bcrypt4 4.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5871335afc77bc0f3fdce7abeb73ade14a8e22bb
+  data.tar.gz: 0b65214f452642a96c0445c7cf14b488e09bea51
+SHA512:
+  metadata.gz: 8ef66298da8777c5f3e6c7c509d7bf0a923911eaeefe796fd2a620a99186a412b3c44e5da0561f30bc15ebac414fa41cc2849dff78788d4e077e9c312af0c3ca
+  data.tar.gz: 3e7a0dd8e904e85f2b07f5cb91871fe8530168a5f85339d8bde538d54243907164e29231c0f354215b080b5815aa316bcc1a2ebf1bed6c5658d2d8fe134c5bc0

data/.gitignore

@@ -0,0 +1,10 @@
+doc
+pkg
+tmp
+*.o
+*.bundle
+*.so
+*.jar
+.DS_Store
+.rbenv-gemsets
+*.gem

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--backtrace
+--format documentation

data/.travis.yml

@@ -0,0 +1,16 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0
+  - ruby-head
+  - jruby-18mode
+  - jruby-19mode
+  - jruby-head
+  - rbx-2
+  - ree
+script: bundle exec rake

data/CHANGELOG

@@ -0,0 +1,87 @@
+1.0.0  Feb 27 2007
+ - Initial release.
+
+2.0.0  Mar 07 2007
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
+ - Added BCrypt::Password#is_password?.
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
+ - Added validation of secrets -- nil is not healthy.
+
+2.0.1  Mar 09 2007
+ - Fixed load path issues
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
+
+2.0.2  Jun 06 2007
+ - Fixed example code in the README [Winson]
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
+
+2.0.3  May 07 2008
+ - Made exception classes descend from StandardError, not Exception [Dan42]
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
+   sorting issues. [Lee Pope]
+
+2.0.4  Mar 09 2009
+  - Added Ruby 1.9 compatibility. [Genki Takiuchi]
+  - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
+
+2.0.5  Mar 11 2009
+  - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
+
+2.1.0  Aug 12 2009
+  - Improved code coverage, unit tests, and build chain. [Hongli Lai]
+  - Ruby 1.9 compatibility fixes. [Hongli Lai]
+  - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
+  - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
+
+2.1.1  Aug 14 2009
+  - JVM 1.4/1.5 compatibility [Hongli Lai]
+
+2.1.2  Sep 16 2009
+  - Fixed support for Solaris, OpenSolaris.
+
+3.0.0  Aug 24 2011
+  - Bcrypt C implementation replaced with a public domain implementation.
+  - License changed to MIT
+
+3.0.1  Sep 12 2011
+  - create raises an exception if the cost is higher than 31. GH #27
+
+3.1.0  May 07 2013
+  - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
+  - BCrypt::Password cost should be set to DEFAULT_COST if nil
+  - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
+
+3.1.1  Jul 10 2013
+  - Remove support for Ruby 1.8 in compiled win32 binaries
+
+3.1.2  Aug 26 2013
+  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
+  - Add support for 64-bit Windows
+
+3.1.3  Feb 21 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries
+  - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
+
+3.1.6  Feb 21 2014
+  - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
+    bugs. It felt wrong to have that at a higher version than the real gem, so
+    the real gem is getting bumped to 3.1.6.
+
+3.1.7  Feb 24 2014
+  - Rebuild corrupt Java binary version of gem [GH #90]
+  - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
+
+3.1.8  Oct 23 2014
+  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
+
+3.1.9  Oct 23 2014
+  - Rebuild corrupt binaries
+
+3.1.10 Jan 28 2015
+  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
+
+3.1.11 Mar 06 2016
+  - Add support for Ruby 2.2 in compiled Windows binaries
+
+4.0.0 Jul 14 2017
+  - Fork of project to update blowfish 1.1 to 1.3

data/COPYING

@@ -0,0 +1,28 @@
+(The MIT License)
+
+Copyright 2007-2011:
+
+* Coda Hale <coda.hale@gmail.com>
+
+C implementation of the BCrypt algorithm by Solar Designer and placed in the
+public domain.
+jBCrypt is Copyright (c) 2006 Damien Miller <djm@mindrot.org>.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,44 @@
+PATH
+  remote: .
+  specs:
+    bcrypt4 (4.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    json (1.8.3)
+    json (1.8.3-java)
+    rake (10.4.2)
+    rake-compiler (0.9.5)
+      rake
+    rdoc (3.12.2)
+      json (~> 1.4)
+    rspec (3.3.0)
+      rspec-core (~> 3.3.0)
+      rspec-expectations (~> 3.3.0)
+      rspec-mocks (~> 3.3.0)
+    rspec-core (3.3.2)
+      rspec-support (~> 3.3.0)
+    rspec-expectations (3.3.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.3.0)
+    rspec-mocks (3.3.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.3.0)
+    rspec-support (3.3.0)
+
+PLATFORMS
+  java
+  ruby
+  x64-mingw32
+  x86-mingw32
+
+DEPENDENCIES
+  bcrypt4!
+  rake-compiler (~> 0.9.2)
+  rdoc (~> 3.12)
+  rspec (>= 3)
+
+BUNDLED WITH
+   1.11.2

data/README.md

@@ -0,0 +1,192 @@
+# bcrypt-ruby
+
+An easy way to keep your users' passwords secure.
+
+* http://github.com/codahale/bcrypt-ruby/tree/master
+
+[![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+
+## Why you should use `bcrypt()`
+
+If you store user passwords in the clear, then an attacker who steals a copy of your database has a giant list of emails
+and passwords. Some of your users will only have one password -- for their email account, for their banking account, for
+your application. A simple hack could escalate into massive identity theft.
+
+It's your responsibility as a web developer to make your web application secure -- blaming your users for not being
+security experts is not a professional response to risk.
+
+`bcrypt()` allows you to easily harden your application against these kinds of attacks.
+
+*Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
+vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
+was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
+passwords with international characters in them, you will need to
+re-hash those passwords. This vulnerability only affected the JRuby gem.
+
+## How to install bcrypt
+
+    gem install bcrypt4
+
+The bcrypt gem is available on the following ruby platforms:
+
+* JRuby
+* RubyInstaller 1.8, 1.9, 2.0, 2.1, and 2.2 builds on win32
+* Any 1.8, 1.9, 2.0, 2.1, 2.2, or 2.3 Ruby on a BSD/OS X/Linux system with a compiler
+
+## How to use `bcrypt()` in your Rails application
+
+*Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
+`has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
+implements a similar authentication strategy to the code below.
+
+### The _User_ model
+
+    require 'bcrypt'
+
+    class User < ActiveRecord::Base
+      # users.password_hash in the database is a :string
+      include BCrypt
+
+      def password
+        @password ||= Password.new(password_hash)
+      end
+
+      def password=(new_password)
+        @password = Password.create(new_password)
+        self.password_hash = @password
+      end
+    end
+
+### Creating an account
+
+    def create
+      @user = User.new(params[:user])
+      @user.password = params[:password]
+      @user.save!
+    end
+
+### Authenticating a user
+
+    def login
+      @user = User.find_by_email(params[:email])
+      if @user.password == params[:password]
+        give_token
+      else
+        redirect_to home_url
+      end
+    end
+
+## How to use bcrypt-ruby in general
+
+    require 'bcrypt'
+
+    my_password = BCrypt::Password.create("my password")
+      #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
+
+    my_password.version              #=> "2a"
+    my_password.cost                 #=> 10
+    my_password == "my password"     #=> true
+    my_password == "not my password" #=> false
+
+    my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
+    my_password == "my password"     #=> true
+    my_password == "not my password" #=> false
+
+Check the rdocs for more details -- BCrypt, BCrypt::Password.
+
+## How `bcrypt()` works
+
+`bcrypt()` is a hashing algorithm designed by Niels Provos and David Mazières of the OpenBSD Project.
+
+### Background
+
+Hash algorithms take a chunk of data (e.g., your user's password) and create a "digital fingerprint," or hash, of it.
+Because this process is not reversible, there's no way to go from the hash back to the password.
+
+In other words:
+
+    hash(p) #=> <unique gibberish>
+
+You can store the hash and check it against a hash made of a potentially valid password:
+
+    <unique gibberish> =? hash(just_entered_password)
+
+### Rainbow Tables
+
+But even this has weaknesses -- attackers can just run lists of possible passwords through the same algorithm, store the
+results in a big database, and then look up the passwords by their hash:
+
+    PrecomputedPassword.find_by_hash(<unique gibberish>).password #=> "secret1"
+
+### Salts
+
+The solution to this is to add a small chunk of random data -- called a salt -- to the password before it's hashed:
+
+    hash(salt + p) #=> <really unique gibberish>
+
+The salt is then stored along with the hash in the database, and used to check potentially valid passwords:
+
+    <really unique gibberish> =? hash(salt + just_entered_password)
+
+bcrypt-ruby automatically handles the storage and generation of these salts for you.
+
+Adding a salt means that an attacker has to have a gigantic database for each unique salt -- for a salt made of 4
+letters, that's 456,976 different databases. Pretty much no one has that much storage space, so attackers try a
+different, slower method -- throw a list of potential passwords at each individual password:
+
+    hash(salt + "aadvark") =? <really unique gibberish>
+    hash(salt + "abacus")  =? <really unique gibberish>
+    etc.
+
+This is much slower than the big database approach, but most hash algorithms are pretty quick -- and therein lies the
+problem. Hash algorithms aren't usually designed to be slow, they're designed to turn gigabytes of data into secure
+fingerprints as quickly as possible. `bcrypt()`, though, is designed to be computationally expensive:
+
+    Ten thousand iterations:
+                 user     system      total        real
+    md5      0.070000   0.000000   0.070000 (  0.070415)
+    bcrypt  22.230000   0.080000  22.310000 ( 22.493822)
+
+If an attacker was using Ruby to check each password, they could check ~140,000 passwords a second with MD5 but only
+~450 passwords a second with `bcrypt()`.
+
+### Cost Factors
+
+In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
+passwords will still work fine, but new passwords can keep up with the times.
+
+The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
+stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
+server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
+
+To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
+
+    BCrypt::Password.create('secret').cost
+      #=> 10, the default provided by bcrypt-ruby
+
+    # set a new default cost
+    BCrypt::Engine.cost = 8
+    BCrypt::Password.create('secret').cost
+      #=> 8
+
+The default cost can be overridden as needed by passing an options hash with a different cost:
+
+    BCrypt::Password.create('secret', :cost => 6).cost  #=> 6
+
+## More Information
+
+`bcrypt()` is currently used as the default password storage hash in OpenBSD, widely regarded as the most secure operating
+system available.
+
+For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
+Usenix99 paper:
+http://www.usenix.org/events/usenix99/provos.html
+
+If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
+Ferguson and Bruce Schneier:
+http://www.schneier.com/book-practical.html
+
+# Etc
+
+* Author  :: Coda Hale <coda.hale@gmail.com>
+* Website :: http://blog.codahale.com

data/Rakefile

@@ -0,0 +1,93 @@
+require 'rspec/core/rake_task'
+require 'rubygems/package_task'
+require 'rake/extensiontask'
+require 'rake/javaextensiontask'
+require 'rake/clean'
+require 'rdoc/task'
+require 'benchmark'
+
+CLEAN.include(
+  "tmp",
+  "lib/1.8",
+  "lib/1.9",
+  "lib/2.0",
+  "lib/2.1",
+  "lib/bcrypt_ext.jar",
+  "lib/bcrypt_ext.so"
+)
+CLOBBER.include(
+  "doc",
+  "pkg"
+)
+
+GEMSPEC = Gem::Specification.load("bcrypt.gemspec")
+
+task :default => [:compile, :spec]
+
+desc "Run all specs"
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = 'spec/**/*_spec.rb'
+  t.ruby_opts = '-w'
+end
+
+desc "Run all specs, with coverage testing"
+RSpec::Core::RakeTask.new(:rcov) do |t|
+  t.pattern = 'spec/**/*_spec.rb'
+  t.rcov = true
+  t.rcov_path = 'doc/coverage'
+  t.rcov_opts = ['--exclude', 'rspec,diff-lcs,rcov,_spec,_helper']
+end
+
+desc 'Generate RDoc'
+RDoc::Task.new do |rdoc|
+  rdoc.rdoc_dir = 'doc/rdoc'
+  rdoc.options += GEMSPEC.rdoc_options
+  rdoc.template = ENV['TEMPLATE'] if ENV['TEMPLATE']
+  rdoc.rdoc_files.include(*GEMSPEC.extra_rdoc_files)
+end
+
+Gem::PackageTask.new(GEMSPEC) do |pkg|
+  pkg.need_zip = true
+  pkg.need_tar = true
+end
+
+if RUBY_PLATFORM =~ /java/
+  Rake::JavaExtensionTask.new('bcrypt_ext', GEMSPEC) do |ext|
+    ext.ext_dir = 'ext/jruby'
+  end
+else
+  Rake::ExtensionTask.new("bcrypt_ext", GEMSPEC) do |ext|
+    ext.ext_dir = 'ext/mri'
+    ext.cross_compile = true
+    ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
+  end
+
+  ENV['RUBY_CC_VERSION'].to_s.split(':').each do |ruby_version|
+    platforms = {
+      "x86-mingw32" => "i686-w64-mingw32",
+      "x64-mingw32" => "x86_64-w64-mingw32"
+    }
+    platforms.each do |platform, prefix|
+      task "copy:bcrypt_ext:#{platform}:#{ruby_version}" do |t|
+        %w[lib tmp/#{platform}/stage/lib].each do |dir|
+          so_file = "#{dir}/#{ruby_version[/^\d+\.\d+/]}/bcrypt_ext.so"
+          if File.exists?(so_file)
+            sh "#{prefix}-strip -S #{so_file}"
+          end
+        end
+      end
+    end
+  end
+end
+
+desc "Run a set of benchmarks on the compiled extension."
+task :benchmark do
+  TESTS = 100
+  TEST_PWD = "this is a test"
+  require File.expand_path(File.join(File.dirname(__FILE__), "lib", "bcrypt"))
+  Benchmark.bmbm do |results|
+    4.upto(10) do |n|
+      results.report("cost #{n}:") { TESTS.times { BCrypt::Password.create(TEST_PWD, :cost => n) } }
+    end
+  end
+end

data/bcrypt4.gemspec

@@ -0,0 +1,29 @@
+Gem::Specification.new do |s|
+  s.name = 'bcrypt4'
+  s.version = '4.0.0'
+
+  s.summary = "OpenBSD's bcrypt() password hashing algorithm."
+  s.description = <<-EOF
+    bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
+    for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
+    passwords.
+  EOF
+
+  s.files = `git ls-files`.split("\n")
+  s.require_path = 'lib'
+
+  s.add_development_dependency 'rake-compiler', '~> 0.9.2'
+  s.add_development_dependency 'rspec', '>= 3'
+  s.add_development_dependency 'rdoc', '~> 3.12'
+
+  s.has_rdoc = true
+  s.rdoc_options += ['--title', 'bcrypt-ruby', '--line-numbers', '--inline-source', '--main', 'README.md']
+  s.extra_rdoc_files += ['README.md', 'COPYING', 'CHANGELOG', *Dir['lib/**/*.rb']]
+
+  s.extensions = 'ext/mri/extconf.rb'
+
+  s.authors = ["Coda Hale"]
+  s.email = "coda.hale@gmail.com"
+  s.homepage = "https://github.com/dissolve/bcrypt-ruby"
+  s.license = "MIT"
+end