Hello community,

here is the log from the commit of package rubygem-bcrypt for openSUSE:Factory 
checked in at 2022-04-30 22:52:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-bcrypt (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-bcrypt.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-bcrypt"

Sat Apr 30 22:52:24 2022 rev:12 rq:974044 version:3.1.17

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-bcrypt/rubygem-bcrypt.changes    
2020-09-14 12:31:58.073237907 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-bcrypt.new.1538/rubygem-bcrypt.changes  
2022-04-30 22:52:31.980223860 +0200
@@ -1,0 +2,12 @@
+Thu Apr 28 05:21:52 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 3.1.17
+ see installed CHANGELOG
+
+  3.1.17 Mar 14 2022
+  - Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
+  - Truncate secrets greater than 72 bytes in hash_secret [GH #255]
+  - Assorted test and doc improvements
+  
+
+-------------------------------------------------------------------

Old:
----
  bcrypt-3.1.16.gem

New:
----
  bcrypt-3.1.17.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-bcrypt.spec ++++++
--- /var/tmp/diff_new_pack.7etsV6/_old  2022-04-30 22:52:32.492224553 +0200
+++ /var/tmp/diff_new_pack.7etsV6/_new  2022-04-30 22:52:32.496224558 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-bcrypt
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-bcrypt
-Version:        3.1.16
+Version:        3.1.17
 Release:        0
 %define mod_name bcrypt
 %define mod_full_name %{mod_name}-%{version}
@@ -33,7 +33,7 @@
 BuildRequires:  %{rubygem gem2rpm}
 BuildRequires:  %{rubygem rdoc > 3.10}
 BuildRequires:  ruby-macros >= 5
-URL:            https://github.com/codahale/bcrypt-ruby
+URL:            https://github.com/bcrypt-ruby/bcrypt-ruby
 Source:         https://rubygems.org/gems/%{mod_full_name}.gem
 Source1:        rubygem-bcrypt-rpmlintrc
 Source2:        gem2rpm.yml

++++++ bcrypt-3.1.16.gem -> bcrypt-3.1.17.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.github/workflows/ruby.yml 
new/.github/workflows/ruby.yml
--- old/.github/workflows/ruby.yml      1970-01-01 01:00:00.000000000 +0100
+++ new/.github/workflows/ruby.yml      2022-03-14 20:16:53.000000000 +0100
@@ -0,0 +1,57 @@
+name: Test Suite
+
+# Run against all commits and pull requests.
+on: [ push, pull_request ]
+
+jobs:
+  test_matrix:
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu
+          - macos
+          - windows
+        ruby:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - '3.0'
+          - 3.1
+          - head
+          - jruby
+          - jruby-head
+          - truffleruby
+          - truffleruby-head
+          - mingw
+        exclude:
+          - { os: ubuntu,  ruby: jruby }
+          - { os: ubuntu,  ruby: jruby-head }
+          - { os: ubuntu,  ruby: mingw }
+          - { os: macos,   ruby: mingw }
+          - { os: windows, ruby: truffleruby }
+          - { os: windows, ruby: truffleruby-head }
+
+    runs-on: ${{ matrix.os }}-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec rake default
+
+  finish:
+    runs-on: ubuntu-latest
+    needs: [ test_matrix ]
+    steps:
+      - name: Wait for status checks
+        run: echo "All Green!"
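Review bot: The third-party actions at `uses: actions/checkout@v2` and `uses: ruby/setup-ruby@v1` are referenced by mutable tags, so the code that runs in CI can change without any change to this file; pinning each to a full commit SHA (keeping the tag in a trailing comment) fixes exactly what the workflow executes. The workflow also declares no `permissions:` block, so the job token receives the repository's default permissions although the visible steps only check out the tree and run `bundle exec rake default`; a top-level `permissions:` with `contents: read` covers what is shown here. Both are two-line changes.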
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      2020-09-03 22:47:23.000000000 +0200
+++ new/.gitignore      2022-03-14 20:16:53.000000000 +0100
@@ -7,3 +7,4 @@
 *.jar
 .DS_Store
 .rbenv-gemsets
+Gemfile.lock
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.travis.yml new/.travis.yml
--- old/.travis.yml     2020-09-03 22:47:23.000000000 +0200
+++ new/.travis.yml     1970-01-01 01:00:00.000000000 +0100
@@ -1,22 +0,0 @@
-language: ruby
-before_install:
-  - "echo 'gem: --no-rdoc --no-ri' > ~/.gemrc"
-rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - 2.7
-  - ruby-head
-  - jruby-head
-  - rbx-3
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-    - rvm: rbx-3
-  fast_finish: true
-script: bundle exec rake
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG new/CHANGELOG
--- old/CHANGELOG       2020-09-03 22:47:23.000000000 +0200
+++ new/CHANGELOG       2022-03-14 20:16:53.000000000 +0100
@@ -1,3 +1,8 @@
+3.1.17 Mar 14 2022
+- Fix regex in validators to use \A and \z instead of ^ and $ [GH #121]
+- Truncate secrets greater than 72 bytes in hash_secret [GH #255]
+- Assorted test and doc improvements
+
 3.1.16 Sep 3 2020
   - Fix compilation on FreeBSD. [GH #234]
 
@@ -16,7 +21,7 @@
 
 3.1.12 May 16 2018
   - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
-  - Fix compatibility with libxcrypt [GH #164 by @besser82]
+  - Fix compatibility with libxcrypt - Fixes hash errors in Fedora 28 and 
Ubuntu 20 [GH #164 by @besser82]
 
 3.1.11 Mar 06 2016
   - Add support for Ruby 2.2 in compiled Windows binaries
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       2020-09-03 22:47:23.000000000 +0200
+++ new/README.md       2022-03-14 20:16:53.000000000 +0100
@@ -2,12 +2,11 @@
 
 An easy way to keep your users' passwords secure.
 
-* https://github.com/codahale/bcrypt-ruby/tree/master
+* https://github.com/bcrypt-ruby/bcrypt-ruby/tree/master
 
-[![Travis Build 
Status](https://travis-ci.org/codahale/bcrypt-ruby.svg?branch=master)](https://travis-ci.org/codahale/bcrypt-ruby)
+[![Github Actions Build 
Status](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml/badge.svg?branch=master)](https://github.com/bcrypt-ruby/bcrypt-ruby/actions/workflows/ruby.yml)
 [![AppVeyor Build 
Status](https://ci.appveyor.com/api/projects/status/6fplerx9lnaf0hyo?svg=true)](https://ci.appveyor.com/project/TJSchuck35975/bcrypt-ruby)
 
-
 ## Why you should use `bcrypt()`
 
 If you store user passwords in the clear, then an attacker who steals a copy 
of your database has a giant list of emails
@@ -32,8 +31,8 @@
 The bcrypt gem is available on the following Ruby platforms:
 
 * JRuby
-* RubyInstaller 2.0 ??? 2.5 builds on Windows with the DevKit
-* Any 2.0 ??? 2.5 Ruby on a BSD/OS X/Linux system with a compiler
+* RubyInstaller 2.0 ??? 3.0 builds on Windows with the DevKit
+* Any 2.0 ??? 3.0 Ruby on a BSD/OS X/Linux system with a compiler
 
 ## How to use `bcrypt()` in your Rails application
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bcrypt.gemspec new/bcrypt.gemspec
--- old/bcrypt.gemspec  2020-09-03 22:47:23.000000000 +0200
+++ new/bcrypt.gemspec  2022-03-14 20:16:53.000000000 +0100
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'bcrypt'
-  s.version = '3.1.16'
+  s.version = '3.1.17'
 
   s.summary = "OpenBSD's bcrypt() password hashing algorithm."
   s.description = <<-EOF
@@ -22,6 +22,6 @@
 
   s.authors = ["Coda Hale"]
   s.email = "[email protected]"
-  s.homepage = "https://github.com/codahale/bcrypt-ruby";
+  s.homepage = "https://github.com/bcrypt-ruby/bcrypt-ruby";
   s.license = "MIT"
 end
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/bcrypt/engine.rb new/lib/bcrypt/engine.rb
--- old/lib/bcrypt/engine.rb    2020-09-03 22:47:23.000000000 +0200
+++ new/lib/bcrypt/engine.rb    2022-03-14 20:16:53.000000000 +0100
@@ -7,6 +7,14 @@
     MIN_COST        = 4
     # The maximum cost supported by the algorithm.
     MAX_COST = 31
+    # Maximum possible size of bcrypt() secrets.
+    # Older versions of the bcrypt library would truncate passwords longer
+    # than 72 bytes, but newer ones do not. We truncate like the old library 
for
+    # forward compatibility. This way users upgrading from Ubuntu 18.04 to 
20.04
+    # will not have their user passwords invalidated, for example.
+    # A max secret length greater than 255 leads to bcrypt returning nil.
+    # 
https://github.com/bcrypt-ruby/bcrypt-ruby/issues/225#issuecomment-875908425
+    MAX_SECRET_BYTESIZE = 72
     # Maximum possible size of bcrypt() salts.
     MAX_SALT_LENGTH = 16
 
@@ -43,14 +51,16 @@
     end
 
     # Given a secret and a valid salt (see BCrypt::Engine.generate_salt) 
calculates
-    # a bcrypt() password hash.
+    # a bcrypt() password hash. Secrets longer than 72 bytes are truncated.
     def self.hash_secret(secret, salt, _ = nil)
       if valid_secret?(secret)
         if valid_salt?(salt)
           if RUBY_PLATFORM == "java"
             Java.bcrypt_jruby.BCrypt.hashpw(secret.to_s.to_java_bytes, 
salt.to_s)
           else
-            __bc_crypt(secret.to_s, salt)
+            secret = secret.to_s
+            secret = secret.byteslice(0, MAX_SECRET_BYTESIZE) if secret && 
secret.bytesize > MAX_SECRET_BYTESIZE
+            __bc_crypt(secret, salt)
           end
         else
           raise Errors::InvalidSalt.new("invalid salt")
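Review bot: The truncation added at `secret = secret.byteslice(0, MAX_SECRET_BYTESIZE) if secret && secret.bytesize > MAX_SECRET_BYTESIZE` is applied only on the non-JRuby branch, while the updated comment on `hash_secret` states unconditionally that secrets longer than 72 bytes are truncated; on the `RUBY_PLATFORM == "java"` branch the full `secret.to_s.to_java_bytes` is still handed to `hashpw`. Unless the Java implementation is known to truncate identically, hashes for secrets over 72 bytes may differ between platforms, so either apply the same `byteslice` before `to_java_bytes` or scope the comment to the C-extension path. The `secret &&` guard on that line is redundant, because `secret = secret.to_s` on the preceding line can no longer yield `nil`. `hash_secret` ends outside this hunk.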
@@ -70,8 +80,7 @@
         if RUBY_PLATFORM == "java"
           Java.bcrypt_jruby.BCrypt.gensalt(cost)
         else
-          prefix = 
"$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
-          __bc_salt(prefix, cost, 
OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
+          __bc_salt("$2a$", cost, 
OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
         end
       else
         raise Errors::InvalidCost.new("cost must be numeric and > 0")
@@ -80,7 +89,7 @@
 
     # Returns true if +salt+ is a valid bcrypt() salt, false if not.
     def self.valid_salt?(salt)
-      !!(salt =~ /^\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}$/)
+      !!(salt =~ /\A\$[0-9a-z]{2,}\$[0-9]{2,}\$[A-Za-z0-9\.\/]{22,}\z/)
     end
 
     # Returns true if +secret+ is a valid bcrypt() secret, false if not.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/bcrypt/password.rb new/lib/bcrypt/password.rb
--- old/lib/bcrypt/password.rb  2020-09-03 22:47:23.000000000 +0200
+++ new/lib/bcrypt/password.rb  2022-03-14 20:16:53.000000000 +0100
@@ -47,7 +47,7 @@
       end
 
       def valid_hash?(h)
-        /^\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}$/ === h
+        /\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/ === h
       end
     end
 
@@ -62,6 +62,17 @@
     end
 
     # Compares a potential secret against the hash. Returns true if the secret 
is the original secret, false otherwise.
+    #
+    # Comparison edge case/gotcha:
+    #
+    #    secret = "my secret"
+    #    @password = BCrypt::Password.create(secret)
+    #
+    #    @password == secret              # => True
+    #    @password == @password           # => False
+    #    @password == @password.to_s      # => False
+    #    @password.to_s == @password      # => True
+    #    @password.to_s == @password.to_s # => True
     def ==(secret)
       super(BCrypt::Engine.hash_secret(secret, @salt))
     end
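Review bot: The example results in the new comment block on `==` are written as `True`/`False`, which are not Ruby values; `==` returns `true`/`false`, so the five `# => …` lines should read `# => true` and `# => false` to match what IRB would print. The comment would also benefit from one sentence stating why the comparison is not reflexive: the body `super(BCrypt::Engine.hash_secret(secret, @salt))` hashes whatever is passed in, so passing a `Password` compares against the hash of the hash string rather than against the original secret.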
@@ -83,5 +94,4 @@
       return v.to_str, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
     end
   end
-
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-09-03 22:47:23.000000000 +0200
+++ new/metadata        2022-03-14 20:16:53.000000000 +0100
@@ -1,22 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: bcrypt
 version: !ruby/object:Gem::Version
-  version: 3.1.16
+  version: 3.1.17
 platform: ruby
 authors:
 - Coda Hale
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-03 00:00:00.000000000 Z
+date: 2022-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.9.2
-  name: rake-compiler
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -25,12 +25,12 @@
       - !ruby/object:Gem::Version
         version: 0.9.2
 - !ruby/object:Gem::Dependency
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3'
-  name: rspec
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -50,14 +50,14 @@
 - README.md
 - COPYING
 - CHANGELOG
-- lib/bcrypt.rb
 - lib/bcrypt/password.rb
 - lib/bcrypt/engine.rb
 - lib/bcrypt/error.rb
+- lib/bcrypt.rb
 files:
+- ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - CHANGELOG
 - COPYING
 - Gemfile
@@ -86,11 +86,11 @@
 - spec/bcrypt/error_spec.rb
 - spec/bcrypt/password_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/codahale/bcrypt-ruby
+homepage: https://github.com/bcrypt-ruby/bcrypt-ruby
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options:
 - "--title"
 - bcrypt-ruby
@@ -111,8 +111,8 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
-signing_key:
+rubygems_version: 3.1.4
+signing_key: 
 specification_version: 4
 summary: OpenBSD's bcrypt() password hashing algorithm.
 test_files: []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/spec/bcrypt/engine_spec.rb 
new/spec/bcrypt/engine_spec.rb
--- old/spec/bcrypt/engine_spec.rb      2020-09-03 22:47:23.000000000 +0200
+++ new/spec/bcrypt/engine_spec.rb      2022-03-14 20:16:53.000000000 +0100
@@ -1,4 +1,5 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", 
"spec_helper"))
+require 'securerandom'
 
 describe 'BCrypt::Engine' do
   describe '.calibrate(upper_time_limit_in_ms)' do
@@ -12,8 +13,11 @@
 
 describe "The BCrypt engine" do
   specify "should calculate the optimal cost factor to fit in a specific time" 
do
-    first = BCrypt::Engine.calibrate(100)
-    second = BCrypt::Engine.calibrate(400)
+    start_time = Time.now
+    BCrypt::Password.create("testing testing", :cost => 
BCrypt::Engine::MIN_COST + 1)
+    min_time_ms = (Time.now - start_time) * 1000
+    first = BCrypt::Engine.calibrate(min_time_ms)
+    second = BCrypt::Engine.calibrate(min_time_ms * 4)
     expect(second).to be > first
   end
 end
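Review bot: The elapsed time at `min_time_ms = (Time.now - start_time) * 1000` is measured with the wall clock, which can jump when the system time is adjusted while the test runs; `Process.clock_gettime(Process::CLOCK_MONOTONIC)` (available since Ruby 2.1, the oldest version in the new CI matrix) gives a duration that cannot go backwards, e.g. `start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)` and `min_time_ms = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) * 1000`. The assertion `expect(second).to be > first` still depends on host speed, so a short comment explaining that the measured cost of one `MIN_COST + 1` hash is used as the lower bound for `calibrate` would help the next person who sees it fail.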
@@ -154,4 +158,19 @@
       expect(BCrypt::Engine.hash_secret(secret, salt)).to eql(test_vector)
     end
   end
+
+  specify "should truncate long 1-byte character secrets to 72 bytes" do
+    # 'b' as a base triggers the failure at 256 characters, but 'a' does not.
+    too_long_secret = 'b'*(BCrypt::Engine::MAX_SECRET_BYTESIZE + 1)
+    just_right_secret = 'b'*BCrypt::Engine::MAX_SECRET_BYTESIZE
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to 
eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
+
+  specify "should truncate long multi-byte character secrets to 72 bytes" do
+    # 256 times causes bcrypt to return nil for libxcrypt > 4.4.18-4.
+    too_long_secret = '????'*256
+    # ???? takes 4 bytes in UTF-8. 18 times is 72 bytes
+    just_right_secret = '????'*18
+    expect(BCrypt::Engine.hash_secret(too_long_secret, @salt)).to 
eq(BCrypt::Engine.hash_secret(just_right_secret, @salt))
+  end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/spec/bcrypt/password_spec.rb 
new/spec/bcrypt/password_spec.rb
--- old/spec/bcrypt/password_spec.rb    2020-09-03 22:47:23.000000000 +0200
+++ new/spec/bcrypt/password_spec.rb    2022-03-14 20:16:53.000000000 +0100
@@ -1,4 +1,5 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "..", 
"spec_helper"))
+require 'securerandom'
 
 describe "Creating a hashed password" do
 
@@ -26,6 +27,10 @@
     expect { BCrypt::Password.create( ""         ) }.not_to raise_error
     expect { BCrypt::Password.create( String.new ) }.not_to raise_error
   end
+
+  specify "should tolerate very long string secrets" do
+    expect { BCrypt::Password.create("abcd"*1024) }.not_to raise_error
+  end
 end
 
 describe "Reading a hashed password" do
@@ -108,6 +113,7 @@
 describe "Validating a generated salt" do
   specify "should not accept an invalid salt" do
     expect(BCrypt::Engine.valid_salt?("invalid")).to eq(false)
+    
expect(BCrypt::Engine.valid_salt?("invalid\n#{BCrypt::Engine.generate_salt}\ninvalid")).to
 eq(false)
   end
   specify "should accept a valid salt" do
     expect(BCrypt::Engine.valid_salt?(BCrypt::Engine.generate_salt)).to 
eq(true)
@@ -117,6 +123,7 @@
 describe "Validating a password hash" do
   specify "should not accept an invalid password" do
     expect(BCrypt::Password.valid_hash?("i_am_so_not_valid")).to be(false)
+    expect(BCrypt::Password.valid_hash?("invalid\n#{BCrypt::Password.create 
"i_am_so_valid"}\ninvalid")).to be(false)
   end
   specify "should accept a valid password" do
     expect(BCrypt::Password.valid_hash?(BCrypt::Password.create 
"i_am_so_valid")).to be(true)
