bcrypt 3.1.16-java → 3.1.17-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6fe6b05f8549bfa33c05719ab8490ca2b41a4c6f368f8d1e0adddf8bfd8c52c
-  data.tar.gz: a43f4dccd21dbbf85c5bed7531fd2a2629589e95921d90ab815da2bf3e3e6165
+  metadata.gz: 982723920ec5f97cff8b34987babf6a5f1ee632e8f942e40cf28246940e067d6
+  data.tar.gz: ab2bb1ace746eb5efa5b2ce1d9b1bcc9fe5445899ae3c78510198a6df19152d0
 SHA512:
-  metadata.gz: 60cde1058ce402d95d446b1679afbd846d3f3c9bbc60e9524deaebfbe80eb6e5634386fb10798ff277f2f9ad3036843af5fbb9ac2ab04b1769f04fa1c722aef3
-  data.tar.gz: 56bf205b61a356e0291f605639b1db5b950baccf3b73406dcf92d6e290701afc8f35b581fe03a73cab5ebf7c37d17f0224105a992c33ddb9d1450428cb75fc96
+  metadata.gz: 79951a4c7612737f25550f701d387d7c7325798eae87d898cccefd83762cf713d9817a19ca29d95b950ed85b32915efbdf7dd93e146a08230135309876a26a27
+  data.tar.gz: d3618098d76210298bb5e05b39f75469cc4f64dfea5e55cc5cebf0372eb8a529b076d771f184e311c564a6d08932b7160fb46355e09188592f7de1608dd65d83

data/.github/workflows/ruby.yml

@@ -0,0 +1,57 @@
+name: Test Suite
+
+# Run against all commits and pull requests.
+on: [ push, pull_request ]
+
+jobs:
+  test_matrix:
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu
+          - macos
+          - windows
+        ruby:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - '3.0'
+          - 3.1
+          - head
+          - jruby
+          - jruby-head
+          - truffleruby
+          - truffleruby-head
+          - mingw
+        exclude:
+          - { os: ubuntu,  ruby: jruby }
+          - { os: ubuntu,  ruby: jruby-head }
+          - { os: ubuntu,  ruby: mingw }
+          - { os: macos,   ruby: mingw }
+          - { os: windows, ruby: truffleruby }
+          - { os: windows, ruby: truffleruby-head }
+
+    runs-on: ${{ matrix.os }}-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec rake default
+
+  finish:
+    runs-on: ubuntu-latest
+    needs: [ test_matrix ]
+    steps:
+      - name: Wait for status checks
+        run: echo "All Green!"

data/.gitignore

@@ -7,3 +7,4 @@ tmp
 *.jar
 .DS_Store
 .rbenv-gemsets
+Gemfile.lock

data/CHANGELOG

@@ -1,3 +1,8 @@
+3.1.17 Mar 14 2022
+- Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
+- Truncate secrets greater than 72 bytes in hash_secret [GH #255]
+- Assorted test and doc improvements
+
 3.1.16 Sep 3 2020
   - Fix compilation on FreeBSD. [GH #234]
 
@@ -16,7 +21,7 @@
 
 3.1.12 May 16 2018
   - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
-  - Fix compatibility with libxcrypt [GH #164 by @besser82]
+  - Fix compatibility with libxcrypt - Fixes hash errors in Fedora 28 and Ubuntu 20 [GH #164 by @besser82]
 
 3.1.11 Mar 06 2016
   - Add support for Ruby 2.2 in compiled Windows binaries

data/README.md

@@ -2,12 +2,11 @@
 
 An easy way to keep your users' passwords secure.
 
-* https://github.com/codahale/bcrypt-ruby/tree/master
+* https://github.com/bcrypt-ruby/bcrypt-ruby/tree/master
 
-[![Travis Build Status](https://travis-ci.org/codahale/bcrypt-ruby.svg?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+[![Github Actions Build Status](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml)
 [![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/6fplerx9lnaf0hyo?svg=true)](https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby)
 
-
 ## Why you should use `bcrypt()`
 
 If you store user passwords in the clear, then an attacker who steals a copy of your database has a giant list of emails
@@ -32,8 +31,8 @@ re-hash those passwords. This vulnerability only affected the JRuby gem.
 The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 2.0 – 2.5 builds on Windows with the DevKit
-* Any 2.0 – 2.5 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller 2.0 – 3.0 builds on Windows with the DevKit
+* Any 2.0 – 3.0 Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 

data/bcrypt.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'bcrypt'
-  s.version = '3.1.16'
+  s.version = '3.1.17'
 
   s.summary = "OpenBSD's bcrypt() password hashing algorithm."
   s.description = <<-EOF
@@ -22,6 +22,6 @@ Gem::Specification.new do |s|
 
   s.authors = ["Coda Hale"]
   s.email = "coda.hale@gmail.com"
-  s.homepage = "https://github.com/codahale/bcrypt-ruby"
+  s.homepage = "https://github.com/bcrypt-ruby/bcrypt-ruby"
   s.license = "MIT"
 end

data/lib/bcrypt/engine.rb

@@ -7,6 +7,14 @@ module BCrypt
     MIN_COST        = 4
     # The maximum cost supported by the algorithm.
     MAX_COST = 31
+    # Maximum possible size of bcrypt() secrets.
+    # Older versions of the bcrypt library would truncate passwords longer
+    # than 72 bytes, but newer ones do not. We truncate like the old library for
+    # forward compatibility. This way users upgrading from Ubuntu 18.04 to 20.04
+    # will not have their user passwords invalidated, for example.
+    # A max secret length greater than 255 leads to bcrypt returning nil.
+    # https://github.com/bcrypt-ruby/bcrypt-ruby/issues/225#issuecomment-875908425
+    MAX_SECRET_BYTESIZE = 72
     # Maximum possible size of bcrypt() salts.
     MAX_SALT_LENGTH = 16
 
@@ -43,14 +51,16 @@ module BCrypt
     end
 
     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) calculates
-    # a bcrypt() password hash.
+    # a bcrypt() password hash. Secrets longer than 72 bytes are truncated.
     def self.hash_secret(secret, salt, _ = nil)
       if valid_secret?(secret)
         if valid_salt?(salt)
           if RUBY_PLATFORM == "java"
             Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s.to_java_bytes, salt.to_s)
           else
-            __bc_crypt(secret.to_s, salt)
+            secret = secret.to_s
+            secret = secret.byteslice(0, MAX_SECRET_BYTESIZE) if secret && secret.bytesize > MAX_SECRET_BYTESIZE
+            __bc_crypt(secret, salt)
           end
         else
           raise Errors::InvalidSalt.new("invalid salt")
@@ -70,8 +80,7 @@ module BCrypt
         if RUBY_PLATFORM == "java"
           Java.bcrypt_jruby.BCrypt.gensalt(cost)
         else
-          prefix = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
-          __bc_salt(prefix, cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
+          __bc_salt("$2a$", cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
         end
       else
         raise Errors::InvalidCost.new("cost must be numeric and > 0")
@@ -80,7 +89,7 @@ module BCrypt
 
     # Returns true if +salt+ is a valid bcrypt() salt, false if not.
     def self.valid_salt?(salt)
-      !!(salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/)
+      !!(salt =~ /\A\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}\z/)
     end
 
     # Returns true if +secret+ is a valid bcrypt() secret, false if not.

data/lib/bcrypt/password.rb

@@ -47,7 +47,7 @@ module BCrypt
       end
 
       def valid_hash?(h)
-        /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/ === h
+        /\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/ === h
       end
     end
 
@@ -62,6 +62,17 @@ module BCrypt
     end
 
     # Compares a potential secret against the hash. Returns true if the secret is the original secret, false otherwise.
+    #
+    # Comparison edge case/gotcha:
+    #
+    #    secret = "my secret"
+    #    @password = BCrypt::Password.create(secret)
+    #
+    #    @password == secret              # => True
+    #    @password == @password           # => False
+    #    @password == @password.to_s      # => False
+    #    @password.to_s == @password      # => True
+    #    @password.to_s == @password.to_s # => True
     def ==(secret)
       super(BCrypt::Engine.hash_secret(secret, @salt))
     end
@@ -83,5 +94,4 @@ module BCrypt
       return v.to_str, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
     end
   end
-
 end

data/spec/bcrypt/engine_spec.rb

@@ -1,4 +1,5 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "spec_helper"))
+require 'securerandom'
 
 describe 'BCrypt::Engine' do
   describe '.calibrate(upper_time_limit_in_ms)' do
@@ -12,8 +13,11 @@ end
 
 describe "The BCrypt engine" do
   specify "should calculate the optimal cost factor to fit in a specific time" do
-    first = BCrypt::Engine.calibrate(100)
-    second = BCrypt::Engine.calibrate(400)
+    start_time = Time.now
+    BCrypt::Password.create("testing testing", :cost => BCrypt::Engine::MIN_COST + 1)
+    min_time_ms = (Time.now - start_time) * 1000
+    first = BCrypt::Engine.calibrate(min_time_ms)
+    second = BCrypt::Engine.calibrate(min_time_ms * 4)
     expect(second).to be > first
   end
 end
@@ -154,4 +158,19 @@ describe "Generating BCrypt hashes" do
       expect(BCrypt::Engine.hash_secret(secret, salt)).to eql(test_vector)
     end
   end
+
+  specify "should truncate long 1-byte character secrets to 72 bytes" do
+    # 'b' as a base triggers the failure at 256 characters, but 'a' does not.
+    too_long_secret = 'b'*(BCrypt::Engine::MAX_SECRET_BYTESIZE + 1)
+    just_right_secret = 'b'*BCrypt::Engine::MAX_SECRET_BYTESIZE
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
+
+  specify "should truncate long multi-byte character secrets to 72 bytes" do
+    # 256 times causes bcrypt to return nil for libxcrypt > 4.4.18-4.
+    too_long_secret = '𐐷'*256
+    # 𐐷 takes 4 bytes in UTF-8. 18 times is 72 bytes
+    just_right_secret = '𐐷'*18
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
 end

data/spec/bcrypt/password_spec.rb

@@ -1,4 +1,5 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "spec_helper"))
+require 'securerandom'
 
 describe "Creating a hashed password" do
 
@@ -26,6 +27,10 @@ describe "Creating a hashed password" do
     expect { BCrypt::Password.create( ""         ) }.not_to raise_error
     expect { BCrypt::Password.create( String.new ) }.not_to raise_error
   end
+
+  specify "should tolerate very long string secrets" do
+    expect { BCrypt::Password.create("abcd"*1024) }.not_to raise_error
+  end
 end
 
 describe "Reading a hashed password" do
@@ -108,6 +113,7 @@ end
 describe "Validating a generated salt" do
   specify "should not accept an invalid salt" do
     expect(BCrypt::Engine.valid_salt?("invalid")).to eq(false)
+    expect(BCrypt::Engine.valid_salt?("invalid\n#{BCrypt::Engine.generate_salt}\ninvalid")).to eq(false)
   end
   specify "should accept a valid salt" do
     expect(BCrypt::Engine.valid_salt?(BCrypt::Engine.generate_salt)).to eq(true)
@@ -117,6 +123,7 @@ end
 describe "Validating a password hash" do
   specify "should not accept an invalid password" do
     expect(BCrypt::Password.valid_hash?("i_am_so_not_valid")).to be(false)
+    expect(BCrypt::Password.valid_hash?("invalid\n#{BCrypt::Password.create "i_am_so_valid"}\ninvalid")).to be(false)
   end
   specify "should accept a valid password" do
     expect(BCrypt::Password.valid_hash?(BCrypt::Password.create "i_am_so_valid")).to be(true)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.16
+  version: 3.1.17
 platform: java
 authors:
 - Coda Hale
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-03 00:00:00.000000000 Z
+date: 2022-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -17,8 +17,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.9.2
   name: rake-compiler
-  type: :development
   prerelease: false
+  type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -31,8 +31,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3'
   name: rspec
-  type: :development
   prerelease: false
+  type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -54,9 +54,9 @@ extra_rdoc_files:
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
 files:
+- ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - CHANGELOG
 - COPYING
 - Gemfile
@@ -86,7 +86,7 @@ files:
 - spec/bcrypt/error_spec.rb
 - spec/bcrypt/password_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/codahale/bcrypt-ruby
+homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
 metadata: {}
@@ -111,7 +111,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.2.29
 signing_key:
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.

data/.travis.yml

@@ -1,22 +0,0 @@
-language: ruby
-before_install:
-  - "echo 'gem: --no-rdoc --no-ri' > ~/.gemrc"
-rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - 2.7
-  - ruby-head
-  - jruby-head
-  - rbx-3
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-    - rvm: rbx-3
-  fast_finish: true
-script: bundle exec rake