RubyGems - argon2id - Versions diffs - 0.1.1-x86-mingw32 → 0.1.2-x86-mingw32 - Mend

argon2id 0.1.1-x86-mingw32 → 0.1.2-x86-mingw32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d9b500cb0b22b703fd37b1946a1d8166f5dad956418b050f81e0bad239056b4
-  data.tar.gz: 9cd6cd69e7ee71ad97fcc2164e2a7fdbd9536339b05170c1824a13c7e2abf0d7
+  metadata.gz: c01b0920e8bed54d8ce210e028fa2b5c82a42c32bcb235e0af654c0c23d99efd
+  data.tar.gz: 87b417f6f199902d48dce230c0c30bc6981db3baf8856925b419602f7a416095
 SHA512:
-  metadata.gz: 4c822ad2b8657e13e88457cc3e07e944ec3a92a7cdf82b709895259f53f08286c7206d407789ad83502d708d2c3ee8e59648f74fe5a6cf5929178c4f0cbd7bd6
-  data.tar.gz: 477a63c8fb3b55f8caebba8be9a1462eda39abbad05da254dffc41127009cacfa7cee0443c77da88d6e79d5bf15bb6527e261d19520261c404e8ff2a3272cead
+  metadata.gz: 29ce5a378053ed8d6f0c16b5611bf45c12b3260dba04c48d67b761654d0678522d83377bb979bf50bc6a632c5c4aaafe09752ad9acb473f7aca508b31c4e3f6a
+  data.tar.gz: 6793c6b841e0e26a599eef2f55aa38c6e170c477547d0e74a2fa5f0d78096e11e03ea0bf597d38e21e36fc30e99c3309046134bdc4070940493f78780a348b4d

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.1.2] - 2024-11-01
+### Fixed
+- Validate that the encoded hash passed to Argon2id::Password.new is a
+  null-terminated C string, raising an ArgumentError if it contains extra null
+  bytes
 ## [0.1.1] - 2024-11-01
 ### Added
@@ -24,5 +32,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
+[0.1.2]: https://github.com/mudge/argon2id/releases/tag/v0.1.2
 [0.1.1]: https://github.com/mudge/argon2id/releases/tag/v0.1.1
 [0.1.0]: https://github.com/mudge/argon2id/releases/tag/v0.1.0

data/README.md CHANGED Viewed

@@ -5,7 +5,7 @@ function that won the 2015 [Password Hashing Competition][].
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
-**Current version:** 0.1.1
+**Current version:** 0.1.2
 **Bundled Argon2 version:** libargon2.1 (20190702)
 ```ruby
@@ -176,11 +176,11 @@ notes](https://github.com/mudge/argon2id/releases) for each version and can be
 checked with `sha256sum`, e.g.
 ```console
-$ gem fetch argon2id -v 0.1.0
-Fetching argon2id-0.1.0-arm64-darwin.gem
-Downloaded argon2id-0.1.0-arm64-darwin
-$ sha256sum argon2id-0.1.0-arm64-darwin.gem
-652ba4ebe4176c3fa944652b5db3bee52670c1e6b76632f921dd1455ec0810aa  argon2id-0.1.0-arm64-darwin.gem
+$ gem fetch argon2id -v 0.1.1
+Fetching argon2id-0.1.1-arm64-darwin.gem
+Downloaded argon2id-0.1.1-arm64-darwin
+$ sha256sum argon2id-0.1.1-arm64-darwin.gem
+8d47464edf847ca52c1d41cac1a9feff376e9a1e7c0a98ab58df846990caa1bb  argon2id-0.1.1-arm64-darwin.gem
 ```
 [GPG](https://www.gnupg.org/) signatures are attached to each release (the
@@ -190,8 +190,8 @@ from a public keyserver, e.g. `gpg --keyserver keyserver.ubuntu.com --recv-key
 0x39AC3530070E0F75`):
 ```console
-$ gpg --verify argon2id-0.1.0-arm64-darwin.gem.sig argon2id-0.1.0-arm64-darwin.gem
-gpg: Signature made Thu 31 Oct 16:09:45 2024 GMT
+$ gpg --verify argon2id-0.1.1-arm64-darwin.gem.sig argon2id-0.1.1-arm64-darwin.gem
+gpg: Signature made Fri  1 Nov 07:24:16 2024 GMT
 gpg:                using RSA key 702609D9C790F45B577D7BEC39AC3530070E0F75
 gpg: Good signature from "Paul Mucur <mudge@mudge.name>" [unknown]
 gpg:                 aka "Paul Mucur <paul@ghostcassette.com>" [unknown]

data/ext/argon2id/argon2id.c CHANGED Viewed

@@ -7,7 +7,7 @@
 VALUE mArgon2id, cArgon2idError;
-/* call-seq: Argon2id.hash_encode(t_cost, m_cost, parallelism, pwd, salt, output_len)
+/* call-seq: hash_encoded(t_cost, m_cost, parallelism, pwd, salt, output_len)
  *
  * Hashes a password with Argon2id, producing an encoded hash.
  *
@@ -53,7 +53,7 @@ rb_argon2id_hash_encoded(VALUE module, VALUE iterations, VALUE memory, VALUE thr
   return hash;
 }
-/* call-seq: Argon2id.verify(encoded, pwd)
+/* call-seq: verify(encoded, pwd)
  *
  * Verifies a password against an encoded string.
  */
@@ -63,7 +63,7 @@ rb_argon2id_verify(VALUE module, VALUE encoded, VALUE pwd) {
   UNUSED(module);
-  result = argon2id_verify(StringValuePtr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
+  result = argon2id_verify(StringValueCStr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
   if (result == ARGON2_OK) {
     return Qtrue;
   }

data/lib/2.6/argon2id.so CHANGED Viewed

Binary file

data/lib/2.7/argon2id.so CHANGED Viewed

Binary file

data/lib/3.0/argon2id.so CHANGED Viewed

Binary file

data/lib/3.1/argon2id.so CHANGED Viewed

Binary file

data/lib/3.2/argon2id.so CHANGED Viewed

Binary file

data/lib/3.3/argon2id.so CHANGED Viewed

Binary file

data/lib/argon2id/password.rb CHANGED Viewed

@@ -17,15 +17,28 @@ module Argon2id
   #   password == "password"
   #   #=> true
   class Password
+    # The encoded password hash.
     attr_reader :encoded
-    # Create a new Password object that hashes a given plain text password.
+    # Create a new Password object that hashes a given plain text password +pwd+.
     #
     # - +:t_cost+: integer (default 2) the "time cost" given as a number of iterations
     # - +:m_cost+: integer (default 19456) the "memory cost" given in kibibytes
     # - +:parallelism+: integer (default 1) the number of threads and compute lanes to use
     # - +:salt_len+: integer (default 16) the salt size in bytes
     # - +:output_len+: integer (default 32) the desired length of the hash in bytes
+    #
+    # For example, with the default configuration:
+    #
+    #   password = Argon2id::Password.create("password")
+    #   password.to_s
+    #   #=> "$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s"
+    #
+    # When overriding the configuration:
+    #
+    #   password = Argon2id::Password.create("password", t_cost: 3, m_cost: 12288)
+    #   password.to_s
+    #   #=> "$argon2id$v=19$m=12288,t=3,p=1$JigW7fFn+N3NImt+aWpuzw$eM5F1cKeIBALNTU6LuWra75Zi2nymGvQLWzJzVFv0Nc"
     def self.create(pwd, t_cost: Argon2id.t_cost, m_cost: Argon2id.m_cost, parallelism: Argon2id.parallelism, salt_len: Argon2id.salt_len, output_len: Argon2id.output_len)
       new(
         Argon2id.hash_encoded(
@@ -42,6 +55,8 @@ module Argon2id
     # call-seq: Argon2id::Password.new(encoded)
     #
     # Create a new Password with the given encoded password hash.
+    #
+    #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
     def initialize(encoded)
       @encoded = encoded
     end
@@ -53,6 +68,10 @@ module Argon2id
     # Compare the password with given plain text, returning true if it verifies
     # successfully.
+    #
+    #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
+    #   password == "password"    #=> true
+    #   password == "notpassword" #=> false
     def ==(other)
       Argon2id.verify(encoded, String(other))
     end

data/lib/argon2id/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Argon2id
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/lib/argon2id.rb CHANGED Viewed

@@ -11,10 +11,19 @@ require "argon2id/version"
 require "argon2id/password"
 module Argon2id
+  # The default "time cost" of 2 iterations recommended by OWASP.
   DEFAULT_T_COST = 2
+  # The default "memory cost" of 19 mebibytes recommended by OWASP.
   DEFAULT_M_COST = 19456
+  # The default 1 thread and compute lane recommended by OWASP.
   DEFAULT_PARALLELISM = 1
+  # The default salt length of 16 bytes.
   DEFAULT_SALT_LEN = 16
+  # The default desired hash length of 32 bytes.
   DEFAULT_OUTPUT_LEN = 32
   @t_cost = DEFAULT_T_COST

data/test/test_verify.rb CHANGED Viewed

@@ -5,15 +5,17 @@ require "argon2id"
 class TestVerify < Minitest::Test
   def test_returns_true_with_correct_password
-    encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
-    assert Argon2id.verify(encoded, "password")
+    assert Argon2id.verify(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4",
+      "password"
+    )
   end
   def test_returns_false_with_incorrect_password
-    encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
-    refute Argon2id.verify(encoded, "notopensesame")
+    refute Argon2id.verify(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4",
+      "not password"
+    )
   end
   def test_raises_if_given_invalid_encoded
@@ -21,4 +23,13 @@ class TestVerify < Minitest::Test
       Argon2id.verify("", "opensesame")
     end
   end
+  def test_raises_if_given_encoded_with_null_byte
+    assert_raises(ArgumentError) do
+      Argon2id.verify(
+        "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4\x00foo",
+        "password"
+      )
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: argon2id
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: x86-mingw32
 authors:
 - Paul Mucur