lookout-bcrypt 3.2.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: e3b25462b9ef97c8535d6762337ebb8d56899b47
4
+ data.tar.gz: e11dc66e0d18924890f1ca97c1daaf3e78f95a99
5
+ SHA512:
6
+ metadata.gz: d1a1c044564b525f21ac6addedfc0b8ed733dd4b551c95bb157465a8307a9de676844f703a1325f8466601b1a5bb2191610d7a33db49b13585bc30d4d9353cf8
7
+ data.tar.gz: 076010b3ef39b9a8ebf063833d8f0bb355a575713f19e5688e4d333e6368f9b39bbb21cb6da49ab16777275b8e1d13b32cac7ddfc3ff80f0eaae443584de5c1d
data/.gitignore ADDED
@@ -0,0 +1,9 @@
1
+ doc
2
+ pkg
3
+ tmp
4
+ *.o
5
+ *.bundle
6
+ *.so
7
+ *.jar
8
+ .DS_Store
9
+ .rbenv-gemsets
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --color
2
+ --backtrace
3
+ --format documentation
data/.travis.yml ADDED
@@ -0,0 +1,14 @@
1
+ language: ruby
2
+ rvm:
3
+ - 1.8.7
4
+ - 1.9.2
5
+ - 1.9.3
6
+ - 2.0.0
7
+ - 2.1.0
8
+ - ruby-head
9
+ - jruby-18mode
10
+ - jruby-19mode
11
+ - jruby-head
12
+ - rbx-2
13
+ - ree
14
+ script: bundle exec rake
data/CHANGELOG ADDED
@@ -0,0 +1,81 @@
1
+ 1.0.0 Feb 27 2007
2
+ - Initial release.
3
+
4
+ 2.0.0 Mar 07 2007
5
+ - Removed BCrypt::Password#exactly_equals -- use BCrypt::Password#eql? instead.
6
+ - Added BCrypt::Password#is_password?.
7
+ - Refactored out BCrypt::Internals into more useful BCrypt::Engine.
8
+ - Added validation of secrets -- nil is not healthy.
9
+
10
+ 2.0.1 Mar 09 2007
11
+ - Fixed load path issues
12
+ - Fixed crashes when hashing weird values (e.g., false, etc.)
13
+
14
+ 2.0.2 Jun 06 2007
15
+ - Fixed example code in the README [Winson]
16
+ - Fixed Solaris compatibility [Jeremy LaTrasse, Twitter crew]
17
+
18
+ 2.0.3 May 07 2008
19
+ - Made exception classes descend from StandardError, not Exception [Dan42]
20
+ - Changed BCrypt::Engine.hash to BCrypt::Engine.hash_secret to avoid Merb
21
+ sorting issues. [Lee Pope]
22
+
23
+ 2.0.4 Mar 09 2009
24
+ - Added Ruby 1.9 compatibility. [Genki Takiuchi]
25
+ - Fixed segfaults on some different types of empty strings. [Mike Pomraning]
26
+
27
+ 2.0.5 Mar 11 2009
28
+ - Fixed Ruby 1.8.5 compatibility. [Mike Pomraning]
29
+
30
+ 2.1.0 Aug 12 2009
31
+ - Improved code coverage, unit tests, and build chain. [Hongli Lai]
32
+ - Ruby 1.9 compatibility fixes. [Hongli Lai]
33
+ - JRuby support, using Damien Miller's jBCrypt. [Hongli Lai]
34
+ - Ruby 1.9 GIL releasing for high-cost hashes. [Hongli Lai]
35
+
36
+ 2.1.1 Aug 14 2009
37
+ - JVM 1.4/1.5 compatibility [Hongli Lai]
38
+
39
+ 2.1.2 Sep 16 2009
40
+ - Fixed support for Solaris, OpenSolaris.
41
+
42
+ 3.0.0 Aug 24 2011
43
+ - Bcrypt C implementation replaced with a public domain implementation.
44
+ - License changed to MIT
45
+
46
+ 3.0.1 Sep 12 2011
47
+ - create raises an exception if the cost is higher than 31. GH #27
48
+
49
+ 3.1.0 May 07 2013
50
+ - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid bcrypt password hash
51
+ - BCrypt::Password cost should be set to DEFAULT_COST if nil
52
+ - Add BCrypt::Engine.cost attribute for getting/setting a default cost externally
53
+
54
+ 3.1.1 Jul 10 2013
55
+ - Remove support for Ruby 1.8 in compiled win32 binaries
56
+
57
+ 3.1.2 Aug 26 2013
58
+ - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows binaries
59
+ - Add support for 64-bit Windows
60
+
61
+ 3.1.3 Feb 21 2014
62
+ - Add support for Ruby 2.1 in compiled Windows binaries
63
+ - Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
64
+
65
+ 3.1.6 Feb 21 2014
66
+ - Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
67
+ bugs. It felt wrong to have that at a higher version than the real gem, so
68
+ the real gem is getting bumped to 3.1.6.
69
+
70
+ 3.1.7 Feb 24 2014
71
+ - Rebuild corrupt Java binary version of gem [GH #90]
72
+ - The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
73
+
74
+ 3.1.8 Oct 23 2014
75
+ - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]
76
+
77
+ 3.1.9 Oct 23 2014
78
+ - Rebuild corrupt binaries
79
+
80
+ 3.2.0 Jan 23, 2014
81
+ - Lookout fork: fix jBCrypt handling of binary strings
data/COPYING ADDED
@@ -0,0 +1,28 @@
1
+ (The MIT License)
2
+
3
+ Copyright 2007-2011:
4
+
5
+ * Coda Hale <coda.hale@gmail.com>
6
+
7
+ C implementation of the BCrypt algorithm by Solar Designer and placed in the
8
+ public domain.
9
+ jBCrypt is Copyright (c) 2006 Damien Miller <djm@mindrot.org>.
10
+
11
+ Permission is hereby granted, free of charge, to any person obtaining
12
+ a copy of this software and associated documentation files (the
13
+ 'Software'), to deal in the Software without restriction, including
14
+ without limitation the rights to use, copy, modify, merge, publish,
15
+ distribute, sublicense, and/or sell copies of the Software, and to
16
+ permit persons to whom the Software is furnished to do so, subject to
17
+ the following conditions:
18
+
19
+ The above copyright notice and this permission notice shall be
20
+ included in all copies or substantial portions of the Software.
21
+
22
+ THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
23
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
25
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
26
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
27
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
28
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/Gemfile ADDED
@@ -0,0 +1,2 @@
1
+ source 'https://rubygems.org'
2
+ gemspec
data/Gemfile.lock ADDED
@@ -0,0 +1,40 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ lookout-bcrypt (3.2.0)
5
+
6
+ GEM
7
+ remote: https://rubygems.org/
8
+ specs:
9
+ diff-lcs (1.2.5)
10
+ json (1.8.1)
11
+ json (1.8.1-java)
12
+ rake (10.1.0)
13
+ rake-compiler (0.9.2)
14
+ rake
15
+ rdoc (3.12.2)
16
+ json (~> 1.4)
17
+ rspec (3.0.0)
18
+ rspec-core (~> 3.0.0)
19
+ rspec-expectations (~> 3.0.0)
20
+ rspec-mocks (~> 3.0.0)
21
+ rspec-core (3.0.2)
22
+ rspec-support (~> 3.0.0)
23
+ rspec-expectations (3.0.2)
24
+ diff-lcs (>= 1.2.0, < 2.0)
25
+ rspec-support (~> 3.0.0)
26
+ rspec-mocks (3.0.2)
27
+ rspec-support (~> 3.0.0)
28
+ rspec-support (3.0.2)
29
+
30
+ PLATFORMS
31
+ java
32
+ ruby
33
+ x64-mingw32
34
+ x86-mingw32
35
+
36
+ DEPENDENCIES
37
+ lookout-bcrypt!
38
+ rake-compiler (~> 0.9.2)
39
+ rdoc (~> 3.12)
40
+ rspec (>= 3)
data/README.md ADDED
@@ -0,0 +1,203 @@
1
+ # bcrypt-ruby
2
+
3
+ An easy way to keep your users' passwords secure.
4
+
5
+ * http://github.com/codahale/bcrypt-ruby/tree/master
6
+
7
+ [![Build Status](https://travis-ci.org/codahale/bcrypt-ruby.png?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
8
+
9
+ ## Why you should use `bcrypt()`
10
+
11
+ If you store user passwords in the clear, then an attacker who steals a copy of your database has a giant list of emails
12
+ and passwords. Some of your users will only have one password -- for their email account, for their banking account, for
13
+ your application. A simple hack could escalate into massive identity theft.
14
+
15
+ It's your responsibility as a web developer to make your web application secure -- blaming your users for not being
16
+ security experts is not a professional response to risk.
17
+
18
+ `bcrypt()` allows you to easily harden your application against these kinds of attacks.
19
+
20
+ *Note*: JRuby versions of the bcrypt gem `<= 2.1.3` had a [security
21
+ vulnerability](http://www.mindrot.org/files/jBCrypt/internat.adv) that
22
+ was fixed in `>= 2.1.4`. If you used a vulnerable version to hash
23
+ passwords with international characters in them, you will need to
24
+ re-hash those passwords. This vulnerability only affected the JRuby gem.
25
+
26
+ ## How to install bcrypt
27
+
28
+ gem install bcrypt
29
+
30
+ The bcrypt gem is available on the following ruby platforms:
31
+
32
+ * JRuby
33
+ * RubyInstaller 1.8, 1.9, 2.0, and 2.1 builds on win32
34
+ * Any 1.8, 1.9, 2.0, or 2.1 ruby on a BSD/OSX/Linux system with a compiler
35
+
36
+ ## How to use `bcrypt()` in your Rails application
37
+
38
+ *Note*: Rails versions >= 3 ship with `ActiveModel::SecurePassword` which uses bcrypt-ruby.
39
+ `has_secure_password` [docs](http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
40
+ implements a similar authentication strategy to the code below.
41
+
42
+ ### The _User_ model
43
+
44
+ require 'bcrypt'
45
+
46
+ class User < ActiveRecord::Base
47
+ # users.password_hash in the database is a :string
48
+ include BCrypt
49
+
50
+ def password
51
+ @password ||= Password.new(password_hash)
52
+ end
53
+
54
+ def password=(new_password)
55
+ @password = Password.create(new_password)
56
+ self.password_hash = @password
57
+ end
58
+ end
59
+
60
+ ### Creating an account
61
+
62
+ def create
63
+ @user = User.new(params[:user])
64
+ @user.password = params[:password]
65
+ @user.save!
66
+ end
67
+
68
+ ### Authenticating a user
69
+
70
+ def login
71
+ @user = User.find_by_email(params[:email])
72
+ if @user.password == params[:password]
73
+ give_token
74
+ else
75
+ redirect_to home_url
76
+ end
77
+ end
78
+
79
+ ### If a user forgets their password?
80
+
81
+ # assign them a random one and mail it to them, asking them to change it
82
+ def forgot_password
83
+ @user = User.find_by_email(params[:email])
84
+ random_password = Array.new(10).map { (65 + rand(58)).chr }.join
85
+ @user.password = random_password
86
+ @user.save!
87
+ Mailer.create_and_deliver_password_change(@user, random_password)
88
+ end
89
+
90
+ ## How to use bcrypt-ruby in general
91
+
92
+ require 'bcrypt'
93
+
94
+ my_password = BCrypt::Password.create("my password")
95
+ #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
96
+
97
+ my_password.version #=> "2a"
98
+ my_password.cost #=> 10
99
+ my_password == "my password" #=> true
100
+ my_password == "not my password" #=> false
101
+
102
+ my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
103
+ my_password == "my password" #=> true
104
+ my_password == "not my password" #=> false
105
+
106
+ Check the rdocs for more details -- BCrypt, BCrypt::Password.
107
+
108
+ ## How `bcrypt()` works
109
+
110
+ `bcrypt()` is a hashing algorithm designed by Niels Provos and David Mazières of the OpenBSD Project.
111
+
112
+ ### Background
113
+
114
+ Hash algorithms take a chunk of data (e.g., your user's password) and create a "digital fingerprint," or hash, of it.
115
+ Because this process is not reversible, there's no way to go from the hash back to the password.
116
+
117
+ In other words:
118
+
119
+ hash(p) #=> <unique gibberish>
120
+
121
+ You can store the hash and check it against a hash made of a potentially valid password:
122
+
123
+ <unique gibberish> =? hash(just_entered_password)
124
+
125
+ ### Rainbow Tables
126
+
127
+ But even this has weaknesses -- attackers can just run lists of possible passwords through the same algorithm, store the
128
+ results in a big database, and then look up the passwords by their hash:
129
+
130
+ PrecomputedPassword.find_by_hash(<unique gibberish>).password #=> "secret1"
131
+
132
+ ### Salts
133
+
134
+ The solution to this is to add a small chunk of random data -- called a salt -- to the password before it's hashed:
135
+
136
+ hash(salt + p) #=> <really unique gibberish>
137
+
138
+ The salt is then stored along with the hash in the database, and used to check potentially valid passwords:
139
+
140
+ <really unique gibberish> =? hash(salt + just_entered_password)
141
+
142
+ bcrypt-ruby automatically handles the storage and generation of these salts for you.
143
+
144
+ Adding a salt means that an attacker has to have a gigantic database for each unique salt -- for a salt made of 4
145
+ letters, that's 456,976 different databases. Pretty much no one has that much storage space, so attackers try a
146
+ different, slower method -- throw a list of potential passwords at each individual password:
147
+
148
+ hash(salt + "aadvark") =? <really unique gibberish>
149
+ hash(salt + "abacus") =? <really unique gibberish>
150
+ etc.
151
+
152
+ This is much slower than the big database approach, but most hash algorithms are pretty quick -- and therein lies the
153
+ problem. Hash algorithms aren't usually designed to be slow, they're designed to turn gigabytes of data into secure
154
+ fingerprints as quickly as possible. `bcrypt()`, though, is designed to be computationally expensive:
155
+
156
+ Ten thousand iterations:
157
+ user system total real
158
+ md5 0.070000 0.000000 0.070000 ( 0.070415)
159
+ bcrypt 22.230000 0.080000 22.310000 ( 22.493822)
160
+
161
+ If an attacker was using Ruby to check each password, they could check ~140,000 passwords a second with MD5 but only
162
+ ~450 passwords a second with `bcrypt()`.
163
+
164
+ ### Cost Factors
165
+
166
+ In addition, `bcrypt()` allows you to increase the amount of work required to hash a password as computers get faster. Old
167
+ passwords will still work fine, but new passwords can keep up with the times.
168
+
169
+ The default cost factor used by bcrypt-ruby is 10, which is fine for session-based authentication. If you are using a
170
+ stateless authentication architecture (e.g., HTTP Basic Auth), you will want to lower the cost factor to reduce your
171
+ server load and keep your request times down. This will lower the security provided you, but there are few alternatives.
172
+
173
+ To change the default cost factor used by bcrypt-ruby, use `BCrypt::Engine.cost = new_value`:
174
+
175
+ BCrypt::Password.create('secret').cost
176
+ #=> 10, the default provided by bcrypt-ruby
177
+
178
+ # set a new default cost
179
+ BCrypt::Engine.cost = 8
180
+ BCrypt::Password.create('secret').cost
181
+ #=> 8
182
+
183
+ The default cost can be overridden as needed by passing an options hash with a different cost:
184
+
185
+ BCrypt::Password.create('secret', :cost => 6).cost #=> 6
186
+
187
+ ## More Information
188
+
189
+ `bcrypt()` is currently used as the default password storage hash in OpenBSD, widely regarded as the most secure operating
190
+ system available.
191
+
192
+ For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières'
193
+ Usenix99 paper:
194
+ http://www.usenix.org/events/usenix99/provos.html
195
+
196
+ If you'd like more down-to-earth advice regarding cryptography, I suggest reading <i>Practical Cryptography</i> by Niels
197
+ Ferguson and Bruce Schneier:
198
+ http://www.schneier.com/book-practical.html
199
+
200
+ # Etc
201
+
202
+ * Author :: Coda Hale <coda.hale@gmail.com>
203
+ * Website :: http://blog.codahale.com
data/Rakefile ADDED
@@ -0,0 +1,93 @@
1
+ require 'rspec/core/rake_task'
2
+ require 'rubygems/package_task'
3
+ require 'rake/extensiontask'
4
+ require 'rake/javaextensiontask'
5
+ require 'rake/clean'
6
+ require 'rdoc/task'
7
+ require 'benchmark'
8
+
9
+ CLEAN.include(
10
+ "tmp",
11
+ "lib/1.8",
12
+ "lib/1.9",
13
+ "lib/2.0",
14
+ "lib/2.1",
15
+ "lib/bcrypt_ext.jar",
16
+ "lib/bcrypt_ext.so"
17
+ )
18
+ CLOBBER.include(
19
+ "doc",
20
+ "pkg"
21
+ )
22
+
23
+ GEMSPEC = Gem::Specification.load("bcrypt.gemspec")
24
+
25
+ task :default => [:compile, :spec]
26
+
27
+ desc "Run all specs"
28
+ RSpec::Core::RakeTask.new do |t|
29
+ t.pattern = 'spec/**/*_spec.rb'
30
+ t.ruby_opts = '-w'
31
+ end
32
+
33
+ desc "Run all specs, with coverage testing"
34
+ RSpec::Core::RakeTask.new(:rcov) do |t|
35
+ t.pattern = 'spec/**/*_spec.rb'
36
+ t.rcov = true
37
+ t.rcov_path = 'doc/coverage'
38
+ t.rcov_opts = ['--exclude', 'rspec,diff-lcs,rcov,_spec,_helper']
39
+ end
40
+
41
+ desc 'Generate RDoc'
42
+ RDoc::Task.new do |rdoc|
43
+ rdoc.rdoc_dir = 'doc/rdoc'
44
+ rdoc.options += GEMSPEC.rdoc_options
45
+ rdoc.template = ENV['TEMPLATE'] if ENV['TEMPLATE']
46
+ rdoc.rdoc_files.include(*GEMSPEC.extra_rdoc_files)
47
+ end
48
+
49
+ Gem::PackageTask.new(GEMSPEC) do |pkg|
50
+ pkg.need_zip = true
51
+ pkg.need_tar = true
52
+ end
53
+
54
+ if RUBY_PLATFORM =~ /java/
55
+ Rake::JavaExtensionTask.new('bcrypt_ext', GEMSPEC) do |ext|
56
+ ext.ext_dir = 'ext/jruby'
57
+ end
58
+ else
59
+ Rake::ExtensionTask.new("bcrypt_ext", GEMSPEC) do |ext|
60
+ ext.ext_dir = 'ext/mri'
61
+ ext.cross_compile = true
62
+ ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
63
+ end
64
+
65
+ ENV['RUBY_CC_VERSION'].to_s.split(':').each do |ruby_version|
66
+ platforms = {
67
+ "x86-mingw32" => "i686-w64-mingw32",
68
+ "x64-mingw32" => "x86_64-w64-mingw32"
69
+ }
70
+ platforms.each do |platform, prefix|
71
+ task "copy:bcrypt_ext:#{platform}:#{ruby_version}" do |t|
72
+ %w[lib tmp/#{platform}/stage/lib].each do |dir|
73
+ so_file = "#{dir}/#{ruby_version[/^\d+\.\d+/]}/bcrypt_ext.so"
74
+ if File.exists?(so_file)
75
+ sh "#{prefix}-strip -S #{so_file}"
76
+ end
77
+ end
78
+ end
79
+ end
80
+ end
81
+ end
82
+
83
+ desc "Run a set of benchmarks on the compiled extension."
84
+ task :benchmark do
85
+ TESTS = 100
86
+ TEST_PWD = "this is a test"
87
+ require File.expand_path(File.join(File.dirname(__FILE__), "lib", "bcrypt"))
88
+ Benchmark.bmbm do |results|
89
+ 4.upto(10) do |n|
90
+ results.report("cost #{n}:") { TESTS.times { BCrypt::Password.create(TEST_PWD, :cost => n) } }
91
+ end
92
+ end
93
+ end
data/bcrypt.gemspec ADDED
@@ -0,0 +1,29 @@
1
+ Gem::Specification.new do |s|
2
+ s.name = 'lookout-bcrypt'
3
+ s.version = '3.2.0'
4
+
5
+ s.summary = "OpenBSD's bcrypt() password hashing algorithm."
6
+ s.description = <<-EOF
7
+ bcrypt() is a sophisticated and secure hash algorithm designed by The OpenBSD project
8
+ for hashing passwords. The bcrypt Ruby gem provides a simple wrapper for safely handling
9
+ passwords.
10
+ EOF
11
+
12
+ s.files = `git ls-files`.split("\n")
13
+ s.require_path = 'lib'
14
+
15
+ s.add_development_dependency 'rake-compiler', '~> 0.9.2'
16
+ s.add_development_dependency 'rspec', '>= 3'
17
+ s.add_development_dependency 'rdoc', '~> 3.12'
18
+
19
+ s.has_rdoc = true
20
+ s.rdoc_options += ['--title', 'bcrypt-ruby', '--line-numbers', '--inline-source', '--main', 'README.md']
21
+ s.extra_rdoc_files += ['README.md', 'COPYING', 'CHANGELOG', *Dir['lib/**/*.rb']]
22
+
23
+ s.extensions = 'ext/mri/extconf.rb'
24
+
25
+ s.authors = ["Coda Hale", "Ariel Salomon"]
26
+ s.email = "ariel.salomon@gmail.com"
27
+ s.homepage = "https://github.com/Oscil8/bcrypt-ruby"
28
+ s.license = "MIT"
29
+ end