sorcery-argon2 1.0.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7bb1388ca541ca05f53572cc0d55f32c290ee7d5df67756db049a41184c5ac1
-  data.tar.gz: eb9c9c6961628f0d1fab7b8fc9ffe1a40fddeae00e2494c919389a68bdf629f6
+  metadata.gz: 0e4215adcc0a57d9fcc8071040414837e73050e632408e6abc5ee21dd3a23730
+  data.tar.gz: 94f1747cfcde31199ccd8eca3a6b4a8224e6f60b7f20e7480ef30f572a1822fe
 SHA512:
-  metadata.gz: cbedd212398de7f232bb7beee55b824b1b222b59113a69caf235b2eba1af22ca80362b43996f4566c6c294cd95b1eba4116264ac785861bb2efe8446c0d04376
-  data.tar.gz: fe0996121338f875bbb230bd8130322ec64de823ae3d15524950afc8e8f189542fbe76c352c825c78108d7e0d4a8277e2bbc09ec7da702679a51c954f2808309
+  metadata.gz: b6dfb414d7f24c4b710184c8bdcf35490d9ed29decde5090575421fddb88813dc62beac0755a5b2f5f0528e33e82600f7908812e87f8e2e36f9030e365ec5a21
+  data.tar.gz: 985ba0f248274fd28acb7b0e9d62029b8b93eaaf755561e36d358ff0bdb6fe9dfa4e1cbcbbfc6e165b1ac4a90704377d2e94190f525e7cb4087dca4829fe83cb

data/.github/workflows/codeql.yml

@@ -0,0 +1,74 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '34 3 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'ruby' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

data/.github/workflows/ruby.yml

@@ -17,6 +17,8 @@ jobs:
           - 2.6
           - 2.7
           - 3.0
+          - 3.1
+          - 3.2
           - head
 
     runs-on: ${{ matrix.os }}-latest
@@ -31,14 +33,18 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
-      - name: Initialize Git Submodules
-        run: git submodule update --init --recursive
       - name: Build Argon2 C library
         run: bin/setup
       - name: Test Argon2 C library
         run: bin/test
       - name: Run tests
         run: bundle exec rake test
+      - name: Coveralls Parallel
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          flag-name: run-${{ matrix.ruby-version }}
+          parallel: true
 
   rubocop:
 
@@ -54,7 +60,6 @@ jobs:
     - name: Run rubocop
       run: bundle exec rake rubocop
 
-# TODO: Add code coverage testing (coveralls)
 # TODO: Add documentation/maintainability testing?
 # TODO: Add dependency testing? (bundle audit)
 
@@ -62,5 +67,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [ test_matrix, rubocop ]
     steps:
+      - name: Coveralls Finished
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          parallel-finished: true
       - name: Wait for status checks
         run: echo "All Green!"

data/.rubocop.yml

@@ -1,5 +1,9 @@
 Metrics/AbcSize:
-  Max: 20
+  Max: 21
+
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/argon2/password.rb'
 
 Metrics/CyclomaticComplexity:
   Enabled: false
@@ -7,6 +11,11 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Enabled: false
 
+Metrics/ParameterLists:
+  Max: 5
+  Exclude:
+    - 'lib/argon2/ffi_engine.rb'
+
 Layout/LineLength:
   Max: 160
   Exclude:
@@ -205,4 +214,105 @@ Style/RedundantArgument: # (new in 1.4)
   Enabled: true
 Style/SwapValues: # (new in 1.1)
   Enabled: true
-
+Lint/DeprecatedConstants: # (new in 1.8)
+  Enabled: true
+Lint/LambdaWithoutLiteralBlock: # (new in 1.8)
+  Enabled: true
+Lint/NumberedParameterAssignment: # (new in 1.9)
+  Enabled: true
+Lint/OrAssignmentToConstant: # (new in 1.9)
+  Enabled: true
+Lint/RedundantDirGlobSort: # (new in 1.8)
+  Enabled: true
+Lint/SymbolConversion: # (new in 1.9)
+  Enabled: true
+Lint/TripleQuotes: # (new in 1.9)
+  Enabled: true
+Style/EndlessMethod: # (new in 1.8)
+  Enabled: true
+Style/HashConversion: # (new in 1.10)
+  Enabled: true
+Style/IfWithBooleanLiteralBranches: # (new in 1.9)
+  Enabled: true
+Style/StringChars: # (new in 1.12)
+  Enabled: true
+Gemspec/DeprecatedAttributeAssignment: # new in 1.30
+  Enabled: true
+Gemspec/RequireMFA: # new in 1.23
+  Enabled: true
+Layout/LineContinuationLeadingSpace: # new in 1.31
+  Enabled: true
+Layout/LineContinuationSpacing: # new in 1.31
+  Enabled: true
+Layout/LineEndStringConcatenationIndentation: # new in 1.18
+  Enabled: true
+Lint/AmbiguousOperatorPrecedence: # new in 1.21
+  Enabled: true
+Lint/AmbiguousRange: # new in 1.19
+  Enabled: true
+Lint/ConstantOverwrittenInRescue: # new in 1.31
+  Enabled: true
+Lint/DuplicateMagicComment: # new in 1.37
+  Enabled: true
+Lint/EmptyInPattern: # new in 1.16
+  Enabled: true
+Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21
+  Enabled: true
+Lint/NonAtomicFileOperation: # new in 1.31
+  Enabled: true
+Lint/RefinementImportMethods: # new in 1.27
+  Enabled: true
+Lint/RequireRangeParentheses: # new in 1.32
+  Enabled: true
+Lint/RequireRelativeSelfPath: # new in 1.22
+  Enabled: true
+Lint/UselessRuby2Keywords: # new in 1.23
+  Enabled: true
+Naming/BlockForwarding: # new in 1.24
+  Enabled: true
+Security/CompoundHash: # new in 1.28
+  Enabled: true
+Security/IoMethods: # new in 1.22
+  Enabled: true
+Style/EmptyHeredoc: # new in 1.32
+  Enabled: true
+Style/EnvHome: # new in 1.29
+  Enabled: true
+Style/FetchEnvVar: # new in 1.28
+  Enabled: true
+Style/FileRead: # new in 1.24
+  Enabled: true
+Style/FileWrite: # new in 1.24
+  Enabled: true
+Style/InPatternThen: # new in 1.16
+  Enabled: true
+Style/MagicCommentFormat: # new in 1.35
+  Enabled: true
+Style/MapCompactWithConditionalBlock: # new in 1.30
+  Enabled: true
+Style/MapToHash: # new in 1.24
+  Enabled: true
+Style/MultilineInPatternThen: # new in 1.16
+  Enabled: true
+Style/NestedFileDirname: # new in 1.26
+  Enabled: true
+Style/NumberedParameters: # new in 1.22
+  Enabled: true
+Style/NumberedParametersLimit: # new in 1.22
+  Enabled: true
+Style/ObjectThen: # new in 1.28
+  Enabled: true
+Style/OpenStructUse: # new in 1.23
+  Enabled: true
+Style/OperatorMethodCall: # new in 1.37
+  Enabled: true
+Style/QuotedSymbols: # new in 1.16
+  Enabled: true
+Style/RedundantInitialize: # new in 1.27
+  Enabled: true
+Style/RedundantSelfAssignmentBranch: # new in 1.19
+  Enabled: true
+Style/RedundantStringEscape: # new in 1.37
+  Enabled: true
+Style/SelectByRegexp: # new in 1.22
+  Enabled: true

data/CHANGELOG.md

@@ -4,6 +4,14 @@ Historical changelog for all versions.
 
 ## HEAD
 
+## v1.2.0
+
+* Synced with latest upstream changes (technion/ruby-argon2 `v2.2.0`)
+
+## v1.1.0
+
+* Added support for passing parallelism cost to `Argon2::Password.create`
+
 ## v1.0.0
 
 This project has been forked from

data/MAINTAINING.md

@@ -57,9 +57,14 @@ NOTE: `X.Y.Z` and `vX.Y.Z` are given as examples, and should be replaced with
 1. Stage your changes and create a commit
    1. `git add -A`
    1. `git commit -m "Release vX.Y.Z"`
-   1. `git push`
-1. Gem Release
+1. Ensure all tests are passing
+   1. `./bin/setup`
+   1. `./bin/test` (you may need to install clang, e.g. `sudo apt install clang`)
+   1. `rake default`
+1. Build the Gem
    1. `gem build`
+   1. Test installation: `gem install sorcery-argon2-X.Y.Z.gem`
+1. Push the new release
+   1. `git push`
    1. `gem push <filename>`
-1. TODO: Version tagging
    1. Release new version via github interface

data/README.md

@@ -1,20 +1,28 @@
 # Argon2 - Ruby Wrapper
 
-Forked from [technion/ruby-argon2](https://github.com/technion/ruby-argon2) aka
-the `argon2` gem, `v2.0.3`. See below for a migration guide if you would like to
-move an existing application from `argon2` to `sorcery-argon2`.
+A ruby wrapper for the Argon2 password hashing algorithm.
 
-[Why was `argon2` forked?](https://github.com/technion/ruby-argon2/pull/44#issuecomment-816271661)
+*This is an independent project, and not official from the PHC team.*
+
+This gem provides a 1:1 replacement for the `argon2` gem, with various
+improvements. Want to know more about why `argon2` was forked?
+[Read more](#why-fork-argon2)
+
+Wish to upgrade an existing application to use the improved API?
+[Migration guide](#migrating-from-argon2-to-sorcery-argon2)
+
+This fork is kept up-to-date with `argon2`, latest sync: `argon2 - v2.2.0`
 
 ## Table of Contents
 
 1. [Useful Links](#useful-links)
 2. [API Summary](#api-summary)
 3. [Installation](#installation)
-4. [Migrating from `argon2` to `sorcery-argon2`](#migrating-from-argon2-to-sorcery-argon2)
-5. [Contributing](#contributing)
-6. [Contact](#contact)
-7. [License](#license)
+4. [Why fork `argon2`?](#why-fork-argon2)
+5. [Migrating from `argon2` to `sorcery-argon2`](#migrating-from-argon2-to-sorcery-argon2)
+6. [Contributing](#contributing)
+7. [Contact](#contact)
+8. [License](#license)
 
 ## Useful Links
 
@@ -93,13 +101,146 @@ Require Sorcery-Argon2 in your project:
 require 'argon2'
 ```
 
+## Why fork `argon2`?
+
+While implementing Argon2 support in Sorcery v1, I noticed that the current
+ruby wrapper (`argon2` - [technion/ruby-argon2](https://github.com/technion/ruby-argon2))
+had some questionable design decisions, and attempted to address them through a
+pull request. The sole maintainer of the gem rejected these changes summarily,
+without pointing out any specific concerns other than not understanding why the
+changes were necessary. This lead to me ([@joshbuker](https://github.com/joshbuker))
+being directed to create a fork instead:
+[technion/ruby-argon2#44](https://github.com/technion/ruby-argon2/pull/44#issuecomment-816271661)
+
+### Why should I trust this fork?
+
+You shouldn't trust this code more than you trust any other open source project.
+It's written by someone you don't know, and even if there is no malicious
+intent, there is no guarantee that the code is secure. Open source security is
+driven by having the community vett popular libraries, and discovering flaws
+through the sheer number of intelligent community members looking at the code.
+
+That being said, the original library `argon2` also falls under the same
+category. Ultimately, it was also written by a single person and is not
+thoroughly vetted by the community at the time of writing. A community member
+([@joshbuker](https://github.com/joshbuker), in this case) finding flaws in the
+implementation, and the fixes being rejected from upstream, is how this fork
+came into being.
+
+### What are the changes, why are they necessary?
+
+The Argon2::Password interface was, to put it bluntly, poorly executed in the
+original library. The Password class instance was not a representation of an
+Argon2 password as one would expect, but instead an unnecessary abstraction
+layer used to store the settings passed to the underlying Argon2 C Library. This
+not only led to an overly complicated method of generating Argon2 hashes, but
+also meant that the class could not be used to read data back out of an Argon2
+digest.
+
+Originally, to generate an Argon2 hash/digest, one would have to do the
+following:
+
+```ruby
+# Create an instance of the Argon2::Password class to store your options:
+instance = Argon2::Password.new(t_cost: 4, m_cost: 16)
+# Use this instance to generate the hash by calling create:
+instance.create(password)
+    => "$argon2i$v=19$m=65536,t=2,p=1$jL7lLEAjDN+pY2cG1N8D2g$iwj1ueduCvm6B9YVjBSnAHu+6mKzqGmDW745ALR38Uo"
+```
+
+Not only is this abstraction step unnecessary, it opens up a new way for
+developers to make a security mistake. New salts are only generated on the
+creation of a new Argon2::Password instance, meaning if you reuse the instance,
+those passwords will share the same salt.
+
+```ruby
+instance = Argon2::Password.new(t_cost: 4, m_cost: 16)
+# digest1 and digest2 will share the same salt:
+digest1 = instance.create(password1)
+digest2 = instance.create(password2)
+```
+
+Also, because of how the instance of Argon2::Password was designed, it cannot be
+used for reading information back out of an Argon2::Password. This is a summary
+of the original Argon2::Password API:
+
+```ruby
+# Class methods
+Argon2::Password.create(password) # Uses the default options to create a digest
+Argon2::Password.valid_hash?(digest)
+Argon2::Password.verify_password(password, digest, pepper = nil)
+
+# Instance Methods
+argon2 = Argon2::Password.new(options = {}) # Purely for storing options
+argon2.create(password) # Take the options and generate an Argon2 digest
+```
+
+Compare this with `sorcery-argon2`:
+
+```ruby
+# Class methods
+Argon2::Password.create(password, options = {}) # Same as before but accepts passing options
+Argon2::Password.valid_hash?(digest)
+Argon2::Password.verify_password(password, digest, pepper = nil)
+
+# Instance Methods
+argon2 = Argon2::Password.new(digest) # Now represents an Argon2 digest
+argon2 == other_argon2 # Which can be compared with `==` against other Argon2::Password instances
+argon2.matches?(password, pepper = nil) # Or against the original password
+argon2.to_s   # Returns the digest as a String
+argon2.to_str # Also returns the digest as a String
+
+# Argon2::Password Attributes (readonly)
+argon2.digest
+argon2.variant
+argon2.version
+argon2.t_cost
+argon2.m_cost
+argon2.p_cost
+argon2.salt
+argon2.checksum
+```
+
+Another minor issue is that all library errors fall to a single non-descriptive
+class:
+
+```ruby
+Argon2::ArgonHashFail
+```
+
+Compare with `sorcery-argon2`:
+
+```ruby
+Argon2::Error # Replaces `Argon2::ArgonHashFail`
+
+# The following errors all inherit from Argon2::Error, and allow you to catch
+# specifically the error you're interested in:
+Argon2::Errors::InvalidHash
+Argon2::Errors::InvalidVersion
+Argon2::Errors::InvalidCost
+Argon2::Errors::InvalidTCost
+Argon2::Errors::InvalidMCost
+Argon2::Errors::InvalidPCost
+Argon2::Errors::InvalidPassword
+Argon2::Errors::InvalidSaltSize
+Argon2::Errors::InvalidOutputLength
+Argon2::Errors::ExtError
+```
+
+Finally, the original library documentation is not only incomplete, but
+straight up broken/inaccurate in some areas. `sorcery-argon2` has fixed these
+issues, and has 100% documentation of the API.
+
+* [`argon2` Documentation](https://rubydoc.info/gems/argon2)
+* [`sorcery-argon2` Documentation](https://rubydoc.info/gems/sorcery-argon2)
+
 ## Migrating from `argon2` to `sorcery-argon2`
 
 There are two primary changes going from `argon2` to `sorcery-argon2`:
 
 ### The Argon2::Password API has been refactored
 
-**Argon2::Password.new and Argon2::Password.create are now different.**
+*Argon2::Password.new and Argon2::Password.create are now different.*
 
 Argon2::Passwords can now be created without initializing an instance first.
 
@@ -115,11 +256,11 @@ instance.create(input_password)
 Argon2::Password.create(input_password, m_cost: some_m_cost)
 ```
 
-**Argon2::Password.create no longer accept custom salts.**
+*Argon2::Password.create no longer accepts custom salts.*
 
-You should not be providing your own salt to the Argon2 algorithm (it does it
-for you). Previously you could pass an option of `salt_do_not_supply`, which has
-been removed in `sorcery-argon2 - v1.0.0`.
+You should not be providing your own salt to the Argon2 algorithm (this library
+does it for you). Previously you could pass an option of `salt_do_not_supply`,
+which has been removed in `sorcery-argon2 - v1.0.0`.
 
 ### The errors have been restructured
 
@@ -156,7 +297,7 @@ Feel free to ask questions using these contact details:
 
 **Current Maintainers:**
 
-* Josh Buker ([@athix](https://github.com/athix)) | [Email](mailto:crypto+sorcery@joshbuker.com?subject=Sorcery)
+* Josh Buker ([@joshbuker](https://github.com/joshbuker)) | [Email](mailto:crypto+sorcery@joshbuker.com?subject=Sorcery)
 
 ## License
 

data/bin/setup

@@ -4,8 +4,12 @@ set -euo pipefail
 # Internal Field Separator
 IFS=$'\n\t'
 
+# Initialize Git Submodules
+git submodule update --init --recursive
+
 # Build the Argon2 C Library. Git submodules must be initialized first!
 bundle install
 cd ext/argon2_wrap/
+ruby extconf.rb
 make
 cd ../..

data/ext/argon2_wrap/{Makefile → Makefile.real}

@@ -60,6 +60,7 @@ LIB_SH := lib$(LIB_NAME).$(LIB_EXT)
 all: libs 
 libs: $(SRC)
 		$(CC) $(CFLAGS) $(LIB_CFLAGS) $^ -o libargon2_wrap.$(LIB_EXT)
+		cp libargon2_wrap.$(LIB_EXT) ../../lib
 
 #Deliberately avoiding the CFLAGS for our test cases - disable optimise and
 #C89

data/ext/argon2_wrap/extconf.rb

@@ -1,2 +1,5 @@
 # frozen_string_literal: true
-#I must admit I have no understanding of why this empty file works.
+
+require 'mkmf'
+
+File.rename('Makefile.real', 'Makefile')

data/ext/phc-winner-argon2/.git

@@ -0,0 +1 @@
+gitdir: ../../.git/modules/ext/phc-winner-argon2

data/ext/phc-winner-argon2/.gitattributes

@@ -0,0 +1,10 @@
+# Export ignore
+.gitattributes export-ignore
+.gitignore export-ignore
+.travis.yml export-ignore
+appveyor.yml export-ignore
+export.sh export-ignore
+latex/* export-ignore
+
+# Linguist documentation
+latex/* linguist-documentation

data/ext/phc-winner-argon2/.gitignore

@@ -0,0 +1,22 @@
+argon2
+libargon2.a
+libargon2.so*
+libargon2.dylib
+libargon2.pc
+.DS_Store
+src/*.o
+src/blake2/*.o
+genkat
+.idea
+*.pyc
+testcase
+*.gcda
+*.gcno
+*.gcov
+bench
+vs2015/build
+Argon2.sdf
+Argon2.VC.opendb
+*.zip
+*.tar.gz
+tags

data/ext/phc-winner-argon2/.travis.yml

@@ -0,0 +1,25 @@
+language: c
+
+compiler:
+  - clang
+  - gcc
+
+os:
+  - linux
+  - osx
+
+# Clang on Linux needs to run in a VM to use ASAN.
+# See: https://github.com/travis-ci/travis-ci/issues/9033
+matrix:
+  exclude:
+    - compiler: clang
+      os: linux
+  include:
+    - compiler: clang
+      os: linux
+      sudo: true
+
+script: make && make testci
+
+after_success:
+  - bash <(curl -s https://codecov.io/bash)