bcrypt 3.1.7 → 3.1.20

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
- ---
2
- SHA512:
3
- metadata.gz: e9a27bd4544153b3e73771ddc6ee262227c7c666df2001028f0860b335810b3f01862d30c86c24d893fda4690298016c60f76accd467e95c9c9048945802d7b6
4
- data.tar.gz: 1798cf7b86267393f52b54b31356aa6c54b9ad524d86b97354322b4ae9a032e472cd98fb4cd209ecf2372a7e55556b42173a0c2d16a7467d7cc4b2ef98343636
5
- SHA1:
6
- metadata.gz: d58ac651be05f4747ff8d8258d2fe0920e26f375
7
- data.tar.gz: 8f7b7aad5c4c3f572dd172fac39fcd0de31012c5
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 07e8668c9a825180f04b43722ef89af1148678a0cc400c948694afe111844cfd
4
+ data.tar.gz: 143b36a98ce7e5626817e0e84045cb941a949118bb7b818fc75ae6d7728b0f00
5
+ SHA512:
6
+ metadata.gz: f6a8a4a9c46fbd191fd66bf1010a170db71551ee0cf911ab36e5c8af65a950ac7f6aef956330b9f6de3388b3c43b5d8aaaac933117c51237596a774073fafd7a
7
+ data.tar.gz: 902c20e6358ccf84e3661bd7fa88df7b42388e8bc5b185d4b2170714e8423605a96f91ec5ef779fe86c4bb5bb45f04fbcf8908854d4c420686e13c2290f08345
data/CHANGELOG CHANGED
@@ -1,72 +1,120 @@
1
- 1.0.0 Feb 27 2007
2
- - Initial release.
1
+ 3.1.20 Nov 17 2023
2
+ - Limit packaged files -- decrease gem filesize by ~28% [GH #272 by @pusewicz]
3
3
 
4
- 2.0.0 Mar 07 2007
5
- - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
6
- - Added BCrypt::Password#is_password?.
7
- - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
8
- - Added validation of secrets -- nil is not healthy.
4
+ 3.1.19 June 22 2023
5
+ - Deprecate passing the third argument to `BCrypt::Engine.hash_secret` [GH #207 by @sergey-alekseev]
6
+ - Add GC guards so the C compiler won't optimize out references [GH #270]
9
7
 
10
- 2.0.1 Mar 09 2007
11
- - Fixed load path issues
12
- - Fixed crashes when hashing weird values (e.g., false, etc.)
8
+ 3.1.18 May 16 2022
9
+ - Unlock GVL when calculating hashes and salts [GH #260]
10
+ - Fix compilation warnings in `ext/mri/bcrypt_ext.c` [GH #261]
13
11
 
14
- 2.0.2 Jun 06 2007
15
- - Fixed example code in the README [Winson]
16
- - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
12
+ 3.1.17 Mar 14 2022
13
+ - Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
14
+ - Truncate secrets greater than 72 bytes in hash_secret [GH #255]
15
+ - Assorted test and doc improvements
17
16
 
18
- 2.0.3 May 07 2008
19
- - Made exception classes descend from StandardError, not Exception [Dan42]
20
- - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
21
- sorting issues. [Lee Pope]
17
+ 3.1.16 Sep 3 2020
18
+ - Fix compilation on FreeBSD. [GH #234]
22
19
 
23
- 2.0.4 Mar 09 2009
24
- - Added Ruby 1.9 compatibility. [Genki Takiuchi]
25
- - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
20
+ 3.1.15 July 21 2020
21
+ - Remove GVL optimization. Apparently it breaks things [GH #230]
26
22
 
27
- 2.0.5 Mar 11 2009
28
- - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
23
+ 3.1.14 July 21 2020
24
+ - Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
29
25
 
30
- 2.1.0 Aug 12 2009
31
- - Improved code coverage, unit tests, and build chain. [Hongli Lai]
32
- - Ruby 1.9 compatibility fixes. [Hongli Lai]
33
- - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
34
- - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
26
+ 3.1.13 May 31 2019
27
+ - No longer include compiled binaries for Windows. See GH #173.
28
+ - Update C and Java implementations to latest versions [GH #182 by @fonica]
29
+ - Bump default cost to 12 [GH #181 by @bdewater]
30
+ - Remove explicit support for Rubies 1.8 and 1.9
31
+ - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
35
32
 
36
- 2.1.1 Aug 14 2009
37
- - JVM 1.4/1.5 compatibility [Hongli Lai]
33
+ 3.1.12 May 16 2018
34
+ - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
35
+ - Fix compatibility with libxcrypt - Fixes hash errors in Fedora 28 and Ubuntu 20 [GH #164 by @besser82]
38
36
 
39
- 2.1.2 Sep 16 2009
40
- - Fixed support for Solaris, OpenSolaris.
37
+ 3.1.11 Mar 06 2016
38
+ - Add support for Ruby 2.2 in compiled Windows binaries
41
39
 
42
- 3.0.0 Aug 24 2011
43
- - Bcrypt C implementation replaced with a public domain implementation.
44
- - License changed to MIT
40
+ 3.1.10 Jan 28 2015
41
+ - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
45
42
 
46
- 3.0.1 Sep 12 2011
47
- - create raises an exception if the cost is higher than 31. GH #27
43
+ 3.1.9 Oct 23 2014
44
+ - Rebuild corrupt binaries
45
+
46
+ 3.1.8 Oct 23 2014
47
+ - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
48
+
49
+ 3.1.7 Feb 24 2014
50
+ - Rebuild corrupt Java binary version of gem [GH #90]
51
+ - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
52
+
53
+ 3.1.6 Feb 21 2014
54
+ - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
55
+ bugs. It felt wrong to have that at a higher version than the real gem, so
56
+ the real gem is getting bumped to 3.1.6.
57
+
58
+ 3.1.3 Feb 21 2014
59
+ - Add support for Ruby 2.1 in compiled Windows binaries
60
+ - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
61
+
62
+ 3.1.2 Aug 26 2013
63
+ - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
64
+ - Add support for 64-bit Windows
65
+
66
+ 3.1.1 Jul 10 2013
67
+ - Remove support for Ruby 1.8 in compiled win32 binaries
48
68
 
49
69
  3.1.0 May 07 2013
50
70
  - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
51
71
  - BCrypt::Password cost should be set to DEFAULT_COST if nil
52
72
  - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
53
73
 
54
- 3.1.1 Jul 10 2013
55
- - Remove support for Ruby 1.8 in compiled win32 binaries
74
+ 3.0.1 Sep 12 2011
75
+ - create raises an exception if the cost is higher than 31. GH #27
56
76
 
57
- 3.1.2 Aug 26 2013
58
- - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
59
- - Add support for 64-bit Windows
77
+ 3.0.0 Aug 24 2011
78
+ - Bcrypt C implementation replaced with a public domain implementation.
79
+ - License changed to MIT
60
80
 
61
- 3.1.3 Feb 21 2014
62
- - Add support for Ruby 2.1 in compiled Windows binaries
63
- - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
81
+ 2.1.2 Sep 16 2009
82
+ - Fixed support for Solaris, OpenSolaris.
64
83
 
65
- 3.1.6 Feb 21 2014
66
- - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
67
- bugs. It felt wrong to have that at a higher version than the real gem, so
68
- the real gem is getting bumped to 3.1.6.
84
+ 2.1.1 Aug 14 2009
85
+ - JVM 1.4/1.5 compatibility [Hongli Lai]
69
86
 
70
- 3.1.7 Feb 24 2014
71
- - Rebuild corrupt Java binary version of gem [GH #90]
72
- - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
87
+ 2.1.0 Aug 12 2009
88
+ - Improved code coverage, unit tests, and build chain. [Hongli Lai]
89
+ - Ruby 1.9 compatibility fixes. [Hongli Lai]
90
+ - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
91
+ - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
92
+
93
+ 2.0.5 Mar 11 2009
94
+ - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
95
+
96
+ 2.0.4 Mar 09 2009
97
+ - Added Ruby 1.9 compatibility. [Genki Takiuchi]
98
+ - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
99
+
100
+ 2.0.3 May 07 2008
101
+ - Made exception classes descend from StandardError, not Exception [Dan42]
102
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
103
+ sorting issues. [Lee Pope]
104
+
105
+ 2.0.2 Jun 06 2007
106
+ - Fixed example code in the README [Winson]
107
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
108
+
109
+ 2.0.1 Mar 09 2007
110
+ - Fixed load path issues
111
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
112
+
113
+ 2.0.0 Mar 07 2007
114
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
115
+ - Added BCrypt::Password#is_password?.
116
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
117
+ - Added validation of secrets -- nil is not healthy.
118
+
119
+ 1.0.0 Feb 27 2007
120
+ - Initial release.
data/README.md CHANGED
@@ -2,9 +2,9 @@
2
2
 
3
3
  An easy way to keep your users' passwords secure.
4
4
 
5
- * http://github.com/codahale/bcrypt-ruby/tree/master
5
+ * https://github.com/bcrypt-ruby/bcrypt-ruby/tree/master
6
6
 
7
- [![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
7
+ [![Github Actions Build Status](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml)
8
8
 
9
9
  ## Why you should use `bcrypt()`
10
10
 
@@ -18,7 +18,7 @@ security experts is not a professional response to risk.
18
18
  `bcrypt()` allows you to easily harden your application against these kinds of attacks.
19
19
 
20
20
  *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
21
- vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
21
+ vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
22
22
  was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
23
23
  passwords with international characters in them, you will need to
24
24
  re-hash those passwords. This vulnerability only affected the JRuby gem.
@@ -27,82 +27,71 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
27
27
 
28
28
  gem install bcrypt
29
29
 
30
- The bcrypt gem is available on the following ruby platforms:
30
+ The bcrypt gem is available on the following Ruby platforms:
31
31
 
32
32
  * JRuby
33
- * RubyInstaller 1.8, 1.9, and 2.0 builds on win32
34
- * Any 1.8, 1.9, 2.0, or 2.1 ruby on a BSD/OSX/Linux system with a compiler
33
+ * RubyInstaller 2.0 3.0 builds on Windows with the DevKit
34
+ * Any 2.0 3.0 Ruby on a BSD/OS X/Linux system with a compiler
35
35
 
36
36
  ## How to use `bcrypt()` in your Rails application
37
37
 
38
38
  *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
39
- `has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
39
+ `has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
40
40
  implements a similar authentication strategy to the code below.
41
41
 
42
42
  ### The _User_ model
43
-
44
- require 'bcrypt'
45
-
46
- class User < ActiveRecord::Base
47
- # users.password_hash in the database is a :string
48
- include BCrypt
49
-
50
- def password
51
- @password ||= Password.new(password_hash)
52
- end
53
-
54
- def password=(new_password)
55
- @password = Password.create(new_password)
56
- self.password_hash = @password
57
- end
58
- end
59
-
43
+ ```ruby
44
+ require 'bcrypt'
45
+
46
+ class User < ActiveRecord::Base
47
+ # users.password_hash in the database is a :string
48
+ include BCrypt
49
+
50
+ def password
51
+ @password ||= Password.new(password_hash)
52
+ end
53
+
54
+ def password=(new_password)
55
+ @password = Password.create(new_password)
56
+ self.password_hash = @password
57
+ end
58
+ end
59
+ ```
60
60
  ### Creating an account
61
-
62
- def create
63
- @user = User.new(params[:user])
64
- @user.password = params[:password]
65
- @user.save!
66
- end
67
-
61
+ ```ruby
62
+ def create
63
+ @user = User.new(params[:user])
64
+ @user.password = params[:password]
65
+ @user.save!
66
+ end
67
+ ```
68
68
  ### Authenticating a user
69
-
70
- def login
71
- @user = User.find_by_email(params[:email])
72
- if @user.password == params[:password]
73
- give_token
74
- else
75
- redirect_to home_url
76
- end
77
- end
78
-
79
- ### If a user forgets their password?
80
-
81
- # assign them a random one and mail it to them, asking them to change it
82
- def forgot_password
83
- @user = User.find_by_email(params[:email])
84
- random_password = Array.new(10).map { (65 + rand(58)).chr }.join
85
- @user.password = random_password
86
- @user.save!
87
- Mailer.create_and_deliver_password_change(@user, random_password)
88
- end
89
-
69
+ ```ruby
70
+ def login
71
+ @user = User.find_by_email(params[:email])
72
+ if @user.password == params[:password]
73
+ give_token
74
+ else
75
+ redirect_to home_url
76
+ end
77
+ end
78
+ ```
90
79
  ## How to use bcrypt-ruby in general
80
+ ```ruby
81
+ require 'bcrypt'
91
82
 
92
- require 'bcrypt'
93
-
94
- my_password = BCrypt::Password.create("my password")
95
- #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
96
-
97
- my_password.version #=> "2a"
98
- my_password.cost #=> 10
99
- my_password == "my password" #=> true
100
- my_password == "not my password" #=> false
83
+ my_password = BCrypt::Password.create("my password")
84
+ #=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
101
85
 
102
- my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
103
- my_password == "my password" #=> true
104
- my_password == "not my password" #=> false
86
+ my_password.version #=> "2a"
87
+ my_password.cost #=> 12
88
+ my_password == "my password" #=> true
89
+ my_password == "not my password" #=> false
105
90
 
91
+ my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
92
+ my_password == "my password" #=> true
93
+ my_password == "not my password" #=> false
94
+ ```
106
95
  Check the rdocs for more details -- BCrypt, BCrypt::Password.
107
96
 
108
97
  ## How `bcrypt()` works
@@ -166,20 +155,20 @@ If an attacker was using Ruby to check each password, they could check ~140,000
166
155
  In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
167
156
  passwords will still work fine, but new passwords can keep up with the times.
168
157
 
169
- The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
158
+ The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
170
159
  stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
171
160
  server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
172
161
 
173
162
  To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
174
-
175
- BCrypt::Password.create('secret').cost
176
- #=> 10, the default provided by bcrypt-ruby
177
-
178
- # set a new default cost
179
- BCrypt::Engine.cost = 8
180
- BCrypt::Password.create('secret').cost
181
- #=> 8
182
-
163
+ ```ruby
164
+ BCrypt::Password.create('secret').cost
165
+ #=> 12, the default provided by bcrypt-ruby
166
+
167
+ # set a new default cost
168
+ BCrypt::Engine.cost = 8
169
+ BCrypt::Password.create('secret').cost
170
+ #=> 8
171
+ ```
183
172
  The default cost can be overridden as needed by passing an options hash with a different cost:
184
173
 
185
174
  BCrypt::Password.create('secret', :cost => 6).cost #=> 6
@@ -191,13 +180,13 @@ system available.
191
180
 
192
181
  For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
193
182
  Usenix99 paper:
194
- http://www.usenix.org/events/usenix99/provos.html
183
+ https://www.usenix.org/events/usenix99/provos.html
195
184
 
196
185
  If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
197
186
  Ferguson and Bruce Schneier:
198
- http://www.schneier.com/book-practical.html
187
+ https://www.schneier.com/book-practical.html
199
188
 
200
189
  # Etc
201
190
 
202
191
  * Author :: Coda Hale <coda.hale@gmail.com>
203
- * Website :: http://blog.codahale.com
192
+ * Website :: https://codahale.com