libpasta 0.0.5

data/ext/pasta-bindings/libpasta/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Sam Scott
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/ext/pasta-bindings/libpasta/Makefile

@@ -0,0 +1,27 @@
+VERSION = 0.0.5
+
+all: libpasta.so libpasta.a
+
+clean:
+	rm -rf build/
+
+force:
+	cargo clean --manifest-path libpasta-capi/Cargo.toml
+	make clean
+	make default
+
+libpasta: Cargo.toml libpasta-capi/Cargo.toml
+	cargo build --release --manifest-path libpasta-capi/Cargo.toml
+
+libpasta.%: libpasta
+	mkdir -p build
+	cp libpasta-capi/target/release/$@ build/$@
+
+install: libpasta.so
+	sudo install -D -m0755 build/libpasta.so /usr/lib/libpasta.so.${VERSION}
+	sudo ln -sf /usr/lib/libpasta.so.${VERSION} /usr/lib/libpasta.so
+
+uninstall:
+	sudo rm /usr/lib/libpasta.so.$(VERSION)
+
+.PHONY: clean uninstall

data/ext/pasta-bindings/libpasta/README.md

@@ -0,0 +1,78 @@
+libpasta - Password Storage Algorithms
+===================================
+
+[![Build Status][build_badge]][build_status]
+[![Code Coverage][coverage_badge]][coverage_report]
+
+#### _Making Password Painless_
+
+This library aims to be a all-in-one solution for password storage. In
+particular, we aim to provide:
+
+ - Easy-to-use password storage with sane defaults.
+ - Tools to provide parameter tuning for different use cases.
+ - Automatic migration of password hashes to new algorithms.
+
+
+## Introduction
+
+libpasta is designed to be as simple to use as possible. Most users would rather
+not have to choose which password algorithm to use, nor understand what 
+are the best parameter choices. 
+
+Therefore, we take great care to make this all opaque to the user:
+
+```rust
+    let password = "hunter2".owned();
+    let hash = hash_password(password);
+    // store hash in database
+    // ... time passes, user returns ...
+    let password = "hunter2".owned();
+    if verify_password(password, &hash) {
+        // do something
+    }
+```
+
+## Installation
+
+To build the `libpasta` system library, simply run `make`. This outputs
+a `build/libpasta.so` file (or system-appropriate filename).
+
+You can also try running `make install` to automatically move it to the correct
+location.
+
+The library is generated as a result of building [libpasta-capi](libpasta-capi/),
+which is a C-API wrapper built around the Rust code.
+
+### The rest of this README is dedicated to developing the code. For more about the library, and examples, please see: https://libpasta.github.io/ or the [documentation](https://docs.rs/libpasta/).
+
+## Roadmap
+
+libpasta is still currently in development. The current version is `0.0.1`
+representing a pre-release. After gathering some initial feedback we will
+move to `0.1.0` release, at which point libpasta will be ready to use in 
+test environments. We are targetting a stable `1.0.0` release once the API
+is stable, and testing reveals no major issues.
+
+## Contributing
+
+libpasta is still in its infancy, and the best way to contribute right now is
+to start testing it in new projects.
+
+Please feel free to open new issues or pull requests for any bugs found, feature
+requests, or general suggestions.
+
+We very much welcome any contributions, and simply ask for patience and civility
+when dealing with any disagreements or problems.
+
+## License
+
+libpasta is licensed under the MIT license: [License](license).
+
+
+[build_badge]: https://travis-ci.org/libpasta/libpasta.svg?branch=master
+[build_status]: https://travis-ci.org/libpasta/libpasta
+[coverage_badge]: https://codecov.io/gh/libpasta/libpasta/graph/badge.svg
+[coverage_report]: https://codecov.io/gh/libpasta/libpasta/
+[documentation]: https://libpasta.github.io/doc/libpasta/
+[license]: LICENSE.md

data/ext/pasta-bindings/libpasta/benches/bench.rs

@@ -0,0 +1,125 @@
+#![feature(test)]
+
+extern crate argon2rs;
+extern crate cargon;
+extern crate libpasta;
+extern crate serde_mcf;
+extern crate test;
+extern crate time;
+use test::Bencher;
+
+
+use libpasta::primitives::{Argon2, Scrypt, Primitive};
+use libpasta::hashing::Algorithm;
+
+#[bench]
+fn empty(b: &mut Bencher) {
+    b.iter(|| 1)
+}
+
+use std::fs::File;
+
+#[bench]
+fn raw_argon2(_b: &mut Bencher) {
+    let _f1 = File::create("native.txt").unwrap();
+    let _f2 = File::create("ffi.txt").unwrap();
+    let reps = 10;
+    let password = [0; 16];
+    let salt = [1; 16];
+    let t_cost = 3;
+    let thread_test = [1, 2, 4, 8];
+    let mut out = [0u8; 32];
+    let mut m_cost = 1 << 10;
+    while m_cost <= 1 << 22 {
+        for threads in &thread_test {
+            let alg = argon2rs::Argon2::new(t_cost, *threads, m_cost, argon2rs::Variant::Argon2i)
+                .unwrap();
+            let mut alg_ffi = mk_cargon(&alg, &mut out, &password, &salt, &[], &[]);
+            let prim: Primitive = Argon2::new(t_cost, *threads, m_cost);
+            let pastalg = Algorithm::Single(prim);
+
+            let start = time::precise_time_ns();
+            for _ in 0..reps {
+                alg.hash(&mut out, &password, &salt, &[], &[]);
+            }
+            let end = time::precise_time_ns();
+            let native = (end - start) as f64;
+
+            let start = time::precise_time_ns();
+            for _ in 0..reps {
+                unsafe {
+                    cargon::argon2_ctx(&mut alg_ffi, argon2rs::Variant::Argon2i as usize);
+                }
+            }
+            let end = time::precise_time_ns();
+            let ffi = (end - start) as f64;
+
+            let start = time::precise_time_ns();
+            for _ in 0..reps {
+                let _ = serde_mcf::to_string(&pastalg.hash("hunter2"));
+            }
+            let end = time::precise_time_ns();
+            let libp = (end - start) as f64;
+
+            println!("{} {} iterations  {} MiB {} threads ... {} reps",
+                     "Argon2i",
+                     t_cost,
+                     m_cost / 1024,
+                     threads,
+                     reps);
+            println!("Native:   {:.4} seconds", native / 1_000_000_000f64);
+            println!("libpasta: {:.4} seconds", libp / 1_000_000_000f64);
+            println!("FFI:      {:.4} seconds\n", ffi / 1_000_000_000f64);
+        }
+        m_cost <<= 1;
+
+    }
+}
+
+
+#[bench]
+fn pasta_hash_static(b: &mut Bencher) {
+    let password = "hunter2";
+    b.iter(|| libpasta::hash_password(password))
+}
+
+#[bench]
+fn pasta_hash_dyn(b: &mut Bencher) {
+    let password = "hunter2";
+    let alg = Algorithm::Single(Scrypt::new(14, 8, 1));
+    b.iter(|| {
+        alg.hash(password)
+    })
+}
+
+use std::ptr;
+fn mk_cargon(a2: &argon2rs::Argon2,
+             out: &mut [u8],
+             p: &[u8],
+             s: &[u8],
+             k: &[u8],
+             x: &[u8])
+             -> cargon::CargonContext {
+    let (_, kib, passes, lanes) = a2.params();
+    cargon::CargonContext {
+        out: out.as_mut_ptr(),
+        outlen: out.len() as u32,
+        pwd: p.as_ptr(),
+        pwdlen: p.len() as u32,
+        salt: s.as_ptr(),
+        saltlen: s.len() as u32,
+        secret: k.as_ptr(),
+        secretlen: k.len() as u32,
+        ad: x.as_ptr(),
+        adlen: x.len() as u32,
+
+        t_cost: passes,
+        m_cost: kib,
+        lanes: lanes,
+        threads: lanes,
+        version: 0x13,
+        allocate_fptr: ptr::null(),
+        deallocate_fptr: ptr::null(),
+        flags: cargon::ARGON2_FLAG_CLEAR_MEMORY,
+    }
+}

data/ext/pasta-bindings/libpasta/examples/alternate_key_source.rs

@@ -0,0 +1,33 @@
+extern crate libpasta;
+extern crate ring;
+
+use libpasta::key;
+use ring::digest;
+
+#[derive(Debug)]
+struct StaticSource(&'static [u8; 16]);
+static STATIC_SOURCE: StaticSource = StaticSource(b"ThisIsAStaticKey");
+
+impl key::Store for StaticSource {
+    /// Insert a new key into the `Store`.
+    fn insert(&self, _key: &[u8]) -> String {
+        "StaticKey".to_string()
+    }
+
+    /// Get a key from the `Store`.
+    fn get_key(&self, _id: &str) -> Option<Vec<u8>> {
+        Some(self.0.to_vec())
+    }
+}
+
+fn main() {
+    let mut config = libpasta::Config::default();
+    config.set_key_source(&STATIC_SOURCE);
+
+    // Construct an HMAC instance and use this as the outer configuration
+    let keyed_function = libpasta::primitives::Hmac::with_key_id(&digest::SHA256, "StaticKey");
+    config.set_keyed_hash(keyed_function);
+
+    let hash = config.hash_password("hunter2");
+    println!("Computed hash: {:?}", hash);
+}

data/ext/pasta-bindings/libpasta/examples/config.rs

@@ -0,0 +1,10 @@
+extern crate libpasta;
+
+use libpasta::primitives::Bcrypt;
+
+fn main() {
+    let config = libpasta::Config::with_primitive(Bcrypt::new(15));
+    let password_hash = config.hash_password("hunter2");
+    println!("The hashed password is: '{}'", password_hash);
+    // Prints bcrypt hash
+}

data/ext/pasta-bindings/libpasta/examples/config_hmac.rs

@@ -0,0 +1,25 @@
+extern crate libpasta;
+extern crate ring;
+
+use ring::digest;
+
+fn main() {
+    // Use scrypt as the default inner hash
+    let hash_primitive = libpasta::primitives::Scrypt::default();
+    let mut config = libpasta::Config::with_primitive(hash_primitive);
+
+    // Some proper way of getting a key
+    let key = b"yellow submarine";
+    let key_id = config.add_key(key);
+    // Construct an HMAC instance and use this as the outer configuration
+    let keyed_function = libpasta::primitives::Hmac::with_key_id(&digest::SHA256, &key_id);
+    config.set_keyed_hash(keyed_function);
+
+    let hash = config.hash_password("hunter2");
+    println!("Computed hash: {:?}", hash);
+    // Outputs:
+    // Computed hash: "$!$hmac$key_id=LNMhDy...,h=SHA256$$scrypt$ln=14,r=8,p=1$ZJ5EY...$grlNA...."
+
+    assert!(hash.starts_with("$!$hmac"));
+    assert!(hash.contains("scrypt"));
+}

data/ext/pasta-bindings/libpasta/examples/hash_password.rs

@@ -0,0 +1,10 @@
+extern crate libpasta;
+
+// We re-export the rpassword crate for CLI password input.
+use libpasta::rpassword::*;
+
+fn main() {
+    let password = prompt_password_stdout("Please enter your password:").unwrap();
+    let password_hash = libpasta::hash_password(&password);
+    println!("The hashed password is: '{}'", password_hash);
+}

data/ext/pasta-bindings/libpasta/examples/migrate_password.rs

@@ -0,0 +1,47 @@
+extern crate libpasta;
+use libpasta::rpassword::*;
+
+#[derive(Debug)]
+struct User {
+    // ...
+    password_hash: String,
+}
+
+fn migrate_users(users: &mut [User]) {
+    // Step 1: Wrap old hash
+    for user in users {
+        libpasta::migrate_hash(&mut user.password_hash);
+    }
+}
+
+fn auth_user(user: &mut User) {
+    // Step 2: Update algorithm during log in
+    let password = prompt_password_stdout("Enter password:").unwrap();
+    if libpasta::verify_password_update_hash(&mut user.password_hash, &password) {
+        println!("Password correct, new hash: \n{}", user.password_hash);
+    } else {
+        println!("Password incorrect, hash unchanged: \n{}",
+                 user.password_hash);
+    }
+}
+
+fn main() {
+    let mut users = vec![User { password_hash: deprected_hash("hunter2") },
+                         User { password_hash: deprected_hash("hunter3") },
+                         User { password_hash: deprected_hash("letmein") },
+                         User { password_hash: deprected_hash("password") }];
+
+    migrate_users(&mut users);
+    println!("Passwords migrated: {:?}", users);
+    auth_user(&mut users[0]);
+}
+
+// Do not use this code as a good example of how to do hashing.
+// This is intentionally awkward
+use libpasta::{hashing, primitives};
+extern crate serde_mcf;
+
+fn deprected_hash(password: &str) -> String {
+    let alg = hashing::Algorithm::Single(primitives::Bcrypt::default());
+    serde_mcf::to_string(&alg.hash(password)).unwrap()
+}

data/ext/pasta-bindings/libpasta/examples/verify_password.rs

@@ -0,0 +1,24 @@
+extern crate libpasta;
+use libpasta::rpassword::*;
+
+struct User {
+    // ...
+    password_hash: String,
+}
+
+fn auth_user(user: &User) {
+    let password = prompt_password_stdout("Enter password:").unwrap();
+    if libpasta::verify_password(&user.password_hash, &password) {
+        println!("The password is correct!");
+        // ~> Handle correct password
+    } else {
+        println!("Incorrect password.");
+        // ~> Handle incorrect password
+    }
+}
+
+
+fn main() {
+    let user = User { password_hash: libpasta::hash_password("hunter2") };
+    auth_user(&user);
+}

data/ext/pasta-bindings/libpasta/libpasta-capi/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "pasta"
+version = "0.0.5"
+authors = ["Sam Scott <sam.scott89@gmail.com>"]
+
+[dependencies]
+libc = "0.2"
+libpasta = { version = "0.0.5", path = ".." }
+rpassword = "2.0"
+
+[lib]
+crate-type = ["cdylib", "staticlib"]

data/ext/pasta-bindings/libpasta/libpasta-capi/ctest/compile

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -ex
+
+cargo build --manifest-path ../Cargo.toml
+gcc -DDEBUG -o test test.c -ansi -Wall -I../include -L../target/debug -lpasta

data/ext/pasta-bindings/libpasta/libpasta-capi/ctest/test.c

@@ -0,0 +1,12 @@
+#include <assert.h>
+#include <stdio.h>
+#include "pasta.h"
+
+int main(void) {
+    char *hash;
+    hash = hash_password("hello123");
+    assert (verify_password(hash, "hello123"));
+    printf("\x1b[1;32mC test passed\x1b[m\n");
+    free_string(hash);
+    return 0;
+}