technion / ruby-argon2 / 6034920343

99%

push

github

Make default costs RFC 9106's second preferred option; introduce named cost profiles (#62)

* Make default costs RFC 9106's second preferred option

RFC 9106 is the formal standard for describing Argon2. It also gives the official recommended cost parameters that should be sufficient for all environments. This commit introduces the concept of named profiles for a set of cost parameters/values and changes the default costs to `:rfc_9106_low_memory`, the second preferred option in the RFC. The RFC's first choice can be quite computationally expensive and, mirroring Python's `argon2-cffi`, we leave that as an opt-in choice.

A developer can use one of the named profiles, or continue to hand specify costs:

```ruby
hasher = Argon2::Password.new(profile: :rfc_9106_high_memory)
hasher.create("password")
    => "$argon2id$v=19$m=2097152,t=1,p=4$LvHa74Yax7uCWPN7P6/oQQ$V1dMt4dfuYSmLpwUTpKUzg+RrXjWzWHlE6NLowBzsAg"

hasher = Argon2::Password.new(t_cost: 2, m_cost: 16, p_cost: 1)
hasher.create("password")
    => "$argon2i$v=19$m=65536,t=2,p=1$jL7lLEAjDN+pY2cG1N8D2g$iwj1ueduCvm6B9YVjBSnAHu+6mKzqGmDW745ALR38Uo"
```

The list of named cost profiles are:

* `:rfc_9106_high_memory`: the first recommended option but is expensive
* `:rfc_9106_low_memory`: the second recommended option (default)
* `:pre_rfc_9106`: the previous default costs for `ruby-argon2` <= v2.2.0, before offering RFC 9106 named profiles
* `:unsafe_cheapest`: Strictly for testing, the minimum costs allowed by Argon2 for the fastest hashing speed

A developer can see the list of profiles with `Argon2::Profiles.to_a` and the actual cost values with `.to_h` or `[name]`. As guidance changes over time (OWASP has its own recommended values), the list of profiles may expand or even change their values.

* Satisfy rubocop

39 of 41 new or added lines in 3 files covered. (95.12%)

302 of 304 relevant lines covered (99.34%)

178.24 hits per line