bcrypt 3.1.20-java → 3.1.22-java

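--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 18e51a94af441c07a71cba0f9d5c8e813ed65b0206e6d143784215d43404be78
-data.tar.gz: 0f593432119c2166fb96c65786b3bf119d42ecc35d7de1322b7700c81679e3b5
+metadata.gz: e5e50341afcc655da1321fed6959d18d14645c674439fa3147aa963a2418d371
+data.tar.gz: 7da8971cd67bac35a00cfc8b00224ab1a94d3fc47c7641d72e67c4886aaccb3d
 SHA512:
-metadata.gz: 92e7ac49940ed3c1ac8929da228dc90e48ef9ec12819fe9a83102211f7695c47ad9dd6e7aeb333b6499308556995405c9b7a7fd1b70eb0b12231d070f111f2d3
-data.tar.gz: bdbfa55d1c5e8c111b31f3c2bd0d90f4408799af5afcca5d53f2c47604033f991238948905f95f91f16a2f08d315283ceda37ea770cbe612d98170771da24394
+metadata.gz: 0c453b1b641b543b95a64ccea3ac0f73fcb73c90dafee7cb6594e451df02e994b253e965f249b9ba09971237c5750a61ea4da9fd66c3ed4304eb942c50f0bfa5
+data.tar.gz: 5c795f4a0b8d92ad537b08d0131fa682cd4e6e561e3bb1b09e7b112e0579b21c5a0a18475f0c8720be84a79a11d9b620732e559d2312f00336e0e9e367b0865d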
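--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,10 @@
+3.1.22 Mar 18 2026
+- [CVE-2026-33306] Fix integer overflow in Java extension
+
+3.1.21 Dec 31 2025
+- Use constant time comparisons
+- Mark as Ractor safe
+
 3.1.20 Nov 17 2023
 - Limit packaged files -- decrease gem filesize by ~28% [GH #272 by @pusewicz]
 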
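--- a/data/README.md
+++ b/data/README.md
@@ -30,8 +30,8 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
-* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller builds on Windows with the DevKit
+* Any modern Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 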
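--- a/<PATH-MISSING-FROM-PAGE: Java BCrypt source>
+++ b/<PATH-MISSING-FROM-PAGE: Java BCrypt source>
@@ -688,20 +688,21 @@ public class BCrypt {
 */
 private byte[] crypt_raw(byte password[], byte salt[], int log_rounds,
 boolean sign_ext_bug, int safety) {
-int rounds, i, j;
+long rounds;
+int i, j;
 int cdata[] = bf_crypt_ciphertext.clone();
 int clen = cdata.length;
 byte ret[];
 
 if (log_rounds < 4 || log_rounds > 31)
 throw new IllegalArgumentException ("Bad number of rounds");
-rounds = 1 << log_rounds;
+rounds = roundsForLogRounds(log_rounds);
 if (salt.length != BCRYPT_SALT_LEN)
 throw new IllegalArgumentException ("Bad salt length");
 
 init_key();
 ekskey(salt, password, sign_ext_bug, safety);
-for (i = 0; i < rounds; i++) {
+for (long r = 0; r < rounds; r++) {
 key(password, sign_ext_bug, safety);
 key(salt, false, safety);
 }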
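Review bot: The new `long rounds;` declaration carries no comment recording why the type was widened, and the reason is exactly the CVE-2026-33306 fix the changelog names: with `int`, the permitted `log_rounds == 31` made `1 << log_rounds` wrap to `Integer.MIN_VALUE`, so `i < rounds` was false at once and the expensive-key-schedule loop would run zero times. Suggest `long rounds; // long, not int: 1 << 31 overflows int for log_rounds == 31 (CVE-2026-33306)` so the next maintainer does not narrow it back. `roundsForLogRounds` is not in this diff, so whether it computes in `long` throughout cannot be checked here; `i` is no longer used by the rewritten loop, and whether it is still needed depends on the rest of `crypt_raw`, which continues past the hunk.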
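--- a/data/ext/mri/bcrypt_ext.c
+++ b/data/ext/mri/bcrypt_ext.c
@@ -111,6 +111,10 @@ static VALUE bc_crypt(VALUE self, VALUE key, VALUE setting) {
 
 /* Create the BCrypt and BCrypt::Engine modules, and populate them with methods. */
 void Init_bcrypt_ext(){
+#ifdef HAVE_RB_EXT_RACTOR_SAFE
+rb_ext_ractor_safe(true);
+#endif
+
 mBCrypt = rb_define_module("BCrypt");
 cBCryptEngine = rb_define_class_under(mBCrypt, "Engine", rb_cObject);
 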
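Review bot: `rb_ext_ractor_safe(true)` is a declaration that no function in this extension touches process-global mutable state when called from a non-main Ractor, but the hunk leaves no record of what was audited to justify it; `mBCrypt` and `cBCryptEngine` are file-scope VALUEs written here during init, and the functions that do the work (`bc_crypt` and the others) lie outside the hunk, so the property cannot be confirmed from this diff. Suggest a comment above the `#ifdef`, adjusted to what the audit found, such as `/* Ractor-safe: the module/class VALUEs are assigned only in Init; the wrapper functions keep all working state on the stack. */`. The `Init_bcrypt_ext` body continues past the hunk.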
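--- a/<PATH-MISSING-FROM-PAGE: Ruby BCrypt::Password source>
+++ b/<PATH-MISSING-FROM-PAGE: Ruby BCrypt::Password source>
@@ -73,8 +73,17 @@ module BCrypt
 # @password == @password.to_s # => False
 # @password.to_s == @password # => True
 # @password.to_s == @password.to_s # => True
+#
+# secret == @password # => probably False, because the secret is not a BCrypt::Password instance.
 def ==(secret)
-super(BCrypt::Engine.hash_secret(secret, @salt))
+hash = BCrypt::Engine.hash_secret(secret, @salt)
+
+return false if hash.strip.empty? || strip.empty? || hash.bytesize != bytesize
+
+# Constant time comparison so they can't tell the length.
+res = 0
+bytesize.times { |i| res |= getbyte(i) ^ hash.getbyte(i) }
+res == 0
 end
 alias_method :is_password?, :==
 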
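Review bot: The comment `# Constant time comparison so they can't tell the length.` names the wrong property: the length is already disclosed by the early `return false` on `hash.bytesize != bytesize` two lines above, and a bcrypt hash has a fixed length anyway. What the full-width loop actually protects is the position of the first differing byte, so `# Compare every byte regardless of mismatches so timing does not reveal where the two hashes first differ.` describes the code accurately. The `hash.strip.empty? || strip.empty?` guard is unexplained — `hash_secret` is outside this hunk, so presumably it can yield a blank string on failure and a one-line comment saying so would help the next reader. If the gem already loads openssl, `OpenSSL.fixed_length_secure_compare(self, hash)` expresses the same comparison in one call; the `==` method's enclosing class starts outside the hunk.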
data/lib/bcrypt_ext.jar CHANGED
Binary file
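--- a/metadata
+++ b/metadata
@@ -1,22 +1,21 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-version: 3.1.20
+version: 3.1.22
 platform: java
 authors:
 - Coda Hale
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-17 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+name: rake-compiler
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 1.2.0
-name: rake-compiler
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -25,12 +24,12 @@ dependencies:
 - !ruby/object:Gem::Version
 version: 1.2.0
 - !ruby/object:Gem::Dependency
+name: rspec
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '3'
-name: rspec
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +37,34 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '3'
+- !ruby/object:Gem::Dependency
+name: rdoc
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 7.0.3
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 7.0.3
+- !ruby/object:Gem::Dependency
+name: benchmark
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.5.0
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.5.0
 description: |2
 bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
 for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
@@ -46,9 +73,9 @@ email: coda.hale@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
-- COPYING
 - CHANGELOG
+- COPYING
+- README.md
 - lib/bcrypt.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
@@ -77,8 +104,8 @@ files:
 homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+changelog_uri: https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG
 rdoc_options:
 - "--title"
 - bcrypt-ruby
@@ -99,8 +126,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.
 test_files: []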