argon2id 0.1.1-x86-mingw32 → 0.2.0-x86-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d9b500cb0b22b703fd37b1946a1d8166f5dad956418b050f81e0bad239056b4
-  data.tar.gz: 9cd6cd69e7ee71ad97fcc2164e2a7fdbd9536339b05170c1824a13c7e2abf0d7
+  metadata.gz: 44df0630f5d898e8bdf9a46d34702349e96bf4a6a5a2605abd32f670b8dfa37b
+  data.tar.gz: 42d7ee3c98cb7f977e2118fb3286f1eb60348761937b14c2cfc1db727bcea457
 SHA512:
-  metadata.gz: 4c822ad2b8657e13e88457cc3e07e944ec3a92a7cdf82b709895259f53f08286c7206d407789ad83502d708d2c3ee8e59648f74fe5a6cf5929178c4f0cbd7bd6
-  data.tar.gz: 477a63c8fb3b55f8caebba8be9a1462eda39abbad05da254dffc41127009cacfa7cee0443c77da88d6e79d5bf15bb6527e261d19520261c404e8ff2a3272cead
+  metadata.gz: 01e693291c08214d7f9fc29f1113344790891c8288ccbf141eab9e7bb2c2fb755dc021349d4efbe1c3a428635f77930ee7fcdcbf5f064601903ceec1f6916afc
+  data.tar.gz: 2827be0e4a329ada3a68bf3522f75a328a294b02cf88cd9e2ff1437f80bceb025dfe1694e943739bd7e88b1d0e6fbc572fca0b78a0ced1aa06aeac841af1af06

data/CHANGELOG.md

@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.2] - 2024-11-01
+
+### Added
+
+- The original salt for an `Argon2id::Password` can now be retrieved with
+  `Argon2id::Password#salt`
+
+### Changed
+
+- Encoded hashes are now validated when initialising an `Argon2id::Password`,
+  raising an `ArgumentError` if they are invalid
+
+## [0.1.2] - 2024-11-01
+
+### Fixed
+
+- Validate that the encoded hash passed to `Argon2id::Password.new` is a
+  null-terminated C string, raising an `ArgumentError` if it contains extra null
+  bytes
+
 ## [0.1.1] - 2024-11-01
 
 ### Added
@@ -24,5 +44,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
 
+[0.2.0]: https://github.com/mudge/argon2id/releases/tag/v0.2.0
+[0.1.2]: https://github.com/mudge/argon2id/releases/tag/v0.1.2
 [0.1.1]: https://github.com/mudge/argon2id/releases/tag/v0.1.1
 [0.1.0]: https://github.com/mudge/argon2id/releases/tag/v0.1.0

data/README.md

@@ -5,17 +5,17 @@ function that won the 2015 [Password Hashing Competition][].
 
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
 
-**Current version:** 0.1.1  
+**Current version:** 0.2.0  
 **Bundled Argon2 version:** libargon2.1 (20190702)
 
 ```ruby
-Argon2::Password.create("opensesame").to_s
+Argon2id::Password.create("opensesame").to_s
 #=> "$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU"
 
-Argon2::Password.create("opensesame") == "opensesame"
+Argon2id::Password.create("opensesame") == "opensesame"
 #=> true
 
-Argon2::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU") == "opensesame"
+Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU") == "opensesame"
 #=> true
 ```
 
@@ -142,6 +142,14 @@ password.is_password?("opensesame")    #=> true
 password.is_password?("notopensesame") #=> false
 ```
 
+The original salt for a password can be retrieved with `Argon2id::Password#salt`:
+
+```ruby
+password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
+password.salt
+#=> "somesalt"
+```
+
 ### Errors
 
 Any errors returned from Argon2 will be raised as `Argon2id::Error`, e.g.
@@ -176,11 +184,11 @@ notes](https://github.com/mudge/argon2id/releases) for each version and can be
 checked with `sha256sum`, e.g.
 
 ```console
-$ gem fetch argon2id -v 0.1.0
-Fetching argon2id-0.1.0-arm64-darwin.gem
-Downloaded argon2id-0.1.0-arm64-darwin
-$ sha256sum argon2id-0.1.0-arm64-darwin.gem
-652ba4ebe4176c3fa944652b5db3bee52670c1e6b76632f921dd1455ec0810aa  argon2id-0.1.0-arm64-darwin.gem
+$ gem fetch argon2id -v 0.1.1
+Fetching argon2id-0.1.1-arm64-darwin.gem
+Downloaded argon2id-0.1.1-arm64-darwin
+$ sha256sum argon2id-0.1.1-arm64-darwin.gem
+8d47464edf847ca52c1d41cac1a9feff376e9a1e7c0a98ab58df846990caa1bb  argon2id-0.1.1-arm64-darwin.gem
 ```
 
 [GPG](https://www.gnupg.org/) signatures are attached to each release (the
@@ -190,8 +198,8 @@ from a public keyserver, e.g. `gpg --keyserver keyserver.ubuntu.com --recv-key
 0x39AC3530070E0F75`):
 
 ```console
-$ gpg --verify argon2id-0.1.0-arm64-darwin.gem.sig argon2id-0.1.0-arm64-darwin.gem
-gpg: Signature made Thu 31 Oct 16:09:45 2024 GMT
+$ gpg --verify argon2id-0.1.1-arm64-darwin.gem.sig argon2id-0.1.1-arm64-darwin.gem
+gpg: Signature made Fri  1 Nov 07:24:16 2024 GMT
 gpg:                using RSA key 702609D9C790F45B577D7BEC39AC3530070E0F75
 gpg: Good signature from "Paul Mucur <mudge@mudge.name>" [unknown]
 gpg:                 aka "Paul Mucur <paul@ghostcassette.com>" [unknown]

data/argon2id.gemspec

@@ -53,6 +53,7 @@ Gem::Specification.new do |s|
   ]
   s.rdoc_options = ["--main", "README.md"]
 
+  s.add_runtime_dependency("base64")
   s.add_development_dependency("rake-compiler", "~> 1.2")
   s.add_development_dependency("rake-compiler-dock", "~> 1.5")
   s.add_development_dependency("minitest", "~> 5.25")

data/ext/argon2id/argon2id.c

@@ -7,7 +7,7 @@
 
 VALUE mArgon2id, cArgon2idError;
 
-/* call-seq: Argon2id.hash_encode(t_cost, m_cost, parallelism, pwd, salt, output_len)
+/* call-seq: hash_encoded(t_cost, m_cost, parallelism, pwd, salt, output_len)
  *
  * Hashes a password with Argon2id, producing an encoded hash.
  *
@@ -53,7 +53,7 @@ rb_argon2id_hash_encoded(VALUE module, VALUE iterations, VALUE memory, VALUE thr
   return hash;
 }
 
-/* call-seq: Argon2id.verify(encoded, pwd)
+/* call-seq: verify(encoded, pwd)
  *
  * Verifies a password against an encoded string.
  */
@@ -63,7 +63,7 @@ rb_argon2id_verify(VALUE module, VALUE encoded, VALUE pwd) {
 
   UNUSED(module);
 
-  result = argon2id_verify(StringValuePtr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
+  result = argon2id_verify(StringValueCStr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
   if (result == ARGON2_OK) {
     return Qtrue;
   }

data/lib/argon2id/password.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "base64"
 require "openssl"
 
 module Argon2id
@@ -17,15 +18,47 @@ module Argon2id
   #   password == "password"
   #   #=> true
   class Password
+    # A regular expression to match valid hashes.
+    PATTERN = %r{
+      \A
+      \$
+      argon2(?:id|i|d)
+      (?:\$v=\d+)?
+      \$m=\d+
+      ,t=\d+
+      ,p=\d+
+      \$
+      (?<base64_salt>[a-zA-Z0-9+/]+)
+      \$
+      [a-zA-Z0-9+/]+
+      \z
+    }x.freeze
+
+    # The encoded password hash.
     attr_reader :encoded
 
-    # Create a new Password object that hashes a given plain text password.
+    # The salt.
+    attr_reader :salt
+
+    # Create a new Password object that hashes a given plain text password +pwd+.
     #
     # - +:t_cost+: integer (default 2) the "time cost" given as a number of iterations
     # - +:m_cost+: integer (default 19456) the "memory cost" given in kibibytes
     # - +:parallelism+: integer (default 1) the number of threads and compute lanes to use
     # - +:salt_len+: integer (default 16) the salt size in bytes
     # - +:output_len+: integer (default 32) the desired length of the hash in bytes
+    #
+    # For example, with the default configuration:
+    #
+    #   password = Argon2id::Password.create("password")
+    #   password.to_s
+    #   #=> "$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s"
+    #
+    # When overriding the configuration:
+    #
+    #   password = Argon2id::Password.create("password", t_cost: 3, m_cost: 12288)
+    #   password.to_s
+    #   #=> "$argon2id$v=19$m=12288,t=3,p=1$JigW7fFn+N3NImt+aWpuzw$eM5F1cKeIBALNTU6LuWra75Zi2nymGvQLWzJzVFv0Nc"
     def self.create(pwd, t_cost: Argon2id.t_cost, m_cost: Argon2id.m_cost, parallelism: Argon2id.parallelism, salt_len: Argon2id.salt_len, output_len: Argon2id.output_len)
       new(
         Argon2id.hash_encoded(
@@ -42,8 +75,15 @@ module Argon2id
     # call-seq: Argon2id::Password.new(encoded)
     #
     # Create a new Password with the given encoded password hash.
+    #
+    #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
+    #
+    # Raises an ArgumentError if given an invalid hash.
     def initialize(encoded)
+      raise ArgumentError, "invalid hash" unless PATTERN =~ encoded
+
       @encoded = encoded
+      @salt = Base64.decode64(Regexp.last_match(:base64_salt))
     end
 
     # Return the encoded password hash.
@@ -53,6 +93,10 @@ module Argon2id
 
     # Compare the password with given plain text, returning true if it verifies
     # successfully.
+    #
+    #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
+    #   password == "password"    #=> true
+    #   password == "notpassword" #=> false
     def ==(other)
       Argon2id.verify(encoded, String(other))
     end

data/lib/argon2id/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Argon2id
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/argon2id.rb

@@ -11,10 +11,19 @@ require "argon2id/version"
 require "argon2id/password"
 
 module Argon2id
+  # The default "time cost" of 2 iterations recommended by OWASP.
   DEFAULT_T_COST = 2
-  DEFAULT_M_COST = 19456
+
+  # The default "memory cost" of 19 mebibytes recommended by OWASP.
+  DEFAULT_M_COST = 19_456
+
+  # The default 1 thread and compute lane recommended by OWASP.
   DEFAULT_PARALLELISM = 1
+
+  # The default salt length of 16 bytes.
   DEFAULT_SALT_LEN = 16
+
+  # The default desired hash length of 32 bytes.
   DEFAULT_OUTPUT_LEN = 32
 
   @t_cost = DEFAULT_T_COST

data/test/test_password.rb

@@ -74,13 +74,33 @@ class TestPassword < Minitest::Test
     refute password.is_password?("notopensesame")
   end
 
-  def test_raises_if_verifying_with_invalid_encoded_password
-    password = Argon2id::Password.new("invalid")
+  def test_salt_returns_the_original_salt
+    password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
 
-    error = assert_raises(Argon2id::Error) do
-      password.is_password?("opensesame")
+    assert_equal "somesalt", password.salt
+  end
+
+  def test_salt_returns_raw_bytes
+    password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$KmIxrXv4lrnSJPO0LN7Gdw$lB3724qLPL9MNi10lkvIb4VxIk3q841CLvq0WTCZ0VQ")
+
+    assert_equal "*b1\xAD{\xF8\x96\xB9\xD2$\xF3\xB4,\xDE\xC6w".b, password.salt
+  end
+
+  def test_raises_for_invalid_hashes
+    assert_raises(ArgumentError) do
+      Argon2id::Password.new("not a valid hash")
     end
+  end
+
+  def test_raises_for_partial_hashes
+    assert_raises(ArgumentError) do
+      Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$KmIxrXv4lrnSJPO0LN7Gdw")
+    end
+  end
+
+  def test_salt_supports_versionless_hashes
+    password = Argon2id::Password.new("$argon2id$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
 
-    assert_equal "Decoding failed", error.message
+    assert_equal "somesalt", password.salt
   end
 end

data/test/test_verify.rb

@@ -5,15 +5,17 @@ require "argon2id"
 
 class TestVerify < Minitest::Test
   def test_returns_true_with_correct_password
-    encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
-
-    assert Argon2id.verify(encoded, "password")
+    assert Argon2id.verify(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4",
+      "password"
+    )
   end
 
   def test_returns_false_with_incorrect_password
-    encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
-
-    refute Argon2id.verify(encoded, "notopensesame")
+    refute Argon2id.verify(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4",
+      "not password"
+    )
   end
 
   def test_raises_if_given_invalid_encoded
@@ -21,4 +23,13 @@ class TestVerify < Minitest::Test
       Argon2id.verify("", "opensesame")
     end
   end
+
+  def test_raises_if_given_encoded_with_null_byte
+    assert_raises(ArgumentError) do
+      Argon2id.verify(
+        "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4\x00foo",
+        "password"
+      )
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: argon2id
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: x86-mingw32
 authors:
 - Paul Mucur
@@ -10,6 +10,20 @@ bindir: bin
 cert_chain: []
 date: 2024-11-01 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake-compiler
   requirement: !ruby/object:Gem::Requirement