system 2.7.8
5
+ - gem install bundler -v 1.17.3
6
+ rvm:
7
+ - 2.0
8
+ - 2.1
9
+ - 2.2
10
+ - 2.3
11
+ - 2.4
12
+ - 2.5
13
+ - 2.6
14
+ - ruby-head
15
+ - jruby-head
16
+ - rbx-3
17
+ matrix:
18
+ allow_failures:
19
+ - rvm: ruby-head
20
+ - rvm: jruby-head
21
+ - rvm: rbx-3
22
+ fast_finish: true
23
+ script: bundle exec rake
@@ -0,0 +1,98 @@
1
+ 3.1.14 July 21 2020
2
+ - Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
3
+
4
+ 3.1.13 May 31 2019
5
+ - No longer include compiled binaries for Windows. See GH #173.
6
+ - Update C and Java implementations to latest versions [GH #182 by @fonica]
7
+ - Bump default cost to 12 [GH #181 by @bdewater]
8
+ - Remove explicit support for Rubies 1.8 and 1.9
9
+ - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
10
+
11
+ 3.1.12 May 16 2018
12
+ - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
13
+ - Fix compatibility with libxcrypt [GH #164 by @besser82]
14
+
15
+ 3.1.11 Mar 06 2016
16
+ - Add support for Ruby 2.2 in compiled Windows binaries
17
+
18
+ 3.1.10 Jan 28 2015
19
+ - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
20
+
21
+ 3.1.9 Oct 23 2014
22
+ - Rebuild corrupt binaries
23
+
24
+ 3.1.8 Oct 23 2014
25
+ - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
26
+
27
+ 3.1.7 Feb 24 2014
28
+ - Rebuild corrupt Java binary version of gem [GH #90]
29
+ - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
30
+
31
+ 3.1.6 Feb 21 2014
32
+ - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
33
+ bugs. It felt wrong to have that at a higher version than the real gem, so
34
+ the real gem is getting bumped to 3.1.6.
35
+
36
+ 3.1.3 Feb 21 2014
37
+ - Add support for Ruby 2.1 in compiled Windows binaries
38
+ - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
39
+
40
+ 3.1.2 Aug 26 2013
41
+ - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
42
+ - Add support for 64-bit Windows
43
+
44
+ 3.1.1 Jul 10 2013
45
+ - Remove support for Ruby 1.8 in compiled win32 binaries
46
+
47
+ 3.1.0 May 07 2013
48
+ - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
49
+ - BCrypt::Password cost should be set to DEFAULT_COST if nil
50
+ - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
51
+
52
+ 3.0.1 Sep 12 2011
53
+ - create raises an exception if the cost is higher than 31. GH #27
54
+
55
+ 3.0.0 Aug 24 2011
56
+ - Bcrypt C implementation replaced with a public domain implementation.
57
+ - License changed to MIT
58
+
59
+ 2.1.2 Sep 16 2009
60
+ - Fixed support for Solaris, OpenSolaris.
61
+
62
+ 2.1.1 Aug 14 2009
63
+ - JVM 1.4/1.5 compatibility [Hongli Lai]
64
+
65
+ 2.1.0 Aug 12 2009
66
+ - Improved code coverage, unit tests, and build chain. [Hongli Lai]
67
+ - Ruby 1.9 compatibility fixes. [Hongli Lai]
68
+ - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
69
+ - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
70
+
71
+ 2.0.5 Mar 11 2009
72
+ - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
73
+
74
+ 2.0.4 Mar 09 2009
75
+ - Added Ruby 1.9 compatibility. [Genki Takiuchi]
76
+ - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
77
+
78
+ 2.0.3 May 07 2008
79
+ - Made exception classes descend from StandardError, not Exception [Dan42]
80
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
81
+ sorting issues. [Lee Pope]
82
+
83
+ 2.0.2 Jun 06 2007
84
+ - Fixed example code in the README [Winson]
85
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
86
+
87
+ 2.0.1 Mar 09 2007
88
+ - Fixed load path issues
89
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
90
+
91
+ 2.0.0 Mar 07 2007
92
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
93
+ - Added BCrypt::Password#is_password?.
94
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
95
+ - Added validation of secrets -- nil is not healthy.
96
+
97
+ 1.0.0 Feb 27 2007
98
+ - Initial release.
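--- a/data/COPYING
+++ b/data/COPYING
@@ -0,0 +1,28 @@
+(The MIT License)
+
+Copyright 2007-2011:
+
+* Coda Hale <coda.hale@gmail.com>
+
+C implementation of the BCrypt algorithm by Solar Designer and placed in the
+public domain.
+jBCrypt is Copyright (c) 2006 Damien Miller <djm@mindrot.org>.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.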
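--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec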
@@ -0,0 +1,36 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ bcrypt (3.1.14)
5
+
6
+ GEM
7
+ remote: https://rubygems.org/
8
+ specs:
9
+ diff-lcs (1.4.4)
10
+ rake (13.0.1)
11
+ rake-compiler (0.9.9)
12
+ rake
13
+ rspec (3.9.0)
14
+ rspec-core (~> 3.9.0)
15
+ rspec-expectations (~> 3.9.0)
16
+ rspec-mocks (~> 3.9.0)
17
+ rspec-core (3.9.2)
18
+ rspec-support (~> 3.9.3)
19
+ rspec-expectations (3.9.2)
20
+ diff-lcs (>= 1.2.0, < 2.0)
21
+ rspec-support (~> 3.9.0)
22
+ rspec-mocks (3.9.1)
23
+ diff-lcs (>= 1.2.0, < 2.0)
24
+ rspec-support (~> 3.9.0)
25
+ rspec-support (3.9.3)
26
+
27
+ PLATFORMS
28
+ ruby
29
+
30
+ DEPENDENCIES
31
+ bcrypt!
32
+ rake-compiler (~> 0.9.2)
33
+ rspec (>= 3)
34
+
35
+ BUNDLED WITH
36
+ 2.2.0.dev
@@ -0,0 +1,194 @@
1
+ # bcrypt-ruby
2
+
3
+ An easy way to keep your users' passwords secure.
4
+
5
+ * https://github.com/codahale/bcrypt-ruby/tree/master
6
+
7
+ [![Travis Build Status](https://travis-ci.org/codahale/bcrypt-ruby.svg?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
8
+ [![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/6fplerx9lnaf0hyo?svg=true)](https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby)
9
+
10
+
11
+ ## Why you should use `bcrypt()`
12
+
13
+ If you store user passwords in the clear, then an attacker who steals a copy of your database has a giant list of emails
14
+ and passwords. Some of your users will only have one password -- for their email account, for their banking account, for
15
+ your application. A simple hack could escalate into massive identity theft.
16
+
17
+ It's your responsibility as a web developer to make your web application secure -- blaming your users for not being
18
+ security experts is not a professional response to risk.
19
+
20
+ `bcrypt()` allows you to easily harden your application against these kinds of attacks.
21
+
22
+ *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
23
+ vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
24
+ was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
25
+ passwords with international characters in them, you will need to
26
+ re-hash those passwords. This vulnerability only affected the JRuby gem.
27
+
28
+ ## How to install bcrypt
29
+
30
+ gem install bcrypt
31
+
32
+ The bcrypt gem is available on the following Ruby platforms:
33
+
34
+ * JRuby
35
+ * RubyInstaller 2.0 – 2.5 builds on Windows with the DevKit
36
+ * Any 2.0 – 2.5 Ruby on a BSD/OS X/Linux system with a compiler
37
+
38
+ ## How to use `bcrypt()` in your Rails application
39
+
40
+ *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
41
+ `has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
42
+ implements a similar authentication strategy to the code below.
43
+
44
+ ### The _User_ model
45
+ ```ruby
46
+ require 'bcrypt'
47
+
48
+ class User < ActiveRecord::Base
49
+ # users.password_hash in the database is a :string
50
+ include BCrypt
51
+
52
+ def password
53
+ @password ||= Password.new(password_hash)
54
+ end
55
+
56
+ def password=(new_password)
57
+ @password = Password.create(new_password)
58
+ self.password_hash = @password
59
+ end
60
+ end
61
+ ```
62
+ ### Creating an account
63
+ ```ruby
64
+ def create
65
+ @user = User.new(params[:user])
66
+ @user.password = params[:password]
67
+ @user.save!
68
+ end
69
+ ```
70
+ ### Authenticating a user
71
+ ```ruby
72
+ def login
73
+ @user = User.find_by_email(params[:email])
74
+ if @user.password == params[:password]
75
+ give_token
76
+ else
77
+ redirect_to home_url
78
+ end
79
+ end
80
+ ```
81
+ ## How to use bcrypt-ruby in general
82
+ ```ruby
83
+ require 'bcrypt'
84
+
85
+ my_password = BCrypt::Password.create("my password")
86
+ #=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
87
+
88
+ my_password.version #=> "2a"
89
+ my_password.cost #=> 12
90
+ my_password == "my password" #=> true
91
+ my_password == "not my password" #=> false
92
+
93
+ my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
94
+ my_password == "my password" #=> true
95
+ my_password == "not my password" #=> false
96
+ ```
97
+ Check the rdocs for more details -- BCrypt, BCrypt::Password.
98
+
99
+ ## How `bcrypt()` works
100
+
101
+ `bcrypt()` is a hashing algorithm designed by Niels Provos and David Mazières of the OpenBSD Project.
102
+
103
+ ### Background
104
+
105
+ Hash algorithms take a chunk of data (e.g., your user's password) and create a "digital fingerprint," or hash, of it.
106
+ Because this process is not reversible, there's no way to go from the hash back to the password.
107
+
108
+ In other words:
109
+
110
+ hash(p) #=> <unique gibberish>
111
+
112
+ You can store the hash and check it against a hash made of a potentially valid password:
113
+
114
+ <unique gibberish> =? hash(just_entered_password)
115
+
116
+ ### Rainbow Tables
117
+
118
+ But even this has weaknesses -- attackers can just run lists of possible passwords through the same algorithm, store the
119
+ results in a big database, and then look up the passwords by their hash:
120
+
121
+ PrecomputedPassword.find_by_hash(<unique gibberish>).password #=> "secret1"
122
+
123
+ ### Salts
124
+
125
+ The solution to this is to add a small chunk of random data -- called a salt -- to the password before it's hashed:
126
+
127
+ hash(salt + p) #=> <really unique gibberish>
128
+
129
+ The salt is then stored along with the hash in the database, and used to check potentially valid passwords:
130
+
131
+ <really unique gibberish> =? hash(salt + just_entered_password)
132
+
133
+ bcrypt-ruby automatically handles the storage and generation of these salts for you.
134
+
135
+ Adding a salt means that an attacker has to have a gigantic database for each unique salt -- for a salt made of 4
136
+ letters, that's 456,976 different databases. Pretty much no one has that much storage space, so attackers try a
137
+ different, slower method -- throw a list of potential passwords at each individual password:
138
+
139
+ hash(salt + "aadvark") =? <really unique gibberish>
140
+ hash(salt + "abacus") =? <really unique gibberish>
141
+ etc.
142
+
143
+ This is much slower than the big database approach, but most hash algorithms are pretty quick -- and therein lies the
144
+ problem. Hash algorithms aren't usually designed to be slow, they're designed to turn gigabytes of data into secure
145
+ fingerprints as quickly as possible. `bcrypt()`, though, is designed to be computationally expensive:
146
+
147
+ Ten thousand iterations:
148
+ user system total real
149
+ md5 0.070000 0.000000 0.070000 ( 0.070415)
150
+ bcrypt 22.230000 0.080000 22.310000 ( 22.493822)
151
+
152
+ If an attacker was using Ruby to check each password, they could check ~140,000 passwords a second with MD5 but only
153
+ ~450 passwords a second with `bcrypt()`.
154
+
155
+ ### Cost Factors
156
+
157
+ In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
158
+ passwords will still work fine, but new passwords can keep up with the times.
159
+
160
+ The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
161
+ stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
162
+ server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
163
+
164
+ To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
165
+ ```ruby
166
+ BCrypt::Password.create('secret').cost
167
+ #=> 12, the default provided by bcrypt-ruby
168
+
169
+ # set a new default cost
170
+ BCrypt::Engine.cost = 8
171
+ BCrypt::Password.create('secret').cost
172
+ #=> 8
173
+ ```
174
+ The default cost can be overridden as needed by passing an options hash with a different cost:
175
+
176
+ BCrypt::Password.create('secret', :cost => 6).cost #=> 6
177
+
178
+ ## More Information
179
+
180
+ `bcrypt()` is currently used as the default password storage hash in OpenBSD, widely regarded as the most secure operating
181
+ system available.
182
+
183
+ For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
184
+ Usenix99 paper:
185
+ https://www.usenix.org/events/usenix99/provos.html
186
+
187
+ If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
188
+ Ferguson and Bruce Schneier:
189
+ https://www.schneier.com/book-practical.html
190
+
191
+ # Etc
192
+
193
+ * Author :: Coda Hale <coda.hale@gmail.com>
194
+ * Website :: https://codahale.com
@@ -0,0 +1,70 @@
1
+ require 'rspec/core/rake_task'
2
+ require 'rubygems/package_task'
3
+ require 'rake/extensiontask'
4
+ require 'rake/javaextensiontask'
5
+ require 'rake/clean'
6
+ require 'rdoc/task'
7
+ require 'benchmark'
8
+
9
+ CLEAN.include(
10
+ "tmp",
11
+ "lib/bcrypt_ext.jar",
12
+ "lib/bcrypt_ext.so"
13
+ )
14
+ CLOBBER.include(
15
+ "doc",
16
+ "pkg"
17
+ )
18
+
19
+ GEMSPEC = Gem::Specification.load("bcrypt.gemspec")
20
+
21
+ task :default => [:compile, :spec]
22
+
23
+ desc "Run all specs"
24
+ RSpec::Core::RakeTask.new do |t|
25
+ t.pattern = 'spec/**/*_spec.rb'
26
+ t.ruby_opts = '-w'
27
+ end
28
+
29
+ desc "Run all specs, with coverage testing"
30
+ RSpec::Core::RakeTask.new(:rcov) do |t|
31
+ t.pattern = 'spec/**/*_spec.rb'
32
+ t.rcov = true
33
+ t.rcov_path = 'doc/coverage'
34
+ t.rcov_opts = ['--exclude', 'rspec,diff-lcs,rcov,_spec,_helper']
35
+ end
36
+
37
+ desc 'Generate RDoc'
38
+ RDoc::Task.new do |rdoc|
39
+ rdoc.rdoc_dir = 'doc/rdoc'
40
+ rdoc.options += GEMSPEC.rdoc_options
41
+ rdoc.template = ENV['TEMPLATE'] if ENV['TEMPLATE']
42
+ rdoc.rdoc_files.include(*GEMSPEC.extra_rdoc_files)
43
+ end
44
+
45
+ Gem::PackageTask.new(GEMSPEC) do |pkg|
46
+ pkg.need_zip = true
47
+ pkg.need_tar = true
48
+ end
49
+
50
+ if RUBY_PLATFORM =~ /java/
51
+ Rake::JavaExtensionTask.new('bcrypt_ext', GEMSPEC) do |ext|
52
+ ext.ext_dir = 'ext/jruby'
53
+ end
54
+ else
55
+ Rake::ExtensionTask.new("bcrypt_ext", GEMSPEC) do |ext|
56
+ ext.ext_dir = 'ext/mri'
57
+ end
58
+ end
59
+
60
+ desc "Run a set of benchmarks on the compiled extension."
61
+ task :benchmark do
62
+ TESTS = 100
63
+ TEST_PWD = "this is a test"
64
+ require File.expand_path(File.join(File.dirname(__FILE__), "lib", "bcrypt"))
65
+ Benchmark.bmbm do |results|
66
+ 4.upto(10) do |n|
67
+ results.report("cost #{n}:") { TESTS.times { BCrypt::Password.create(TEST_PWD, :cost => n) } }
68
+ end
69
+ end
70
+ end
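Review bot: `TESTS = 100` and `TEST_PWD = "this is a test"` inside the `task :benchmark do` body are constant assignments within a block, so Ruby defines them on Object when the task runs rather than scoping them to the task, and invoking the task a second time in the same process emits "already initialized constant" warnings. Plain locals say what is meant and avoid the leak: `tests = 100`, `test_pwd = "this is a test"`, and `results.report("cost #{n}:") { tests.times { BCrypt::Password.create(test_pwd, cost: n) } }`. Separately, the `:rcov` task sets `t.rcov`, `t.rcov_path` and `t.rcov_opts`; rspec-core 3 (the lockfile pins 3.9.0) may no longer expose those writers on `RSpec::Core::RakeTask`, and if so the block raises at Rakefile load, so it is worth confirming that `bundle exec rake` still loads this file before relying on it in CI.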