bcrypt 3.1.20 → 3.1.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07e8668c9a825180f04b43722ef89af1148678a0cc400c948694afe111844cfd
-  data.tar.gz: 143b36a98ce7e5626817e0e84045cb941a949118bb7b818fc75ae6d7728b0f00
+  metadata.gz: 521c5039d4a683bdf17faa98c3fddc47318f415597bd7575615c1f309ba65a4d
+  data.tar.gz: 9abdb8766bcfdc8cfeacbe41eb66fd0a8436ad5b1e9ff67b18239019387be3a1
 SHA512:
-  metadata.gz: f6a8a4a9c46fbd191fd66bf1010a170db71551ee0cf911ab36e5c8af65a950ac7f6aef956330b9f6de3388b3c43b5d8aaaac933117c51237596a774073fafd7a
-  data.tar.gz: 902c20e6358ccf84e3661bd7fa88df7b42388e8bc5b185d4b2170714e8423605a96f91ec5ef779fe86c4bb5bb45f04fbcf8908854d4c420686e13c2290f08345
+  metadata.gz: 6ce98e4f36915b8fb3dc2cc5a0dadb7624914bbfabd8d5e804ac1c945c8fe23794c1a3652841634766c5fe8876cd06ccb04b737c84f54e6b4bca82701d529c07
+  data.tar.gz: 9a2eddcb94fa016dfae3e46901df0cd5f9afd30c63789eb4682cf9fc7b55cc3348e1822663a4c4cff9f277d26a6f907ba139d2578fb1510b58559ee76d58d2ce

data/CHANGELOG

@@ -1,3 +1,10 @@
+3.1.22 Mar 18 2026
+  - [CVE-2026-33306] Fix integer overflow in Java extension
+
+3.1.21 Dec 31 2025
+  - Use constant time comparisons
+  - Mark as Ractor safe
+
 3.1.20 Nov 17 2023
   - Limit packaged files -- decrease gem filesize by ~28% [GH #272 by @pusewicz]
 

data/README.md

@@ -30,8 +30,8 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
-* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller builds on Windows with the DevKit
+* Any modern Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 

data/ext/jruby/bcrypt_jruby/BCrypt.java

@@ -688,20 +688,21 @@ public class BCrypt {
 	 */
 	private byte[] crypt_raw(byte password[], byte salt[], int log_rounds,
 							boolean sign_ext_bug, int safety) {
-		int rounds, i, j;
+		long rounds;
+		int i, j;
 		int cdata[] =  bf_crypt_ciphertext.clone();
 		int clen = cdata.length;
 		byte ret[];
 
 		if (log_rounds < 4 || log_rounds > 31)
 			throw new IllegalArgumentException ("Bad number of rounds");
-		rounds = 1 << log_rounds;
+		rounds = roundsForLogRounds(log_rounds);
 		if (salt.length != BCRYPT_SALT_LEN)
 			throw new IllegalArgumentException ("Bad salt length");
 
 		init_key();
 		ekskey(salt, password, sign_ext_bug, safety);
-		for (i = 0; i < rounds; i++) {
+		for (long r = 0; r < rounds; r++) {
 			key(password, sign_ext_bug, safety);
 			key(salt, false, safety);
 		}

data/ext/mri/bcrypt_ext.c

@@ -111,6 +111,10 @@ static VALUE bc_crypt(VALUE self, VALUE key, VALUE setting) {
 
 /* Create the BCrypt and BCrypt::Engine modules, and populate them with methods. */
 void Init_bcrypt_ext(){
+#ifdef HAVE_RB_EXT_RACTOR_SAFE
+    rb_ext_ractor_safe(true);
+#endif
+    
     mBCrypt = rb_define_module("BCrypt");
     cBCryptEngine = rb_define_class_under(mBCrypt, "Engine", rb_cObject);
 

data/lib/bcrypt/password.rb

@@ -73,8 +73,17 @@ module BCrypt
     #    @password == @password.to_s      # => False
     #    @password.to_s == @password      # => True
     #    @password.to_s == @password.to_s # => True
+    #
+    #    secret == @password              # => probably False, because the secret is not a BCrypt::Password instance.
     def ==(secret)
-      super(BCrypt::Engine.hash_secret(secret, @salt))
+      hash = BCrypt::Engine.hash_secret(secret, @salt)
+
+      return false if hash.strip.empty? || strip.empty? || hash.bytesize != bytesize
+
+      # Constant time comparison so they can't tell the length.
+      res = 0
+      bytesize.times { |i| res |= getbyte(i) ^ hash.getbyte(i) }
+      res == 0
     end
     alias_method :is_password?, :==
 

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.20
+  version: 3.1.22
 platform: ruby
 authors:
 - Coda Hale
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-17 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -38,6 +37,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.3
+- !ruby/object:Gem::Dependency
+  name: benchmark
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.0
 description: |2
       bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
       for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
@@ -47,13 +74,13 @@ executables: []
 extensions:
 - ext/mri/extconf.rb
 extra_rdoc_files:
-- README.md
-- COPYING
 - CHANGELOG
+- COPYING
+- README.md
+- lib/bcrypt.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
 - lib/bcrypt/password.rb
-- lib/bcrypt.rb
 files:
 - CHANGELOG
 - COPYING
@@ -77,8 +104,8 @@ files:
 homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  changelog_uri: https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG
 rdoc_options:
 - "--title"
 - bcrypt-ruby
@@ -99,8 +126,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 4.0.6
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.
 test_files: []