argon2id 0.4.0-arm64-darwin → 0.5.0-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff80a971db070d5f58f7799826a4bac02c0579e86e9810098fb5ba8284315d95
-  data.tar.gz: 589afb61a446a7b96a4b5bc2f2566ffac49d9dcb437230b325018542d9d94a7a
+  metadata.gz: dd8fb6e7a98af48e2a557b6fc59ca84cc0ace08cb4b37284a8fef84ec17536a3
+  data.tar.gz: a5b6e47350cd443ac0c45eb1af1813e8f8b2034cf8af8e29de58bf8fc1719c2c
 SHA512:
-  metadata.gz: 8106266fff6b2be5f6729d3ce98dabc235369f90f3c0136935b267edf53d00dfa8cd2a1cf604f8d81414fb91bf41af897e0730f9cd165e8165c37c6ae72cded6
-  data.tar.gz: 03e3f8fd7a8c0b7d0713941d90dba120f1aa37869d9a83fc22a0ab253f8dc14944921c43afe38b5b632084e1b89b099b04e5381857fd7a904e1cfb1e07d49607
+  metadata.gz: 0c773a4b232c172bf7e2c7a9ae165d43df0de90196ffd9060cb10c060c1f5e74957bf6624e67851b1273e4f913e980c2f91ea43965ade17ccc279ad1c19e79c7
+  data.tar.gz: 72a120dd8c2a34ee86898cc78b8538bc1a15e44921bfdb543c1ff0e92d7e8f448048276084d5a51518539702de7a9d7ae5dda11da7cfd68da28d463fb2ece840

data/CHANGELOG.md

@@ -5,12 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.0] - 2024-11-02
+
+### Removed
+
+- No longer expose the `type` of an encoded hash as it must always be an
+  Argon2id hash
+
+## [0.4.1] - 2024-11-02
+
+### Changed
+
+- Refactor verification on JRuby to avoid parsing encoded hashes unnecessarily
+- No longer describe the gem in terms of bindings to the reference C
+  implementation given the Bouncy Castle-based JRuby implementation
+- Only wrap `IllegalStateException` with `Argon2id::Error` on JRuby
+
 ## [0.4.0] - 2024-11-02
 
 ### Added
 
 - Added support for JRuby 9.4 by adding an implementation of Argon2id hashing
-  and verification using JRuby-OpenSSL's Bouncy Castle internals.
+  and verification using JRuby-OpenSSL's Bouncy Castle internals
 - Added `output` to `Argon2id::Password` instances so the actual "output" part
   of a password hash can be retrieved (and compared)
 
@@ -77,6 +93,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
 
+[0.5.0]: https://github.com/mudge/argon2id/releases/tag/v0.5.0
+[0.4.1]: https://github.com/mudge/argon2id/releases/tag/v0.4.1
 [0.4.0]: https://github.com/mudge/argon2id/releases/tag/v0.4.0
 [0.3.0]: https://github.com/mudge/argon2id/releases/tag/v0.3.0
 [0.2.1]: https://github.com/mudge/argon2id/releases/tag/v0.2.1

data/README.md

@@ -1,11 +1,11 @@
 # Argon2id - Ruby bindings to the OWASP recommended password-hashing function
 
-Ruby bindings to the reference C implementation of [Argon2][], the password-hashing
-function that won the 2015 [Password Hashing Competition][].
+Ruby bindings to [Argon2][], the password-hashing function that won the 2015
+[Password Hashing Competition][].
 
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
 
-**Current version:** 0.4.0  
+**Current version:** 0.5.0  
 **Bundled Argon2 version:** libargon2.1 (20190702)
 
 ```ruby
@@ -127,7 +127,7 @@ password == "opensesame"    #=> true
 password == "notopensesame" #=> false
 ```
 
-Or, if you only have the hash (e.g. retrieved from storage):
+Or, if you only have the encoded hash (e.g. retrieved from storage):
 
 ```ruby
 password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU")
@@ -135,6 +135,10 @@ password == "opensesame"    #=> true
 password == "notopensesame" #=> false
 ```
 
+> [!WARNING]
+> `Argon2id::Password.new` does not support hashes generated from other Argon2
+> variants such as Argon2i and Argon2d.
+
 For compatibility with [bcrypt-ruby][], `Argon2id::Password#==` is aliased to `Argon2id::Password.is_password?`:
 
 ```ruby
@@ -143,11 +147,10 @@ password.is_password?("opensesame")    #=> true
 password.is_password?("notopensesame") #=> false
 ```
 
-The various parts of the encoded password can be retrieved:
+The various parts of the encoded hash can be retrieved:
 
 ```ruby
 password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
-password.type        #=> "argon2id"
 password.version     #=> 19
 password.m_cost      #=> 256
 password.t_cost      #=> 2
@@ -177,7 +180,7 @@ This gem requires any of the following to run:
 > [!NOTE]
 > The JRuby version of the gem uses
 > [JRuby-OpenSSL](https://github.com/jruby/jruby-openssl)'s implementation of
-> Argon2 instead of the reference C implementation.
+> Argon2 while the others use the reference C implementation.
 
 ### Native gems
 
@@ -198,11 +201,11 @@ notes](https://github.com/mudge/argon2id/releases) for each version and can be
 checked with `sha256sum`, e.g.
 
 ```console
-$ gem fetch argon2id -v 0.3.0
-Fetching argon2id-0.3.0-arm64-darwin.gem
-Downloaded argon2id-0.3.0-arm64-darwin
-$ sha256sum argon2id-0.3.0-arm64-darwin.gem
-9d49de6840942b48d020dddd422a1577fde7289ccb08a637bdb29f4a09b4e181  argon2id-0.3.0-arm64-darwin.gem
+$ gem fetch argon2id -v 0.4.1
+Fetching argon2id-0.4.1-arm64-darwin.gem
+Downloaded argon2id-0.4.1-arm64-darwin
+$ sha256sum argon2id-0.4.1-arm64-darwin.gem
+c74c06c2c4ce70d6c3822f05d83bab4ea431dd16ec086c9c856da3c6e0d9bbe9  argon2id-0.4.1-arm64-darwin.gem
 ```
 
 [GPG](https://www.gnupg.org/) signatures are attached to each release (the
@@ -212,8 +215,8 @@ from a public keyserver, e.g. `gpg --keyserver keyserver.ubuntu.com --recv-key
 0x39AC3530070E0F75`):
 
 ```console
-$ gpg --verify argon2id-0.3.0-arm64-darwin.gem.sig argon2id-0.3.0-arm64-darwin.gem
-gpg: Signature made Fri  1 Nov 18:15:47 2024 GMT
+$ gpg --verify argon2id-0.4.1-arm64-darwin.gem.sig argon2id-0.4.1-arm64-darwin.gem
+gpg: Signature made Sat  2 Nov 20:50:54 2024 GMT
 gpg:                using RSA key 702609D9C790F45B577D7BEC39AC3530070E0F75
 gpg: Good signature from "Paul Mucur <mudge@mudge.name>" [unknown]
 gpg:                 aka "Paul Mucur <paul@ghostcassette.com>" [unknown]

data/argon2id.gemspec

@@ -6,7 +6,7 @@ Gem::Specification.new do |s|
   s.name = "argon2id"
   s.version = Argon2id::VERSION
   s.summary = "Ruby bindings to Argon2"
-  s.description = "Ruby bindings to the reference C implementation of Argon2, the password-hashing function that won the 2015 Password Hashing Competition."
+  s.description = "Ruby bindings to Argon2, the password-hashing function that won the 2015 Password Hashing Competition."
   s.license = "BSD-3-Clause"
   s.authors = ["Paul Mucur"]
   s.homepage = "https://github.com/mudge/argon2id"

data/lib/argon2id/password.rb

@@ -25,7 +25,6 @@ module Argon2id
   #
   # You can read various parameters out of a password hash:
   #
-  #   password.type        #=> "argon2id"
   #   password.version     #=> 19
   #   password.m_cost      #=> 19456
   #   password.t_cost      #=> 2
@@ -36,7 +35,7 @@ module Argon2id
     PATTERN = %r{
       \A
       \$
-      (argon2(?:id|i|d))
+      argon2id
       (?:\$v=(\d+))?
       \$m=(\d+)
       ,t=(\d+)
@@ -51,9 +50,6 @@ module Argon2id
     # The encoded password hash.
     attr_reader :encoded
 
-    # The type of the hashing function.
-    attr_reader :type
-
     # The version number of the hashing function.
     attr_reader :version
 
@@ -113,13 +109,12 @@ module Argon2id
       raise ArgumentError, "invalid hash" unless PATTERN =~ String(encoded)
 
       @encoded = $&
-      @type = $1
-      @version = Integer($2 || 0x10)
-      @m_cost = Integer($3)
-      @t_cost = Integer($4)
-      @parallelism = Integer($5)
-      @salt = $6.unpack1("m")
-      @output = $7.unpack1("m")
+      @version = Integer($1 || 0x10)
+      @m_cost = Integer($2)
+      @t_cost = Integer($3)
+      @parallelism = Integer($4)
+      @salt = $5.unpack1("m")
+      @output = $6.unpack1("m")
     end
 
     # Return the encoded password hash.

data/lib/argon2id/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Argon2id
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/argon2id.rb

@@ -57,7 +57,35 @@ module Argon2id
     Error = Class.new(StandardError)
 
     def self.hash_encoded(t_cost, m_cost, parallelism, pwd, salt, hashlen)
-      raise Error, "Salt is too short" unless String(salt).bytesize.positive?
+      output = hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+
+      encoder = Java::JavaUtil::Base64.get_encoder.without_padding
+      encoded_salt = encoder.encode_to_string(salt.to_java_bytes)
+      encoded_output = encoder.encode_to_string(output)
+
+      "$argon2id$v=19$m=#{Integer(m_cost)},t=#{Integer(t_cost)}," \
+        "p=#{Integer(parallelism)}$#{encoded_salt}$#{encoded_output}"
+    end
+
+    def self.verify(encoded, pwd)
+      password = Password.new(encoded)
+      other_raw = hash_raw(
+        password.t_cost,
+        password.m_cost,
+        password.parallelism,
+        String(pwd),
+        password.salt,
+        password.output.bytesize
+      )
+
+      Java::OrgBouncycastleUtil::Arrays.constant_time_are_equal(
+        password.output.to_java_bytes,
+        other_raw
+      )
+    end
+
+    def self.hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+      raise Error, "Salt is too short" if String(salt).empty?
 
       hash = Java::byte[Integer(hashlen)].new
       params = Java::OrgBouncycastleCryptoParams::Argon2Parameters::Builder
@@ -68,38 +96,13 @@ module Argon2id
         .with_iterations(Integer(t_cost))
         .build
       generator = Java::OrgBouncycastleCryptoGenerators::Argon2BytesGenerator.new
-      encoder = Java::JavaUtil::Base64.get_encoder.without_padding
 
       generator.init(params)
       generator.generate_bytes(String(pwd).to_java_bytes, hash)
 
-      encoded_salt = encoder.encode_to_string(params.get_salt)
-      encoded_output = encoder.encode_to_string(hash)
-
-      "$argon2id$v=#{params.get_version}$m=#{params.get_memory}," \
-        "t=#{params.get_iterations},p=#{params.get_lanes}" \
-        "$#{encoded_salt}$#{encoded_output}"
-    rescue => e
+      hash
+    rescue Java::JavaLang::IllegalStateException => e
       raise Error, e.message
     end
-
-    def self.verify(encoded, pwd)
-      password = Password.new(encoded)
-      other_password = Password.new(
-        hash_encoded(
-          password.t_cost,
-          password.m_cost,
-          password.parallelism,
-          String(pwd),
-          password.salt,
-          password.output.bytesize
-        )
-      )
-
-      Java::OrgBouncycastleUtil::Arrays.constant_time_are_equal(
-        password.output.to_java_bytes,
-        other_password.output.to_java_bytes
-      )
-    end
   end
 end

data/test/test_hash_encoded.rb

@@ -10,6 +10,12 @@ class TestHashEncoded < Minitest::Test
     assert_equal "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4", encoded
   end
 
+  def test_password_with_parallelism_of_two
+    encoded = Argon2id.hash_encoded(2, 256, 2, "password", "somesalt", 32)
+
+    assert_equal "$argon2id$v=19$m=256,t=2,p=2$c29tZXNhbHQ$bQk8UB/VmZZF4Oo79iDXuL5/0ttZwg2f/5U52iv1cDc", encoded
+  end
+
   def test_valid_password_does_not_include_trailing_null_byte
     encoded = Argon2id.hash_encoded(2, 256, 1, "password", "somesalt", 32)
 

data/test/test_password.rb

@@ -98,6 +98,12 @@ class TestPassword < Minitest::Test
     end
   end
 
+  def test_raises_for_non_argon2id_hashes
+    assert_raises(ArgumentError) do
+      Argon2id::Password.new("$argon2i$v=19$m=256,t=2,p=1$c29tZXNhbHQ$iekCn0Y3spW+sCcFanM2xBT63UP2sghkUoHLIUpWRS8")
+    end
+  end
+
   def test_salt_supports_versionless_hashes
     password = Argon2id::Password.new("$argon2id$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
 
@@ -110,18 +116,6 @@ class TestPassword < Minitest::Test
     assert Argon2id::Password.new(password) == "password"
   end
 
-  def test_extracting_type_from_hash
-    password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
-
-    assert_equal "argon2id", password.type
-  end
-
-  def test_extracting_type_from_argoni_hash
-    password = Argon2id::Password.new("$argon2i$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
-
-    assert_equal "argon2i", password.type
-  end
-
   def test_extracting_version_from_hash
     password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
 
@@ -169,4 +163,10 @@ class TestPassword < Minitest::Test
 
     assert_equal 1, password.parallelism
   end
+
+  def test_extracting_output_from_hash
+    password = Argon2id::Password.new("$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4")
+
+    assert_equal "\x9D\xFE\xB9\x10\xE8\v\xAD\x03\x11\xFE\xE2\x0F\x9C\x0E+\x12\xC1y\x87\xB4\xCA\xC9\f.\xF5M[0!\xC6\x8B\xFE".b, password.output
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: argon2id
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: arm64-darwin
 authors:
 - Paul Mucur
@@ -52,8 +52,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.25'
-description: Ruby bindings to the reference C implementation of Argon2, the password-hashing
-  function that won the 2015 Password Hashing Competition.
+description: Ruby bindings to Argon2, the password-hashing function that won the 2015
+  Password Hashing Competition.
 email: 
 executables: []
 extensions: []