argon2id 0.8.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5cc09675c06311083113abdaf6682c6096b7a0c465f803a95e14005421f43ccf
-  data.tar.gz: cd357c083ca7c2d2b21b92ab23098532342284b578b957ad56b05c97eb9cfe77
+  metadata.gz: e0c1f14a040ebdc7471675955d1e5c724cbed8cba788fd6114531dc72a27a326
+  data.tar.gz: 7d11467702a3302cc0f52f9788ab09067e7e06887d11626d06d373356b0f2854
 SHA512:
-  metadata.gz: 52edf8f69ef92b3eff033c256c406ae6f7e89b8195669329d8517a851a9bdf56f8d518f37eb87bdbf35eb750cf7963b059d0c5533283d4a66173b0203a1761ba
-  data.tar.gz: d5c7b643c790197a06386cbf0920f96eeeed6653de46bc676ed286356d8a3fdc77daa2f5acead7db77db50458d178b6a5c5a6acc29831db01617d2ddc7bfe7ae
+  metadata.gz: 185378fff2e71104dcd6b6a338286bb6e3636164c1acf7f273e7cfc03128e148d138d4a610dc6ae22c25ccf90e848e0801be229846e86367097eabce07def840
+  data.tar.gz: 0cf1f354e2194e27c781aadc9d3cb9903ed0dd86062af51e8b85778305b0a569e976e6589fcdb17783c32c88cd345f474ddc86e5c165004aadf889d51a5f4f4b

data/CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.10.0] - 2026-04-06
+
+### Changed
+
+- Hashing and verifying passwords no longer holds the Ruby Global VM Lock
+  during the intentionally expensive computation of the Argon2id hash, allowing
+  other threads to do work at the same time.
+- Argon2id::Password objects, their encoded password hash, salt, and hash
+  output strings are now all frozen to prevent mutation. Inputs are also now
+  frozen ASAP during hashing and verification to prevent mutation before
+  passing to the internal C/Java implementation of Argon2.
+- The extension is now flagged as safe to use with Ractors.
+
+## [0.9.0] - 2025-12-30
+
+### Added
+- Add support for Ruby 4.0 in precompiled, native gems.
+
+### Removed
+- Remove support and native gems for Ruby 2.6, 2.7, and 3.0.
+- Remove native gems for 32-bit platforms, specifically x86-linux-gnu,
+  x86-linux-musl, and x86-mingw32
+
 ## [0.8.0] - 2024-12-29
 
 ### Added
@@ -141,6 +164,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   reference C implementation of Argon2, the password-hashing function that won
   the Password Hashing Competition.
 
+[0.10.0]: https://github.com/mudge/argon2id/releases/tag/v0.10.0
+[0.9.0]: https://github.com/mudge/argon2id/releases/tag/v0.9.0
 [0.8.0]: https://github.com/mudge/argon2id/releases/tag/v0.8.0
 [0.8.0.rc1]: https://github.com/mudge/argon2id/releases/tag/v0.8.0.rc1
 [0.7.0]: https://github.com/mudge/argon2id/releases/tag/v0.7.0

data/README.md

@@ -5,7 +5,7 @@ Ruby bindings to [Argon2][], the password-hashing function that won the 2015
 
 [![Build Status](https://github.com/mudge/argon2id/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/mudge/argon2id/actions)
 
-**Current version:** 0.8.0  
+**Current version:** 0.10.0  
 **Bundled Argon2 version:** libargon2.1 (20190702)
 
 ```ruby
@@ -257,8 +257,8 @@ User.find_by(name: "alice")&.authenticate("password") #=> user
 
 This gem requires any of the following to run:
 
-* [Ruby](https://www.ruby-lang.org/en/) 2.6 to 3.4
-* [JRuby](https://www.jruby.org) 9.4
+* [Ruby](https://www.ruby-lang.org/en/) 3.1 to 4.0
+* [JRuby](https://www.jruby.org) 9.4 to 10.0
 * [TruffleRuby](https://www.graalvm.org/ruby/) 24.1
 
 > [!NOTE]
@@ -271,10 +271,10 @@ This gem requires any of the following to run:
 Where possible, a pre-compiled native gem will be provided for the following platforms:
 
 * Linux
-    * `aarch64-linux`, `arm-linux`, `x86-linux`, `x86_64-linux` (requires [glibc](https://www.gnu.org/software/libc/) 2.29+, RubyGems 3.3.22+ and Bundler 2.3.21+)
+    * `aarch64-linux`, `arm-linux`, `x86_64-linux` (requires [glibc](https://www.gnu.org/software/libc/) 2.29+, RubyGems 3.3.22+ and Bundler 2.3.21+)
     * [musl](https://musl.libc.org/)-based systems such as [Alpine](https://alpinelinux.org) are supported with Bundler 2.5.6+
 * macOS `x86_64-darwin` and `arm64-darwin`
-* Windows `x64-mingw32` and `x64-mingw-ucrt`
+* Windows 2022+ `x64-mingw-ucrt`
 * Java: any platform running JRuby 9.4 or higher
 
 ### Verifying the gems

data/Rakefile

@@ -11,16 +11,12 @@ cross_platforms = %w[
   arm-linux-musl
   arm64-darwin
   x64-mingw-ucrt
-  x64-mingw32
-  x86-linux-gnu
-  x86-linux-musl
-  x86-mingw32
   x86_64-darwin
   x86_64-linux-gnu
   x86_64-linux-musl
 ].freeze
 
-ENV["RUBY_CC_VERSION"] = %w[3.4.0 3.3.5 3.2.0 3.1.0 3.0.0 2.7.0 2.6.0].join(":")
+RakeCompilerDock.set_ruby_cc_version("~> 3.1", "~> 4.0")
 
 gemspec = Gem::Specification.load("argon2id.gemspec")
 
@@ -31,7 +27,6 @@ namespace :java do
   java_gemspec.files.reject! { |path| File.fnmatch?("ext/*", path) }
   java_gemspec.extensions.clear
   java_gemspec.platform = Gem::Platform.new("java")
-  java_gemspec.required_ruby_version = ">= 3.1.0"
 
   Gem::PackageTask.new(java_gemspec).define
 end
@@ -60,7 +55,7 @@ namespace :gem do
     task platform do
       RakeCompilerDock.sh <<~SCRIPT, platform: platform, verbose: true
         gem install bundler --no-document &&
-        bundle &&
+        bundle install &&
         bundle exec rake native:#{platform} pkg/#{gemspec.full_name}-#{Gem::Platform.new(platform)}.gem PATH="/usr/local/bin:$PATH"
       SCRIPT
     end

data/argon2id.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
     "source_code_uri" => "https://github.com/mudge/argon2id",
     "rubygems_mfa_required" => "true"
   }
-  s.required_ruby_version = ">= 2.6.0"
+  s.required_ruby_version = ">= 3.1.0"
   s.extensions = ["ext/argon2id/extconf.rb"]
   s.files = [
     "CHANGELOG.md",
@@ -53,7 +53,7 @@ Gem::Specification.new do |s|
   ]
   s.rdoc_options = ["--main", "README.md"]
 
-  s.add_development_dependency("rake-compiler", "~> 1.2")
-  s.add_development_dependency("rake-compiler-dock", "~> 1.7")
+  s.add_development_dependency("rake-compiler", "~> 1.3")
+  s.add_development_dependency("rake-compiler-dock", "~> 1.11")
   s.add_development_dependency("minitest", "~> 5.25")
 end

data/ext/argon2id/argon2id.c

@@ -1,4 +1,5 @@
 #include <ruby.h>
+#include <ruby/thread.h>
 #include <stdint.h>
 
 #include "argon2.h"
@@ -8,64 +9,176 @@
 VALUE mArgon2id, cArgon2idError, cArgon2idPassword;
 ID id_encoded;
 
+struct hash_encoded_args {
+  uint32_t t_cost;
+  uint32_t m_cost;
+  uint32_t parallelism;
+  const char *pwd;
+  size_t pwdlen;
+  const char *salt;
+  size_t saltlen;
+  uint32_t outlen;
+  char *encoded;
+  size_t encodedlen;
+  int result;
+};
+
+static void *
+nogvl_hash_encoded(void *data)
+{
+  struct hash_encoded_args *args = data;
+  args->result = argon2id_hash_encoded(args->t_cost, args->m_cost,
+    args->parallelism, args->pwd, args->pwdlen, args->salt, args->saltlen,
+    args->outlen, args->encoded, args->encodedlen);
+
+  return NULL;
+}
+
+struct verify_args {
+  const char *encoded;
+  const char *pwd;
+  size_t pwdlen;
+  int result;
+};
+
+static void *
+nogvl_verify(void *data)
+{
+  struct verify_args *args = data;
+  args->result = argon2id_verify(args->encoded, args->pwd, args->pwdlen);
+
+  return NULL;
+}
+
+struct hash_encoded_data {
+  char *encoded;
+  VALUE pwd;
+  VALUE salt;
+  struct hash_encoded_args args;
+};
+
+static VALUE
+hash_encoded_body(VALUE arg)
+{
+  struct hash_encoded_data *data = (struct hash_encoded_data *)arg;
+
+  rb_thread_call_without_gvl(nogvl_hash_encoded, &data->args, NULL, NULL);
+
+  if (data->args.result != ARGON2_OK) {
+    rb_raise(cArgon2idError, "%s", argon2_error_message(data->args.result));
+  }
+
+  return rb_str_new_cstr(data->encoded);
+}
+
+static VALUE
+hash_encoded_finalize(VALUE arg)
+{
+  struct hash_encoded_data *data = (struct hash_encoded_data *)arg;
+
+  RB_GC_GUARD(data->pwd);
+  RB_GC_GUARD(data->salt);
+  free(data->encoded);
+
+  return Qnil;
+}
+
 static VALUE
 rb_argon2id_hash_encoded(VALUE klass, VALUE iterations, VALUE memory, VALUE threads, VALUE pwd, VALUE salt, VALUE hashlen)
 {
-  uint32_t t_cost, m_cost, parallelism;
-  size_t encodedlen, outlen;
-  char * encoded;
-  int result;
-  VALUE hash;
+  uint32_t t_cost, m_cost, parallelism, outlen;
+  size_t encodedlen;
+  long saltlen;
+  struct hash_encoded_data data;
 
   UNUSED(klass);
 
-  t_cost = FIX2INT(iterations);
-  m_cost = FIX2INT(memory);
-  parallelism = FIX2INT(threads);
-  outlen = FIX2INT(hashlen);
+  /* Coerce pwd and salt to strings, then freeze to protect against mutation. */
+  StringValue(pwd);
+  pwd = rb_str_new_frozen(pwd);
+  StringValue(salt);
+  salt = rb_str_new_frozen(salt);
 
-  encodedlen = argon2_encodedlen(t_cost, m_cost, parallelism, (uint32_t)RSTRING_LEN(salt), (uint32_t)outlen, Argon2_id);
-  encoded = malloc(encodedlen);
-  if (!encoded) {
-    rb_raise(rb_eNoMemError, "not enough memory to allocate for encoded password");
-  }
+  t_cost = NUM2UINT(iterations);
+  m_cost = NUM2UINT(memory);
+  parallelism = NUM2UINT(threads);
+  outlen = NUM2UINT(hashlen);
 
-  result = argon2id_hash_encoded(t_cost, m_cost, parallelism, StringValuePtr(pwd), RSTRING_LEN(pwd), StringValuePtr(salt), RSTRING_LEN(salt), outlen, encoded, encodedlen);
+  if (RSTRING_LEN(pwd) > UINT32_MAX) {
+    rb_raise(rb_eRangeError, "password too long");
+  }
 
-  if (result != ARGON2_OK) {
-    free(encoded);
-    rb_raise(cArgon2idError, "%s", argon2_error_message(result));
+  saltlen = RSTRING_LEN(salt);
+  if (saltlen > UINT32_MAX) {
+    rb_raise(rb_eRangeError, "salt too long");
   }
 
-  hash = rb_str_new_cstr(encoded);
-  free(encoded);
+  encodedlen = argon2_encodedlen(t_cost, m_cost, parallelism, (uint32_t)saltlen, outlen, Argon2_id);
+  data.encoded = malloc(encodedlen);
+  if (!data.encoded) {
+    rb_raise(rb_eNoMemError, "not enough memory to allocate for encoded password");
+  }
 
-  return hash;
+  data.pwd = pwd;
+  data.salt = salt;
+  data.args.result = ARGON2_MISSING_ARGS;
+  data.args.t_cost = t_cost;
+  data.args.m_cost = m_cost;
+  data.args.parallelism = parallelism;
+  data.args.pwd = RSTRING_PTR(pwd);
+  data.args.pwdlen = RSTRING_LEN(pwd);
+  data.args.salt = RSTRING_PTR(salt);
+  data.args.saltlen = RSTRING_LEN(salt);
+  data.args.outlen = outlen;
+  data.args.encoded = data.encoded;
+  data.args.encodedlen = encodedlen;
+
+  return rb_ensure(hash_encoded_body, (VALUE)&data, hash_encoded_finalize, (VALUE)&data);
 }
 
 static VALUE
 rb_argon2id_verify(VALUE self, VALUE pwd) {
-  int result;
   VALUE encoded;
+  struct verify_args args;
 
   encoded = rb_ivar_get(self, id_encoded);
-  result = argon2id_verify(StringValueCStr(encoded), StringValuePtr(pwd), RSTRING_LEN(pwd));
-  if (result == ARGON2_OK) {
+
+  /* Coerce encoded and freeze it before doing the same to pwd. The order here
+   * is important to prevent pwd#to_str mutating encoded.
+   */
+  StringValueCStr(encoded);
+  encoded = rb_str_new_frozen(encoded);
+  StringValue(pwd);
+  pwd = rb_str_new_frozen(pwd);
+
+  args.result = ARGON2_MISSING_ARGS;
+  args.encoded = RSTRING_PTR(encoded);
+  args.pwd = RSTRING_PTR(pwd);
+  args.pwdlen = RSTRING_LEN(pwd);
+
+  rb_thread_call_without_gvl(nogvl_verify, &args, NULL, NULL);
+
+  RB_GC_GUARD(encoded);
+  RB_GC_GUARD(pwd);
+
+  if (args.result == ARGON2_OK) {
     return Qtrue;
   }
-  if (result == ARGON2_VERIFY_MISMATCH) {
+  if (args.result == ARGON2_VERIFY_MISMATCH) {
     return Qfalse;
   }
-  if (result == ARGON2_DECODING_FAIL || result == ARGON2_DECODING_LENGTH_FAIL) {
-    rb_raise(rb_eArgError, "%s", argon2_error_message(result));
+  if (args.result == ARGON2_DECODING_FAIL || args.result == ARGON2_DECODING_LENGTH_FAIL) {
+    rb_raise(rb_eArgError, "%s", argon2_error_message(args.result));
   }
 
-  rb_raise(cArgon2idError, "%s", argon2_error_message(result));
+  rb_raise(cArgon2idError, "%s", argon2_error_message(args.result));
 }
 
 void
 Init_argon2id(void)
 {
+  rb_ext_ractor_safe(true);
+
   id_encoded = rb_intern("@encoded");
 
   mArgon2id = rb_define_module("Argon2id");

data/lib/argon2id/extension.rb

@@ -10,6 +10,7 @@ if RUBY_PLATFORM == "java"
     class Password
       def self.hash_encoded(t_cost, m_cost, parallelism, pwd, salt, hashlen)
         raise Error, "Salt is too short" if salt.empty?
+        raise Error, "Memory cost is too small" if m_cost < 8
 
         salt_bytes = salt.to_java_bytes
         output = Java::byte[hashlen].new

data/lib/argon2id/password.rb

@@ -115,13 +115,14 @@ module Argon2id
     def initialize(encoded)
       raise ArgumentError, "invalid hash" unless PATTERN =~ String(encoded)
 
-      @encoded = $&
+      @encoded = $&.freeze
       @version = Integer($1 || 0x10)
       @m_cost = Integer($2)
       @t_cost = Integer($3)
       @parallelism = Integer($4)
-      @salt = $5.unpack1("m")
-      @output = $6.unpack1("m")
+      @salt = $5.unpack1("m").freeze
+      @output = $6.unpack1("m").freeze
+      freeze
     end
 
     # Return the encoded password hash.

data/lib/argon2id/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Argon2id
-  VERSION = "0.8.0"
+  VERSION = "0.10.0"
 end

data/test/argon2id/test_password.rb

@@ -188,6 +188,42 @@ class TestPassword < Minitest::Test
     assert password == "password"
   end
 
+  def test_new_password_is_frozen
+    password = Argon2id::Password.new(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ" \
+      "$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4"
+    )
+
+    assert password.frozen?
+  end
+
+  def test_encoded_is_frozen
+    password = Argon2id::Password.new(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ" \
+      "$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4"
+    )
+
+    assert password.encoded.frozen?
+  end
+
+  def test_salt_is_frozen
+    password = Argon2id::Password.new(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ" \
+      "$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4"
+    )
+
+    assert password.salt.frozen?
+  end
+
+  def test_output_is_frozen
+    password = Argon2id::Password.new(
+      "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ" \
+      "$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4"
+    )
+
+    assert password.output.frozen?
+  end
+
   def test_encoded_returns_the_full_encoded_hash
     password = Argon2id::Password.new(
       "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ" \
@@ -526,6 +562,12 @@ class TestPassword < Minitest::Test
     Argon2id.output_len = Argon2id::DEFAULT_OUTPUT_LEN
   end
 
+  def test_create_password_is_frozen
+    password = Argon2id::Password.create("password")
+
+    assert password.frozen?
+  end
+
   def test_create_password_equals_correct_password
     password = Argon2id::Password.create("password")
 
@@ -538,6 +580,31 @@ class TestPassword < Minitest::Test
     refute password == "differentpassword"
   end
 
+  def test_create_is_thread_safe
+    threads = 10.times.map do |i|
+      Thread.new(i) do |n|
+        password = Argon2id::Password.create("password-#{n}", t_cost: 2, m_cost: 256, parallelism: 1)
+        assert password == "password-#{n}"
+      end
+    end
+
+    threads.each(&:value)
+  end
+
+  def test_verify_is_thread_safe
+    hash = Argon2id::Password.create("password", t_cost: 2, m_cost: 256, parallelism: 1).to_s
+
+    threads = 10.times.map do |i|
+      Thread.new do
+        password = Argon2id::Password.new(hash)
+        assert password == "password"
+        refute password == "wrong"
+      end
+    end
+
+    threads.each(&:value)
+  end
+
   def test_hashing_password_verifies_correct_password
     hash = Argon2id::Password.create("password").to_s
     password = Argon2id::Password.new(hash)

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: argon2id
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Paul Mucur
 bindir: bin
 cert_chain: []
-date: 2024-12-29 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake-compiler-dock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.11'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.11'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +106,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.6
 specification_version: 4
 summary: Ruby bindings to Argon2
 test_files: []