bcrypt 3.1.7 → 3.1.20

checksums.yaml

@@ -1,7 +1,7 @@
---- 
-SHA512: 
-  metadata.gz: e9a27bd4544153b3e73771ddc6ee262227c7c666df2001028f0860b335810b3f01862d30c86c24d893fda4690298016c60f76accd467e95c9c9048945802d7b6
-  data.tar.gz: 1798cf7b86267393f52b54b31356aa6c54b9ad524d86b97354322b4ae9a032e472cd98fb4cd209ecf2372a7e55556b42173a0c2d16a7467d7cc4b2ef98343636
-SHA1: 
-  metadata.gz: d58ac651be05f4747ff8d8258d2fe0920e26f375
-  data.tar.gz: 8f7b7aad5c4c3f572dd172fac39fcd0de31012c5
+---
+SHA256:
+  metadata.gz: 07e8668c9a825180f04b43722ef89af1148678a0cc400c948694afe111844cfd
+  data.tar.gz: 143b36a98ce7e5626817e0e84045cb941a949118bb7b818fc75ae6d7728b0f00
+SHA512:
+  metadata.gz: f6a8a4a9c46fbd191fd66bf1010a170db71551ee0cf911ab36e5c8af65a950ac7f6aef956330b9f6de3388b3c43b5d8aaaac933117c51237596a774073fafd7a
+  data.tar.gz: 902c20e6358ccf84e3661bd7fa88df7b42388e8bc5b185d4b2170714e8423605a96f91ec5ef779fe86c4bb5bb45f04fbcf8908854d4c420686e13c2290f08345

data/CHANGELOG

@@ -1,72 +1,120 @@
-1.0.0  Feb 27 2007
- - Initial release.
+3.1.20 Nov 17 2023
+  - Limit packaged files -- decrease gem filesize by ~28% [GH #272 by @pusewicz]
 
-2.0.0  Mar 07 2007
- - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
- - Added BCrypt::Password#is_password?.
- - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
- - Added validation of secrets -- nil is not healthy.
+3.1.19 June 22 2023
+  - Deprecate passing the third argument to `BCrypt::Engine.hash_secret` [GH #207 by @sergey-alekseev]
+  - Add GC guards so the C compiler won't optimize out references [GH #270]
 
-2.0.1  Mar 09 2007
- - Fixed load path issues
- - Fixed crashes when hashing weird values (e.g., false, etc.)
+3.1.18 May 16 2022
+  - Unlock GVL when calculating hashes and salts [GH #260]
+  - Fix compilation warnings in `ext/mri/bcrypt_ext.c` [GH #261]
 
-2.0.2  Jun 06 2007
- - Fixed example code in the README [Winson]
- - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+3.1.17 Mar 14 2022
+- Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
+- Truncate secrets greater than 72 bytes in hash_secret [GH #255]
+- Assorted test and doc improvements
 
-2.0.3  May 07 2008
- - Made exception classes descend from StandardError, not Exception [Dan42]
- - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
-   sorting issues. [Lee Pope]
+3.1.16 Sep 3 2020
+  - Fix compilation on FreeBSD. [GH #234]
 
-2.0.4  Mar 09 2009
-  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
-  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
+3.1.15 July 21 2020
+  - Remove GVL optimization.  Apparently it breaks things [GH #230]
 
-2.0.5  Mar 11 2009
-  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
+3.1.14 July 21 2020
+  - Start calibration from the minimum cost supported by the algorithm [GH #206 by @sergey-alekseev]
 
-2.1.0  Aug 12 2009
-  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
-  - Ruby 1.9 compatibility fixes. [Hongli Lai]
-  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
-  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
+3.1.13 May 31 2019
+  - No longer include compiled binaries for Windows. See GH #173.
+  - Update C and Java implementations to latest versions [GH #182 by @fonica]
+  - Bump default cost to 12 [GH #181 by @bdewater]
+  - Remove explicit support for Rubies 1.8 and 1.9
+  - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12) [GH #189 by @adam12]
 
-2.1.1  Aug 14 2009
-  - JVM 1.4/1.5 compatibility [Hongli Lai]
+3.1.12 May 16 2018
+  - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
+  - Fix compatibility with libxcrypt - Fixes hash errors in Fedora 28 and Ubuntu 20 [GH #164 by @besser82]
 
-2.1.2  Sep 16 2009
-  - Fixed support for Solaris, OpenSolaris.
+3.1.11 Mar 06 2016
+  - Add support for Ruby 2.2 in compiled Windows binaries
 
-3.0.0  Aug 24 2011
-  - Bcrypt C implementation replaced with a public domain implementation.
-  - License changed to MIT
+3.1.10 Jan 28 2015
+  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
 
-3.0.1  Sep 12 2011
-  - create raises an exception if the cost is higher than 31. GH #27
+3.1.9  Oct 23 2014
+  - Rebuild corrupt binaries
+
+3.1.8  Oct 23 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
+
+3.1.7  Feb 24 2014
+  - Rebuild corrupt Java binary version of gem [GH #90]
+  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+
+3.1.6  Feb 21 2014
+  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
+    bugs. It felt wrong to have that at a higher version than the real gem, so
+    the real gem is getting bumped to 3.1.6.
+
+3.1.3  Feb 21 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries
+  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+
+3.1.2  Aug 26 2013
+  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
+  - Add support for 64-bit Windows
+
+3.1.1  Jul 10 2013
+  - Remove support for Ruby 1.8 in compiled win32 binaries
 
 3.1.0  May 07 2013
   - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
   - BCrypt::Password cost should be set to DEFAULT_COST if nil
   - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
 
-3.1.1  Jul 10 2013
-  - Remove support for Ruby 1.8 in compiled win32 binaries
+3.0.1  Sep 12 2011
+  - create raises an exception if the cost is higher than 31. GH #27
 
-3.1.2  Aug 26 2013
-  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
-  - Add support for 64-bit Windows
+3.0.0  Aug 24 2011
+  - Bcrypt C implementation replaced with a public domain implementation.
+  - License changed to MIT
 
-3.1.3  Feb 21 2014
-  - Add support for Ruby 2.1 in compiled Windows binaries
-  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+2.1.2  Sep 16 2009
+  - Fixed support for Solaris, OpenSolaris.
 
-3.1.6  Feb 21 2014
-  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
-    bugs. It felt wrong to have that at a higher version than the real gem, so
-    the real gem is getting bumped to 3.1.6.
+2.1.1  Aug 14 2009
+  - JVM 1.4/1.5 compatibility [Hongli Lai]
 
-3.1.7  Feb 24 2014
-  - Rebuild corrupt Java binary version of gem [GH #90]
-  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+2.1.0  Aug 12 2009
+  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
+  - Ruby 1.9 compatibility fixes. [Hongli Lai]
+  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
+  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
+
+2.0.5  Mar 11 2009
+  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
+
+2.0.4  Mar 09 2009
+  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
+  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
+
+2.0.3  May 07 2008
+ - Made exception classes descend from StandardError, not Exception [Dan42]
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
+   sorting issues. [Lee Pope]
+
+2.0.2  Jun 06 2007
+ - Fixed example code in the README [Winson]
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+
+2.0.1  Mar 09 2007
+ - Fixed load path issues
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
+
+2.0.0  Mar 07 2007
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
+ - Added BCrypt::Password#is_password?.
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
+ - Added validation of secrets -- nil is not healthy.
+
+1.0.0  Feb 27 2007
+ - Initial release.

data/README.md

@@ -2,9 +2,9 @@
 
 An easy way to keep your users' passwords secure.
 
-* http://github.com/codahale/bcrypt-ruby/tree/master
+* https://github.com/bcrypt-ruby/bcrypt-ruby/tree/master
 
-[![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+[![Github Actions Build Status](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml)
 
 ## Why you should use `bcrypt()`
 
@@ -18,7 +18,7 @@ security experts is not a professional response to risk.
 `bcrypt()` allows you to easily harden your application against these kinds of attacks.
 
 *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
-vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
+vulnerability](https://www.mindrot.org/files/jBCrypt/internat.adv) that
 was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
 passwords with international characters in them, you will need to
 re-hash those passwords. This vulnerability only affected the JRuby gem.
@@ -27,82 +27,71 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 
     gem install bcrypt
 
-The bcrypt gem is available on the following ruby platforms:
+The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 1.8, 1.9, and 2.0 builds on win32
-* Any 1.8, 1.9, 2.0, or 2.1 ruby on a BSD/OSX/Linux system with a compiler
+* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
+* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 
 *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
-`has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
+`has_secure_password` [docs](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
 implements a similar authentication strategy to the code below.
 
 ### The _User_ model
-
-    require 'bcrypt'
-
-    class User < ActiveRecord::Base
-      # users.password_hash in the database is a :string
-      include BCrypt
-
-      def password
-        @password ||= Password.new(password_hash)
-      end
-
-      def password=(new_password)
-        @password = Password.create(new_password)
-        self.password_hash = @password
-      end
-    end
-
+```ruby
+require 'bcrypt'
+
+class User < ActiveRecord::Base
+  # users.password_hash in the database is a :string
+  include BCrypt
+
+  def password
+    @password ||= Password.new(password_hash)
+  end
+
+  def password=(new_password)
+    @password = Password.create(new_password)
+    self.password_hash = @password
+  end
+end
+```
 ### Creating an account
-
-    def create
-      @user = User.new(params[:user])
-      @user.password = params[:password]
-      @user.save!
-    end
-
+```ruby
+def create
+  @user = User.new(params[:user])
+  @user.password = params[:password]
+  @user.save!
+end
+```
 ### Authenticating a user
-
-    def login
-      @user = User.find_by_email(params[:email])
-      if @user.password == params[:password]
-        give_token
-      else
-        redirect_to home_url
-      end
-    end
-
-### If a user forgets their password?
-
-    # assign them a random one and mail it to them, asking them to change it
-    def forgot_password
-      @user = User.find_by_email(params[:email])
-      random_password = Array.new(10).map { (65 + rand(58)).chr }.join
-      @user.password = random_password
-      @user.save!
-      Mailer.create_and_deliver_password_change(@user, random_password)
-    end
-
+```ruby
+def login
+  @user = User.find_by_email(params[:email])
+  if @user.password == params[:password]
+    give_token
+  else
+    redirect_to home_url
+  end
+end
+```
 ## How to use bcrypt-ruby in general
+```ruby
+require 'bcrypt'
 
-    require 'bcrypt'
-
-    my_password = BCrypt::Password.create("my password")
-      #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
-
-    my_password.version              #=> "2a"
-    my_password.cost                 #=> 10
-    my_password == "my password"     #=> true
-    my_password == "not my password" #=> false
+my_password = BCrypt::Password.create("my password")
+#=> "$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey"
 
-    my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
-    my_password == "my password"     #=> true
-    my_password == "not my password" #=> false
+my_password.version              #=> "2a"
+my_password.cost                 #=> 12
+my_password == "my password"     #=> true
+my_password == "not my password" #=> false
 
+my_password = BCrypt::Password.new("$2a$12$K0ByB.6YI2/OYrB4fQOYLe6Tv0datUVf6VZ/2Jzwm879BW5K1cHey")
+my_password == "my password"     #=> true
+my_password == "not my password" #=> false
+```
 Check the rdocs for more details -- BCrypt, BCrypt::Password.
 
 ## How `bcrypt()` works
@@ -166,20 +155,20 @@ If an attacker was using Ruby to check each password, they could check ~140,000
 In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
 passwords will still work fine, but new passwords can keep up with the times.
 
-The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
+The default cost factor used by bcrypt-ruby is 12, which is fine for session-based authentication. If you are using a
 stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
 server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
 
 To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
-
-    BCrypt::Password.create('secret').cost
-      #=> 10, the default provided by bcrypt-ruby
-
-    # set a new default cost
-    BCrypt::Engine.cost = 8
-    BCrypt::Password.create('secret').cost
-      #=> 8
-
+```ruby
+BCrypt::Password.create('secret').cost
+  #=> 12, the default provided by bcrypt-ruby
+
+# set a new default cost
+BCrypt::Engine.cost = 8
+BCrypt::Password.create('secret').cost
+  #=> 8
+```
 The default cost can be overridden as needed by passing an options hash with a different cost:
 
     BCrypt::Password.create('secret', :cost => 6).cost  #=> 6
@@ -191,13 +180,13 @@ system available.
 
 For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
 Usenix99 paper:
-http://www.usenix.org/events/usenix99/provos.html
+https://www.usenix.org/events/usenix99/provos.html
 
 If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
 Ferguson and Bruce Schneier:
-http://www.schneier.com/book-practical.html
+https://www.schneier.com/book-practical.html
 
 # Etc
 
 * Author  :: Coda Hale <coda.hale@gmail.com>
-* Website :: http://blog.codahale.com
+* Website :: https://codahale.com