RubyGems - argon2id - Versions diffs - 0.5.0-x64-mingw-ucrt → 0.7.0-x64-mingw-ucrt - Mend

argon2id 0.5.0-x64-mingw-ucrt → 0.7.0-x64-mingw-ucrt

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +20 -0
data/README.md +35 -8
data/Rakefile +11 -16
data/argon2id.gemspec +3 -3
data/ext/argon2id/argon2id.c +13 -24
data/ext/argon2id/extconf.rb +1 -1
data/lib/{3.1 → argon2id/3.1}/argon2id.so +0 -0
data/lib/{3.2 → argon2id/3.2}/argon2id.so +0 -0
data/lib/{3.3 → argon2id/3.3}/argon2id.so +0 -0
data/lib/argon2id/extension.rb +70 -0
data/lib/argon2id/password.rb +9 -2
data/lib/argon2id/version.rb +1 -1
data/lib/argon2id.rb +2 -65
data/test/argon2id/test_password.rb +548 -0
data/test/test_argon2id.rb +66 -0
metadata +8 -8
data/test/test_hash_encoded.rb +0 -54
data/test/test_password.rb +0 -172
data/test/test_verify.rb +0 -35

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 046246d2626875dc6a452e42067e5a5bc46810d36dcd4cbb3b848ede3050475e
-  data.tar.gz: 77859d74535214733394e760c57a24e4f1ef5bb3c56ce08ed43d7d1018c0844f
+  metadata.gz: fe40a011ddccdbc2ebb6856704b5442180f2414b5ee3101a7953715f891ba0f3
+  data.tar.gz: fe8532d266ac9245174d3de13513c70e957cb1c11f5ceab196a269e8338f4031
 SHA512:
-  metadata.gz: 33cdbc4f20b4abbf01c153c8ad23d5b319ec57244a9170dfbc15875a25de62f93dd2c37929fea7800e54fc338f82631ac89e779fb26af3a6acfee5514393e4cd
-  data.tar.gz: 1142a07f1833a94374c766cbf339528adffb021f36d9fce45bbc974e327c61aef867389bc81662ecbdae71fa3769b44fba3fa79d5e16864a2fb5bfd2a3fba3a6
+  metadata.gz: 1554613d298bedebea3eb86a059be6bd3210cbd9c13fccdfc156d7d874ffeecaaf82f5f8c2e515001684557884c8bfa77d28feb43573de51132e0555bf52b705
+  data.tar.gz: e0bf4231265949e306f9486e45e46975c86107655743cc1c1965b17daa6d146a36bc2701f57af6dbb07a1e6787de6920d2123cd19f3e1457c530d93765c32488

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.7.0] - 2024-11-08
+### Fixed
+- Fixed verifying Argon2id encoded hashes without a version number on JRuby
+### Added
+- Added a new `Argon2id::Password.valid_hash?` API for testing if a given
+  encoded hash is a valid Argon2id hash or not (e.g. if you want to check
+  which hashing function was used to store a user's password)
+## [0.6.0] - 2024-11-05
+### Changed
+- Move the internal API to `Argon2id::Password` and make it explicitly private
 ## [0.5.0] - 2024-11-02
 ### Removed
@@ -93,6 +111,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
+[0.7.0]: https://github.com/mudge/argon2id/releases/tag/v0.7.0
+[0.6.0]: https://github.com/mudge/argon2id/releases/tag/v0.6.0
 [0.5.0]: https://github.com/mudge/argon2id/releases/tag/v0.5.0
 [0.4.1]: https://github.com/mudge/argon2id/releases/tag/v0.4.1
 [0.4.0]: https://github.com/mudge/argon2id/releases/tag/v0.4.0

data/README.md CHANGED Viewed

@@ -5,7 +5,7 @@ Ruby bindings to [Argon2][], the password-hashing function that won the 2015
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
-**Current version:** 0.5.0
+**Current version:** 0.7.0
 **Bundled Argon2 version:** libargon2.1 (20190702)
 ```ruby
@@ -26,6 +26,7 @@ password.salt   #=> "e-\xA7\x04U\x81\xA6{v\xF0x\xED\xCC\xD3\x96\xE3"
 * [Usage](#usage)
     * [Hashing passwords](#hashing-passwords)
     * [Verifying passwords](#verifying-passwords)
+    * [Validating encoded hashes](#validating-encoded-hashes)
     * [Errors](#errors)
 * [Requirements](#requirements)
     * [Native gems](#native-gems)
@@ -55,6 +56,8 @@ password.salt   #=> "e-\xA7\x04U\x81\xA6{v\xF0x\xED\xCC\xD3\x96\xE3"
 — [OWASP Password Storage Cheat Sheet][]
+See also [argon2-cffi's "Why 'just use bcrypt' Is Not the Best Answer (Anymore)"](https://argon2-cffi.readthedocs.io/en/23.1.0/argon2.html#why-just-use-bcrypt-is-not-the-best-answer-anymore).
 ## Usage
 Install argon2id as a dependency:
@@ -147,6 +150,18 @@ password.is_password?("opensesame")    #=> true
 password.is_password?("notopensesame") #=> false
 ```
+> [!CAUTION]
+> `Argon2id::Password#==` only works if the plain text password is on the right, e.g. the following behaviour may be surprising:
+>
+> ```ruby
+> password = Argon2id::Password.create("password")
+> password == "password" #=> true
+> "password" == password #=> false
+> password == password   #=> false
+> ```
+>
+> If you want to avoid this ambiguity, prefer the `Argon2id::Password#is_password?` alias instead.
 The various parts of the encoded hash can be retrieved:
 ```ruby
@@ -160,6 +175,18 @@ password.output
 #=> "\x9D\xFE\xB9\x10\xE8\v\xAD\x03\x11\xFE\xE2\x0F\x9C\x0E+\x12\xC1y\x87\xB4\xCA\xC9\f.\xF5M[0!\xC6\x8B\xFE"
 ```
+### Validating encoded hashes
+If you need to check ahead of time whether an encoded password hash is a valid Argon2id hash (e.g. if you're migrating between hashing functions and need to test what kind of password has been stored for a user), you can use `Argon2id::Password.valid_hash?` like so:
+```ruby
+Argon2id::Password.valid_hash?("$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$CTFhFdXPJO1aFaMaO6Mm5c8y7cJHAph8ArZWb2GRPPc")
+#=> true
+Argon2id::Password.valid_hash?("$2a$12$stsRn7Mi9r02.keRyF4OK.Aq4UWOU185lWggfUQfcupAi.b7AI/nS")
+#=> false
+```
 ### Errors
 Any errors returned from Argon2 will be raised as `Argon2id::Error`, e.g.
@@ -201,11 +228,11 @@ notes](https://github.com/mudge/argon2id/releases) for each version and can be
 checked with `sha256sum`, e.g.
 ```console
-$ gem fetch argon2id -v 0.4.1
-Fetching argon2id-0.4.1-arm64-darwin.gem
-Downloaded argon2id-0.4.1-arm64-darwin
-$ sha256sum argon2id-0.4.1-arm64-darwin.gem
-c74c06c2c4ce70d6c3822f05d83bab4ea431dd16ec086c9c856da3c6e0d9bbe9  argon2id-0.4.1-arm64-darwin.gem
+$ gem fetch argon2id -v 0.6.0
+Fetching argon2id-0.6.0-arm64-darwin.gem
+Downloaded argon2id-0.6.0-arm64-darwin
+$ sha256sum argon2id-0.6.0-arm64-darwin.gem
+18f1f04be4b5e7badb4d491762e57874febeeb46c64ce1b0a5e3a75b39b5baeb  argon2id-0.6.0-arm64-darwin.gem
 ```
 [GPG](https://www.gnupg.org/) signatures are attached to each release (the
@@ -215,8 +242,8 @@ from a public keyserver, e.g. `gpg --keyserver keyserver.ubuntu.com --recv-key
 0x39AC3530070E0F75`):
 ```console
-$ gpg --verify argon2id-0.4.1-arm64-darwin.gem.sig argon2id-0.4.1-arm64-darwin.gem
-gpg: Signature made Sat  2 Nov 20:50:54 2024 GMT
+$ gpg --verify argon2id-0.6.0-arm64-darwin.gem.sig argon2id-0.6.0-arm64-darwin.gem
+gpg: Signature made Tue  5 Nov 11:30:47 2024 GMT
 gpg:                using RSA key 702609D9C790F45B577D7BEC39AC3530070E0F75
 gpg: Good signature from "Paul Mucur <mudge@mudge.name>" [unknown]
 gpg:                 aka "Paul Mucur <paul@ghostcassette.com>" [unknown]

data/Rakefile CHANGED Viewed

@@ -20,16 +20,20 @@ ENV["RUBY_CC_VERSION"] = %w[3.3.0 3.2.0 3.1.0 3.0.0 2.7.0 2.6.0].join(":")
 gemspec = Gem::Specification.load("argon2id.gemspec")
-if RUBY_PLATFORM == "java"
-  gemspec.files.reject! { |path| File.fnmatch?("ext/*", path) }
-  gemspec.extensions.clear
-  gemspec.platform = Gem::Platform.new("java")
-  gemspec.required_ruby_version = ">= 3.1.0"
-end
 Gem::PackageTask.new(gemspec).define
+namespace :java do
+  java_gemspec = gemspec.dup
+  java_gemspec.files.reject! { |path| File.fnmatch?("ext/*", path) }
+  java_gemspec.extensions.clear
+  java_gemspec.platform = Gem::Platform.new("java")
+  java_gemspec.required_ruby_version = ">= 3.1.0"
+  Gem::PackageTask.new(java_gemspec).define
+end
 Rake::ExtensionTask.new("argon2id", gemspec) do |e|
+  e.lib_dir = "lib/argon2id"
   e.cross_compile = true
   e.cross_platform = cross_platforms
 end
@@ -57,15 +61,6 @@ namespace :gem do
       SCRIPT
     end
   end
-  desc "Compile gem for JRuby"
-  task :jruby do
-    RakeCompilerDock.sh <<~SCRIPT, rubyvm: "jruby", platform: "jruby", verbose: true
-      gem install bundler --no-document &&
-      bundle &&
-      bundle exec rake gem
-    SCRIPT
-  end
 end
 task default: [:compile, :test]

data/argon2id.gemspec CHANGED Viewed

@@ -45,11 +45,11 @@ Gem::Specification.new do |s|
     "ext/argon2id/libargon2/thread.c",
     "ext/argon2id/libargon2/thread.h",
     "lib/argon2id.rb",
+    "lib/argon2id/extension.rb",
     "lib/argon2id/password.rb",
     "lib/argon2id/version.rb",
-    "test/test_hash_encoded.rb",
-    "test/test_password.rb",
-    "test/test_verify.rb"
+    "test/argon2id/test_password.rb",
+    "test/test_argon2id.rb"
   ]
   s.rdoc_options = ["--main", "README.md"]

data/ext/argon2id/argon2id.c CHANGED Viewed

@@ -5,21 +5,11 @@
 #define UNUSED(x) (void)(x)
-VALUE mArgon2id, cArgon2idError;
-/* call-seq: hash_encoded(t_cost, m_cost, parallelism, pwd, salt, output_len)
- *
- * Hashes a password with Argon2id, producing an encoded hash.
- *
- * - +t_cost+: number of iterations
- * - +m_cost+: sets memory usage to +m_cost+ kibibytes
- * - +parallelism+: number of threads and compute lanes
- * - +pwd+: the password
- * - +salt+: the salt
- * - +output_len+: desired length of the hash in bytes
- */
+VALUE mArgon2id, cArgon2idError, cArgon2idPassword;
+ID id_encoded;
 static VALUE
-rb_argon2id_hash_encoded(VALUE module, VALUE iterations, VALUE memory, VALUE threads, VALUE pwd, VALUE salt, VALUE hashlen)
+rb_argon2id_hash_encoded(VALUE klass, VALUE iterations, VALUE memory, VALUE threads, VALUE pwd, VALUE salt, VALUE hashlen)
 {
   uint32_t t_cost, m_cost, parallelism;
   size_t encodedlen, outlen;
@@ -27,7 +17,7 @@ rb_argon2id_hash_encoded(VALUE module, VALUE iterations, VALUE memory, VALUE thr
   int result;
   VALUE hash;
-  UNUSED(module);
+  UNUSED(klass);
   t_cost = FIX2INT(iterations);
   m_cost = FIX2INT(memory);
@@ -53,16 +43,12 @@ rb_argon2id_hash_encoded(VALUE module, VALUE iterations, VALUE memory, VALUE thr
   return hash;
 }
-/* call-seq: verify(encoded, pwd)
- *
- * Verifies a password against an encoded string.
- */
 static VALUE
-rb_argon2id_verify(VALUE module, VALUE encoded, VALUE pwd) {
+rb_argon2id_verify(VALUE self, VALUE pwd) {
   int result;
+  VALUE encoded;
-  UNUSED(module);
+  encoded = rb_ivar_get(self, id_encoded);
   result = argon2id_verify(StringValueCStr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
   if (result == ARGON2_OK) {
     return Qtrue;
@@ -80,8 +66,11 @@ rb_argon2id_verify(VALUE module, VALUE encoded, VALUE pwd) {
 void
 Init_argon2id(void)
 {
+  id_encoded = rb_intern("@encoded");
   mArgon2id = rb_define_module("Argon2id");
   cArgon2idError = rb_define_class_under(mArgon2id, "Error", rb_eStandardError);
-  rb_define_singleton_method(mArgon2id, "hash_encoded", rb_argon2id_hash_encoded, 6);
-  rb_define_singleton_method(mArgon2id, "verify", rb_argon2id_verify, 2);
+  cArgon2idPassword = rb_define_class_under(mArgon2id, "Password", rb_cObject);
+  rb_define_private_method(rb_singleton_class(cArgon2idPassword), "hash_encoded", rb_argon2id_hash_encoded, 6);
+  rb_define_private_method(cArgon2idPassword, "verify", rb_argon2id_verify, 1);
 }

data/ext/argon2id/extconf.rb CHANGED Viewed

@@ -14,4 +14,4 @@ $CPPFLAGS << " " << "-I$(srcdir)/libargon2"
 have_header("stdint.h")
 have_header("argon2.h")
-create_makefile "argon2id"
+create_makefile "argon2id/argon2id"

data/lib/{3.1 → argon2id/3.1}/argon2id.so RENAMED Viewed

Binary file

data/lib/{3.2 → argon2id/3.2}/argon2id.so RENAMED Viewed

Binary file

data/lib/{3.3 → argon2id/3.3}/argon2id.so RENAMED Viewed

Binary file

data/lib/argon2id/extension.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+if RUBY_PLATFORM == "java"
+  require "java"
+  require "openssl"
+  module Argon2id
+    Error = Class.new(StandardError)
+    class Password
+      def self.hash_encoded(t_cost, m_cost, parallelism, pwd, salt, hashlen)
+        raise Error, "Salt is too short" if salt.empty?
+        salt_bytes = salt.to_java_bytes
+        output = Java::byte[hashlen].new
+        params = Java::OrgBouncycastleCryptoParams::Argon2Parameters::Builder
+          .new(Java::OrgBouncycastleCryptoParams::Argon2Parameters::ARGON2_id)
+          .with_salt(salt_bytes)
+          .with_parallelism(parallelism)
+          .with_memory_as_kb(m_cost)
+          .with_iterations(t_cost)
+          .build
+        generator = Java::OrgBouncycastleCryptoGenerators::Argon2BytesGenerator.new
+        generator.init(params)
+        generator.generate_bytes(pwd.to_java_bytes, output)
+        encoder = Java::JavaUtil::Base64.get_encoder.without_padding
+        encoded_salt = encoder.encode_to_string(salt_bytes)
+        encoded_output = encoder.encode_to_string(output)
+        "$argon2id$v=19$m=#{m_cost},t=#{t_cost},p=#{parallelism}" \
+          "$#{encoded_salt}$#{encoded_output}"
+      rescue Java::JavaLang::IllegalStateException => e
+        raise Error, e.message
+      end
+      private_class_method :hash_encoded
+      private
+      def verify(pwd)
+        other_output = Java::byte[output.bytesize].new
+        params = Java::OrgBouncycastleCryptoParams::Argon2Parameters::Builder
+          .new(Java::OrgBouncycastleCryptoParams::Argon2Parameters::ARGON2_id)
+          .with_salt(salt.to_java_bytes)
+          .with_parallelism(parallelism)
+          .with_memory_as_kb(m_cost)
+          .with_iterations(t_cost)
+          .with_version(version)
+          .build
+        generator = Java::OrgBouncycastleCryptoGenerators::Argon2BytesGenerator.new
+        generator.init(params)
+        generator.generate_bytes(pwd.to_java_bytes, other_output)
+        Java::OrgBouncycastleUtil::Arrays.constant_time_are_equal?(
+          output.to_java_bytes,
+          other_output
+        )
+      end
+    end
+  end
+else
+  begin
+    ::RUBY_VERSION =~ /(\d+\.\d+)/
+    require_relative "#{Regexp.last_match(1)}/argon2id"
+  rescue LoadError
+    require "argon2id/argon2id"
+  end
+end

data/lib/argon2id/password.rb CHANGED Viewed

@@ -89,7 +89,7 @@ module Argon2id
     #   #=> "$argon2id$v=19$m=12288,t=3,p=1$JigW7fFn+N3NImt+aWpuzw$eM5F1cKeIBALNTU6LuWra75Zi2nymGvQLWzJzVFv0Nc"
     def self.create(pwd, t_cost: Argon2id.t_cost, m_cost: Argon2id.m_cost, parallelism: Argon2id.parallelism, salt_len: Argon2id.salt_len, output_len: Argon2id.output_len)
       new(
-        Argon2id.hash_encoded(
+        hash_encoded(
           Integer(t_cost),
           Integer(m_cost),
           Integer(parallelism),
@@ -100,6 +100,13 @@ module Argon2id
       )
     end
+    # Check an encoded hash is a valid Argon2id hash.
+    #
+    # Returns true if so and false if not.
+    def self.valid_hash?(encoded)
+      PATTERN.match?(String(encoded))
+    end
     # Create a new Password with the given encoded password hash.
     #
     #   password = Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$FI8yp1gXbthJCskBlpKPoQ$nOfCCpS2r+I8GRN71cZND4cskn7YKBNzuHUEO3YpY2s")
@@ -127,7 +134,7 @@ module Argon2id
     #   password == "password"    #=> true
     #   password == "notpassword" #=> false
     def ==(other)
-      Argon2id.verify(encoded, String(other))
+      verify(String(other))
     end
     alias_method :is_password?, :==

data/lib/argon2id/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Argon2id
-  VERSION = "0.5.0"
+  VERSION = "0.7.0"
 end

data/lib/argon2id.rb CHANGED Viewed

@@ -1,18 +1,8 @@
 # frozen_string_literal: true
-if RUBY_PLATFORM == "java"
-  require "openssl"
-else
-  begin
-    ::RUBY_VERSION =~ /(\d+\.\d+)/
-    require_relative "#{Regexp.last_match(1)}/argon2id.so"
-  rescue LoadError
-    require "argon2id.so"
-  end
-end
-require "argon2id/version"
+require "argon2id/extension"
 require "argon2id/password"
+require "argon2id/version"
 module Argon2id
   # The default "time cost" of 2 iterations recommended by OWASP.
@@ -52,57 +42,4 @@ module Argon2id
     # The default desired length of the hash in bytes used by Argon2id::Password.create
     attr_accessor :output_len
   end
-  if RUBY_PLATFORM == "java"
-    Error = Class.new(StandardError)
-    def self.hash_encoded(t_cost, m_cost, parallelism, pwd, salt, hashlen)
-      output = hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
-      encoder = Java::JavaUtil::Base64.get_encoder.without_padding
-      encoded_salt = encoder.encode_to_string(salt.to_java_bytes)
-      encoded_output = encoder.encode_to_string(output)
-      "$argon2id$v=19$m=#{Integer(m_cost)},t=#{Integer(t_cost)}," \
-        "p=#{Integer(parallelism)}$#{encoded_salt}$#{encoded_output}"
-    end
-    def self.verify(encoded, pwd)
-      password = Password.new(encoded)
-      other_raw = hash_raw(
-        password.t_cost,
-        password.m_cost,
-        password.parallelism,
-        String(pwd),
-        password.salt,
-        password.output.bytesize
-      )
-      Java::OrgBouncycastleUtil::Arrays.constant_time_are_equal(
-        password.output.to_java_bytes,
-        other_raw
-      )
-    end
-    def self.hash_raw(t_cost, m_cost, parallelism, pwd, salt, hashlen)
-      raise Error, "Salt is too short" if String(salt).empty?
-      hash = Java::byte[Integer(hashlen)].new
-      params = Java::OrgBouncycastleCryptoParams::Argon2Parameters::Builder
-        .new(Java::OrgBouncycastleCryptoParams::Argon2Parameters::ARGON2_id)
-        .with_salt(String(salt).to_java_bytes)
-        .with_parallelism(Integer(parallelism))
-        .with_memory_as_kb(Integer(m_cost))
-        .with_iterations(Integer(t_cost))
-        .build
-      generator = Java::OrgBouncycastleCryptoGenerators::Argon2BytesGenerator.new
-      generator.init(params)
-      generator.generate_bytes(String(pwd).to_java_bytes, hash)
-      hash
-    rescue Java::JavaLang::IllegalStateException => e
-      raise Error, e.message
-    end
-  end
 end