Add pwhash argon2i

[lmctv]

As suggested by @reaperhulk, I'm early-posting the argon2i bindings I'm working on, to add the needed testing context to the #260 PR and starting to implement #233.

While I think the implementation is reasonably complete, documentation is completely missing.

[codecov-io]

Codecov Report

Merging #261 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #261      +/-   ##
==========================================
+ Coverage   99.85%   99.88%   +0.02%     
==========================================
  Files          36       37       +1     
  Lines        1418     1698     +280     
  Branches       69       90      +21     
==========================================
+ Hits         1416     1696     +280     
  Misses          1        1              
  Partials        1        1

Impacted Files	Coverage Δ
src/nacl/bindings/__init__.py	100% <ø> (ø)	⬆️
src/nacl/pwhash.py	100% <100%> (ø)	⬆️
tests/test_pwhash.py	100% <100%> (ø)	⬆️
src/nacl/bindings/crypto_pwhash.py	100% <100%> (ø)	⬆️
tests/test_shorthash.py	100% <0%> (ø)	⬆️
tests/test_generichash.py	100% <0%> (ø)	⬆️
src/nacl/bindings/crypto_box.py	100% <0%> (ø)	⬆️
src/nacl/bindings/crypto_shorthash.py	100% <0%> (ø)	⬆️
src/nacl/hash.py	100% <0%> (ø)	⬆️
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 05cedd6...b0edee3. Read the comment docs.

[lmctv]

I don't understand what's happening in jenkin's windows environments, since all of the symbols I'm using seem to be correctly exported, at least from a libsodium's include perspective.

[reaperhulk]

libsodium is precompiled on the windows builder and appears to be out of date. Looks like I need to upgrade it.

[lmctv]

Thank you for letting me know. Those Jenkins errors got me worried!

[reaperhulk]

Jenkins, retest this please

[reaperhulk]

Jenkins, retest this please

[lmctv]

@reaperhulk is jenkin's

_sodium.obj : error LNK2019: unresolved external symbol _crypto_pwhash_argon2i_bytes_max

caused by a too old libsodium library as happened on february?

[lmctv]

@reaperhulk I think this is ready for review now (assuming the windows problem stems from outdated libs)

[reaperhulk]

No doubt. I haven't had a chance to upgrade the windows builders to 1.0.12 yet.

[reaperhulk]

Jenkins, retest this please

[reaperhulk]

Eeeh, jenkins is being a pain but hypothetically libsodium is now upgraded. Rebase/push a commit and we can confirm that.

[reaperhulk]

Looks like there's an issue on 32-bit related to maximum memory limit and I need to do one fix for 64-bit python 2.7 on my end.

[lmctv]

Strange failures:

1. jenkins py27 {w32,w64}:

c:\libsodium-1.0.12-msvc\include\sodium\crypto_hash_sha512.h(12) :
fatal error C1083: Cannot open include file: 'stdint.h': No such file or directory

2. jenkins py3{3,4,5} w32:

nacl.exceptions.ValueError: memlimit must be at most 32768 bytes

Must see what happens with crypto_pwhash_argon2i_MEMLIMIT_MAX on a 32bit linux system.

[reaperhulk]

the 64-bit error should be resolved. I had a missing header.

[lmctv]

Any kind of review would surely help both me, if you find missing or wrong stuff, and the committers in reviewing and eventually approving the PR.

[maqp]

Thoughts on key derivation API

• opslimit and memlimit (and their default values) should probably be explained in the documentation

• Argument for adjusting parallelism seems to be missing from the API

• I'd love to have all different parameters available in the API so that the test vectors could be replicated easily. (This means parameters for secret and associated data would also need to be added (preferably between memlimit and encoder). I understand duplicate tests are not very useful, but it could help users to check that the library is being used correctly.

I found no other major issues in usability. My expertise in reviewing the bindings and implementation are non-existent and IANAC, so proper review is up to others. That being said, thank you for your effort!

[lmctv]

@maqp You are right about the need to at least expose the named opslimit and memlimit constants; will comply as soon as I can.

As for the limited API, we have to live within the limits of what libsodium itself exposes; in this case, the simplified argon2i API documented at

https://download.libsodium.org/doc/password_hashing/the_argon2i_function.html

While preparing this PR, I've even tried to open an issue suggesting to also export the low-level full phc
API, jedisct1/libsodium#488 but the issue has been rejected.

Thank you for your time.

[reaperhulk]

This should say int

[lmctv]

I'm away from my workstation for a couple of days; will add the needed change in a few days.

[reaperhulk]

I may have asked this before, but remind me where these test vectors are from?

[reaperhulk]

Oops, I think #260 is where these test vectors come from actually? I assume you intend to rebase this PR after #260 merges still, is that correct?

[lmctv]

I posted two distict PRs to keep myself honest with the test vectors; but I think this could as well get in all at once.

I've generated the vectors scripting the command line interface from mainline argon2, since the RFC vectors used different sized salts, which are not supported by libsodium; if you think it could be useful, I could add the generator script.

[lmctv]

@reaperhulk I just remembered I've already put the driver script I've used to generate the vectors in #260 online at https://gist.github.com/lmctv/b035a96ca7c867464ab62482dc81555c

To use the script, and generate a set of test vectors, you need a executable
copy of the argon2 cli utility as can be compiled from the sources available at https://github.com/P-H-C/phc-winner-argon2 .

I'm unsure about what is the right place for the gist script in pynacl sources; any suggestions?

[lmctv]

@reaperhulk what about putting the vector generation driver inside the docs?

[reaperhulk]

We do that with cryptography, although we don't currently have a place for it in the docs here. If you want to add a new section in the style we use on the other project that would be good.

[lmctv]

Just took a look at the general structure of the vectors sectoin of cryptography docs; it seems at least a crude version for pynacl is within reach of my writing skills...

[lmctv]

@reaperhulk would you mind taking a look at the present status of #287 ? I think that would be the right place for adding a "how this project is tested" heading and then describe where the test vectors come from, and the instructions/code needed to generate those vectors we didn't find a canonical source for.

[lmctv]

@reaperhulk just a little note on merge strategy: since the single-commit in #260 was not altered in this PR, even if merging separately there should be non need to rebasing #261 after merging #260.

[lmctv]

@reaperhulk P.S. for the separate merge to work, I think #260 must be merged as-is and not rebased on top of current master...

[reaperhulk]

Okay, verified the vectors, looked it over again, and left one comment. It'd also possibly be nice to note that there are some known weaknesses with data-independent memory hard functions that data dependent functions like scrypt (or argon2d) do not suffer from. See: https://www.youtube.com/watch?v=YtfVLzUkwME

Essentially: there is a reasonable argument to be made that argon2i is not actually the PBKDF you should use. It is reasonable to still prefer scrypt.

[reaperhulk]

Small rephrasing:

Contrary to the hashed password storage case where a serialization format is well-defined, in the raw key derivation case the library user must take care to store (and retrieve) both a reference to the kdf used to derive the secret key and all the derivation parameters. These parameters are needed to later generate the same secret key from the password.

[reaperhulk]

here we go 😮

[lmctv]

@reaperhulk thank you very much for your continued help and support.
@maqp thank you very much for your helpful pre-review.