argon2id 0.3.0-arm64-darwin → 0.4.1-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 298aec7be86231e01d07ff5a92bb37e012fa2b116c65b62e8f64801a71211f94
-  data.tar.gz: 4cdf98a29119910f960333f68f6b3688eb8487bbb6bca68d8493194fbcfeada4
+  metadata.gz: f6316cc6706a6e86ae4f0a86235f89bb70d37435feeeca74f0ee67739de099f1
+  data.tar.gz: 185a9eea6d969fb027bd812c9679d8faeee5f47d6993e4cf17526d8ac0368b76
 SHA512:
-  metadata.gz: e9c79477faada8fd9c989aeeebfa6e7fc7b9a862ff006b9733543dec1578810601f474dcc5a91dbefc8834c32e642abe99ee910e2f621874061199973fbaab16
-  data.tar.gz: 9386a6f49c29be0d10079900484fc92eb2c276eb7c047746243e2adba545c76432aeff9dec38a38a590ece4bf5d1dc4173496a84fa73f71bdb9fe405135e0c6b
+  metadata.gz: 57cbe1b33cf6f3d2e7034d40450f02dfdc4f2665471ca498bdcef41324948bb37a08c570aeb2e9eae35bb281aa547aa1367890ebdeafd6e9d4c4ca828e4f7205
+  data.tar.gz: 8ab065411f14e71e6addb77fe9215534e3c9e82a7f6575b5a952bc089ccfd56b2650c31650f911607178159f7bd1d3f2ceaf70afd3630e52e40c85ff3dc52a64

data/CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.4.1] - 2024-11-02
+
+### Changed
+
+- Refactor verification on JRuby to avoid parsing encoded hashes unnecessarily
+- No longer describe the gem in terms of bindings to the reference C
+  implementation given the Bouncy Castle-based JRuby implementation
+- Only wrap `IllegalStateException` with `Argon2id::Error` on JRuby
+
+## [0.4.0] - 2024-11-02
+
+### Added
+
+- Added support for JRuby 9.4 by adding an implementation of Argon2id hashing
+  and verification using JRuby-OpenSSL's Bouncy Castle internals
+- Added `output` to `Argon2id::Password` instances so the actual "output" part
+  of a password hash can be retrieved (and compared)
+
+### Changed
+
+- Verifying a password will now consistently raise an `ArgumentError` when
+  given an invalid encoded hash rather than an `Argon2id::Error`
+
 ## [0.3.0] - 2024-11-01
 
 ### Added
@@ -63,6 +86,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
 
+[0.4.1]: https://github.com/mudge/argon2id/releases/tag/v0.4.1
+[0.4.0]: https://github.com/mudge/argon2id/releases/tag/v0.4.0
 [0.3.0]: https://github.com/mudge/argon2id/releases/tag/v0.3.0
 [0.2.1]: https://github.com/mudge/argon2id/releases/tag/v0.2.1
 [0.2.0]: https://github.com/mudge/argon2id/releases/tag/v0.2.0

data/README.md

@@ -1,11 +1,11 @@
 # Argon2id - Ruby bindings to the OWASP recommended password-hashing function
 
-Ruby bindings to the reference C implementation of [Argon2][], the password-hashing
-function that won the 2015 [Password Hashing Competition][].
+Ruby bindings to [Argon2][], the password-hashing function that won the 2015
+[Password Hashing Competition][].
 
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
 
-**Current version:** 0.3.0  
+**Current version:** 0.4.1  
 **Bundled Argon2 version:** libargon2.1 (20190702)
 
 ```ruby
@@ -13,7 +13,7 @@ Argon2id::Password.create("password").to_s
 #=> "$argon2id$v=19$m=19456,t=2,p=1$agNV6OfDL1OwE44WdrFCJw$ITrBwvCsW4b5GjgZuL67RCcvVMEWBWXtASc9TVyI3rY"
 
 password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU")
-password == "password"      #=> true
+password == "password"     #=> true
 password == "not password" #=> false
 
 password.m_cost #=> 19456
@@ -127,7 +127,7 @@ password == "opensesame"    #=> true
 password == "notopensesame" #=> false
 ```
 
-Or, if you only have the hash (e.g. retrieved from storage):
+Or, if you only have the encoded hash (e.g. retrieved from storage):
 
 ```ruby
 password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU")
@@ -143,7 +143,7 @@ password.is_password?("opensesame")    #=> true
 password.is_password?("notopensesame") #=> false
 ```
 
-The various parameters for the password can be retrieved:
+The various parts of the encoded hash can be retrieved:
 
 ```ruby
 password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
@@ -153,6 +153,8 @@ password.m_cost      #=> 256
 password.t_cost      #=> 2
 password.parallelism #=> 1
 password.salt        #=> "somesalt"
+password.output
+#=> "\x9D\xFE\xB9\x10\xE8\v\xAD\x03\x11\xFE\xE2\x0F\x9C\x0E+\x12\xC1y\x87\xB4\xCA\xC9\f.\xF5M[0!\xC6\x8B\xFE"
 ```
 
 ### Errors
@@ -166,9 +168,16 @@ Argon2id::Password.create("password", salt_len: 0)
 
 ## Requirements
 
-This gem requires the following to run:
+This gem requires any of the following to run:
 
 * [Ruby](https://www.ruby-lang.org/en/) 2.6 to 3.3
+* [JRuby](https://www.jruby.org) 9.4
+* [TruffleRuby](https://www.graalvm.org/ruby/) 24.1
+
+> [!NOTE]
+> The JRuby version of the gem uses
+> [JRuby-OpenSSL](https://github.com/jruby/jruby-openssl)'s implementation of
+> Argon2 while the others use the reference C implementation.
 
 ### Native gems
 
@@ -180,6 +189,7 @@ Where possible, a pre-compiled native gem will be provided for the following pla
     * [musl](https://musl.libc.org/)-based systems such as [Alpine](https://alpinelinux.org) are supported as long as a [glibc-compatible library is installed](https://wiki.alpinelinux.org/wiki/Running_glibc_programs)
 * macOS `x86_64-darwin` and `arm64-darwin`
 * Windows `x64-mingw32` and `x64-mingw-ucrt`
+* Java: any platform running JRuby 9.4 or higher
 
 ### Verifying the gems
 
@@ -188,11 +198,11 @@ notes](https://github.com/mudge/argon2id/releases) for each version and can be
 checked with `sha256sum`, e.g.
 
 ```console
-$ gem fetch argon2id -v 0.2.1
-Fetching argon2id-0.2.1-arm64-darwin.gem
-Downloaded argon2id-0.2.1-arm64-darwin
-$ sha256sum argon2id-0.2.1-arm64-darwin.gem
-aea93700e989e421dd4e66b99038b9fec1acc9a265fe9d35e2100ceb5c18e5a9  argon2id-0.2.1-arm64-darwin.gem
+$ gem fetch argon2id -v 0.4.0
+Fetching argon2id-0.4.0-arm64-darwin.gem
+Downloaded argon2id-0.4.0-arm64-darwin
+$ sha256sum argon2id-0.4.0-arm64-darwin.gem
+2cecd6d5a1ecaf0a025e95714c0dee22dfc3d4585b649c57c06f432031b55a77  argon2id-0.4.0-arm64-darwin.gem
 ```
 
 [GPG](https://www.gnupg.org/) signatures are attached to each release (the
@@ -202,8 +212,8 @@ from a public keyserver, e.g. `gpg --keyserver keyserver.ubuntu.com --recv-key
 0x39AC3530070E0F75`):
 
 ```console
-$ gpg --verify argon2id-0.2.1-arm64-darwin.gem.sig argon2id-0.2.1-arm64-darwin.gem
-gpg: Signature made Fri  1 Nov 15:06:30 2024 GMT
+$ gpg --verify argon2id-0.4.0-arm64-darwin.gem.sig argon2id-0.4.0-arm64-darwin.gem
+gpg: Signature made Sat  2 Nov 15:25:15 2024 GMT
 gpg:                using RSA key 702609D9C790F45B577D7BEC39AC3530070E0F75
 gpg: Good signature from "Paul Mucur <mudge@mudge.name>" [unknown]
 gpg:                 aka "Paul Mucur <paul@ghostcassette.com>" [unknown]

data/Rakefile

@@ -20,6 +20,13 @@ ENV["RUBY_CC_VERSION"] = %w[3.3.0 3.2.0 3.1.0 3.0.0 2.7.0 2.6.0].join(":")
 
 gemspec = Gem::Specification.load("argon2id.gemspec")
 
+if RUBY_PLATFORM == "java"
+  gemspec.files.reject! { |path| File.fnmatch?("ext/*", path) }
+  gemspec.extensions.clear
+  gemspec.platform = Gem::Platform.new("java")
+  gemspec.required_ruby_version = ">= 3.1.0"
+end
+
 Gem::PackageTask.new(gemspec).define
 
 Rake::ExtensionTask.new("argon2id", gemspec) do |e|
@@ -50,6 +57,15 @@ namespace :gem do
       SCRIPT
     end
   end
+
+  desc "Compile gem for JRuby"
+  task :jruby do
+    RakeCompilerDock.sh <<~SCRIPT, rubyvm: "jruby", platform: "jruby", verbose: true
+      gem install bundler --no-document &&
+      bundle &&
+      bundle exec rake gem
+    SCRIPT
+  end
 end
 
 task default: [:compile, :test]

data/argon2id.gemspec

@@ -6,7 +6,7 @@ Gem::Specification.new do |s|
   s.name = "argon2id"
   s.version = Argon2id::VERSION
   s.summary = "Ruby bindings to Argon2"
-  s.description = "Ruby bindings to the reference C implementation of Argon2, the password-hashing function that won the 2015 Password Hashing Competition."
+  s.description = "Ruby bindings to Argon2, the password-hashing function that won the 2015 Password Hashing Competition."
   s.license = "BSD-3-Clause"
   s.authors = ["Paul Mucur"]
   s.homepage = "https://github.com/mudge/argon2id"

data/ext/argon2id/argon2id.c

@@ -70,6 +70,9 @@ rb_argon2id_verify(VALUE module, VALUE encoded, VALUE pwd) {
   if (result == ARGON2_VERIFY_MISMATCH) {
     return Qfalse;
   }
+  if (result == ARGON2_DECODING_FAIL || result == ARGON2_DECODING_LENGTH_FAIL) {
+    rb_raise(rb_eArgError, "%s", argon2_error_message(result));
+  }
 
   rb_raise(cArgon2idError, "%s", argon2_error_message(result));
 }

data/lib/argon2id/password.rb

@@ -44,7 +44,7 @@ module Argon2id
       \$
       ([a-zA-Z0-9+/]+)
       \$
-      [a-zA-Z0-9+/]+
+      ([a-zA-Z0-9+/]+)
       \z
     }x.freeze
 
@@ -69,6 +69,9 @@ module Argon2id
     # The salt.
     attr_reader :salt
 
+    # The hash output.
+    attr_reader :output
+
     # Create a new Password object that hashes a given plain text password +pwd+.
     #
     # - +:t_cost+: integer (default 2) the "time cost" given as a number of iterations
@@ -101,8 +104,6 @@ module Argon2id
       )
     end
 
-    # call-seq: Argon2id::Password.new(encoded)
-    #
     # Create a new Password with the given encoded password hash.
     #
     #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
@@ -113,11 +114,12 @@ module Argon2id
 
       @encoded = $&
       @type = $1
-      @version = ($2 || 0x10).to_i
-      @m_cost = $3.to_i
-      @t_cost = $4.to_i
-      @parallelism = $5.to_i
+      @version = Integer($2 || 0x10)
+      @m_cost = Integer($3)
+      @t_cost = Integer($4)
+      @parallelism = Integer($5)
       @salt = $6.unpack1("m")
+      @output = $7.unpack1("m")
     end
 
     # Return the encoded password hash.

data/lib/argon2id/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Argon2id
-  VERSION = "0.3.0"
+  VERSION = "0.4.1"
 end

data/lib/argon2id.rb

@@ -1,10 +1,14 @@
 # frozen_string_literal: true
 
-begin
-  ::RUBY_VERSION =~ /(\d+\.\d+)/
-  require_relative "#{Regexp.last_match(1)}/argon2id.so"
-rescue LoadError
-  require "argon2id.so"
+if RUBY_PLATFORM == "java"
+  require "openssl"
+else
+  begin
+    ::RUBY_VERSION =~ /(\d+\.\d+)/
+    require_relative "#{Regexp.last_match(1)}/argon2id.so"
+  rescue LoadError
+    require "argon2id.so"
+  end
 end
 
 require "argon2id/version"
@@ -48,4 +52,57 @@ module Argon2id
     # The default desired length of the hash in bytes used by Argon2id::Password.create
     attr_accessor :output_len
   end
+
+  if RUBY_PLATFORM == "java"
+    Error = Class.new(StandardError)
+
+    def self.hash_encoded(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+      output = hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+
+      encoder = Java::JavaUtil::Base64.get_encoder.without_padding
+      encoded_salt = encoder.encode_to_string(salt.to_java_bytes)
+      encoded_output = encoder.encode_to_string(output)
+
+      "$argon2id$v=19$m=#{Integer(m_cost)},t=#{Integer(t_cost)}," \
+        "p=#{Integer(parallelism)}$#{encoded_salt}$#{encoded_output}"
+    end
+
+    def self.verify(encoded, pwd)
+      password = Password.new(encoded)
+      other_raw = hash_raw(
+        password.t_cost,
+        password.m_cost,
+        password.parallelism,
+        String(pwd),
+        password.salt,
+        password.output.bytesize
+      )
+
+      Java::OrgBouncycastleUtil::Arrays.constant_time_are_equal(
+        password.output.to_java_bytes,
+        other_raw
+      )
+    end
+
+    def self.hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+      raise Error, "Salt is too short" if String(salt).empty?
+
+      hash = Java::byte[Integer(hashlen)].new
+      params = Java::OrgBouncycastleCryptoParams::Argon2Parameters::Builder
+        .new(Java::OrgBouncycastleCryptoParams::Argon2Parameters::ARGON2_id)
+        .with_salt(String(salt).to_java_bytes)
+        .with_parallelism(Integer(parallelism))
+        .with_memory_as_kb(Integer(m_cost))
+        .with_iterations(Integer(t_cost))
+        .build
+      generator = Java::OrgBouncycastleCryptoGenerators::Argon2BytesGenerator.new
+
+      generator.init(params)
+      generator.generate_bytes(String(pwd).to_java_bytes, hash)
+
+      hash
+    rescue Java::JavaLang::IllegalStateException => e
+      raise Error, e.message
+    end
+  end
 end

data/test/test_hash_encoded.rb

@@ -10,6 +10,12 @@ class TestHashEncoded < Minitest::Test
     assert_equal "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4", encoded
   end
 
+  def test_password_with_parallelism_of_two
+    encoded = Argon2id.hash_encoded(2, 256, 2, "password", "somesalt", 32)
+
+    assert_equal "$argon2id$v=19$m=256,t=2,p=2$c29tZXNhbHQ$bQk8UB/VmZZF4Oo79iDXuL5/0ttZwg2f/5U52iv1cDc", encoded
+  end
+
   def test_valid_password_does_not_include_trailing_null_byte
     encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
 
@@ -17,42 +23,32 @@ class TestHashEncoded < Minitest::Test
   end
 
   def test_raises_with_too_short_output
-    error = assert_raises(Argon2id::Error) do
+    assert_raises(Argon2id::Error) do
       Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 1)
     end
-
-    assert_equal "Output is too short", error.message
   end
 
   def test_raises_with_too_few_lanes
-    error = assert_raises(Argon2id::Error) do
+    assert_raises(Argon2id::Error) do
       Argon2id.hash_encoded(2, 256, 0, "password", "somesalt", 32)
     end
-
-    assert_equal "Too few lanes", error.message
   end
 
   def test_raises_with_too_small_memory_cost
-    error = assert_raises(Argon2id::Error) do
+    assert_raises(Argon2id::Error) do
       Argon2id.hash_encoded(2, 0, 1, "password", "somesalt", 32)
     end
-
-    assert_equal "Memory cost is too small", error.message
   end
 
   def test_raises_with_too_small_time_cost
-    error = assert_raises(Argon2id::Error) do
+    assert_raises(Argon2id::Error) do
       Argon2id.hash_encoded(0, 256, 1, "password", "somesalt", 32)
     end
-
-    assert_equal "Time cost is too small", error.message
   end
 
   def test_raises_with_too_short_salt
-    error = assert_raises(Argon2id::Error) do
-      Argon2id.hash_encoded(0, 256, 1, "password", "", 32)
+    assert_raises(Argon2id::Error) do
+      Argon2id.hash_encoded(2, 256, 1, "password", "", 32)
     end
-
-    assert_equal "Salt is too short", error.message
   end
 end

data/test/test_password.rb

@@ -169,4 +169,10 @@ class TestPassword < Minitest::Test
 
     assert_equal 1, password.parallelism
   end
+
+  def test_extracting_output_from_hash
+    password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
+
+    assert_equal "\x9D\xFE\xB9\x10\xE8\v\xAD\x03\x11\xFE\xE2\x0F\x9C\x0E+\x12\xC1y\x87\xB4\xCA\xC9\f.\xF5M[0!\xC6\x8B\xFE".b, password.output
+  end
 end

data/test/test_verify.rb

@@ -19,7 +19,7 @@ class TestVerify < Minitest::Test
   end
 
   def test_raises_if_given_invalid_encoded
-    assert_raises(Argon2id::Error) do
+    assert_raises(ArgumentError) do
       Argon2id.verify("", "opensesame")
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: argon2id
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.1
 platform: arm64-darwin
 authors:
 - Paul Mucur
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-01 00:00:00.000000000 Z
+date: 2024-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -52,8 +52,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.25'
-description: Ruby bindings to the reference C implementation of Argon2, the password-hashing
-  function that won the 2015 Password Hashing Competition.
+description: Ruby bindings to Argon2, the password-hashing function that won the 2015
+  Password Hashing Competition.
 email: 
 executables: []
 extensions: []