No way to verify Argon2 1.0 hashes

[lluchs]

In the C library, argon2_verify automatically detects the hash version and thus allows verifying older hashes. On the other hand, ruby-argon2 always sets the version to 1.3, making newer versions of the library useless if you have a database with older hashes.

As Ruby doesn't allow loading multiple versions of a gem simultaneously, there is currently no way to migrate to the current version of ruby-argon2.

[technion]

Unfortunately, you're referring to verifying pre-1.0-gem-release hashes, compatibility with these never having been something that came up before. It also goes back to before the reference C library had a close to stable API (it's still not great).

I'm not adverse to coding this but it'll take some time - and I'm not currently aware of any project having put Argon2 into production (with or without this gem) in its early, beta release state. It's been over a year since I tagged the 1.0 Gem. I spent a half hour searching Gemfiles on GitHub and cannot find anyone using an earlier version that would be affected by this.

Can you provide some more information around what you are doing that leads to this being an issue that cannot be worked around?

[lluchs]

Thanks for the quick reply. I built a simple application with the 0.1.0 version of this gem and was trying to upgrade the application to the current version now. "Production" in my case is just a small hobby site with around 60 users and very low security requirements (for the current site, a shared password for all users would do the job as well).

In any case, I now have a database with ~60 password hashes the current gem cannot verify.

I spent a half hour searching Gemfiles on GitHub and cannot find anyone using an earlier version that would be affected by this.

I found one other project ;)

But sure, it's likely that there are very few people with this problem. I suspect I can just add an FFI function for argon2i_verify from the C library myself and verify the old hashes with that (I didn't use a secret).

Feel free to close the issue if you think it's too much work for little gain.

[technion]

Hi,

Thanks for the confirmation. I don't want anyone left out so I will work on this issue.

[technion]

Hi,

I've found that with a fairly thin wrapper, I could address this easier than I thought. However, there is a catch.

Version 1.0 of this gem followed the process of the reference library at the time - which is to assume that a hash missing a version tag was using the latest hash. This is discussed in the README, along with the version tag that came later and made things a bit more sensible.

In order to not introduce yet another breaking behaviour, I've kept things as they are. Therefore to validate an existing hash using the legacy hash version, you will need have them include the version number. See the test suite here:

https://github.com/technion/ruby-argon2/blob/master/test/legacy.rb#L7

You should be able to insert that $v=13 into your database with a fairly easy regex so that it recognises old hashes accordingly.

I apologise for that mess, but as I've said on other issues, the mainline library has been a moving target which has introduced a number of complexities.

I'll tag a new release at some point, but if you wouldn't mind testing out and confirming with the git master it would be appreciated.

[lluchs]

Thanks a lot, I can confirm that my hashes indeed verify after adding $v=16 (not 13).

[technion]

Thanks for this confirmation, I've tagged a release with this fix.