[PATCH] Add argon2.

[PATCH] Add argon2.

[Lukas Gradl]

[-- Attachment #1: Type: text/plain, Size: 541 bytes --]


Hello Guix,

Attached is a patch to add the password hashing library Argon2.  It is a
dependency for opendht.

The source tree contains the directory "blake2".  At first I thought
this is a bundled version of blake2, but it seems that this is a
seperate implementation.  The sources bundled with Argon2 are
significantly different from the ones at
https://github.com/BLAKE2/BLAKE2.
My conclusion is that this is a Blake2 implementation made by and for
Argon2.  Thus I did not unbundle it.  Do you agree with this?

Thank you!
Best,
Lukas



[-- Attachment #2: 0001-gnu-Add-argon2.patch --]
[-- Type: text/x-patch, Size: 2476 bytes --]

From ba263b4a49d1acf83e4e42d1e9e0d51572268928 Mon Sep 17 00:00:00 2001
From: Lukas Gradl <lgradl@openmailbox.org>
Date: Sun, 5 Jun 2016 15:35:24 -0500
Subject: [PATCH] gnu: Add argon2.

* gnu/packages/password-utils.scm (argon2): New variable.
---
 gnu/packages/password-utils.scm | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 30ed130..1579821 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2016 Jessica Tallon <tsyesika@tsyesika.se>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Lukas Gradl <lgradl@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -295,3 +296,39 @@ Synchronization is possible using the integrated git support, which commits
 changes to your password database to a git repository that can be managed
 through the pass command.")
     (license license:gpl2+)))
+
+(define-public argon2
+  (package
+    (name "argon2")
+    (version "20160406")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append
+         "https://codeload.github.com/P-H-C/phc-winner-"
+         name "/tar.gz/" version))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "0g6wa94sh639xl1qc8z21q43r1mp8y77r1zf8nwx5pfsxd8fmyzv"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:test-target "test"
+       #:make-flags '("CC=gcc")
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (replace 'install
+           (lambda _
+             (let ((out (assoc-ref %outputs "out")))
+               (install-file "argon2" (string-append out "/bin"))
+               (install-file "libargon2.a" (string-append out "/lib"))
+               (install-file "libargon2.so" (string-append out "/lib"))
+               (copy-recursively "include"
+                                 (string-append out "/include"))))))))
+    (home-page "https://www.argon2.com/")
+    (synopsis "Password hashing library")
+    (description "Argon2 provides a key derivation function that was declared
+winner of the 2015 Password Hashing Competition.")
+    (license license:cc0)))
-- 
2.7.4

Re: [PATCH] Add argon2.

[Leo Famulari]

On Sun, Jun 05, 2016 at 03:46:00PM -0500, Lukas Gradl wrote:
> 
> Hello Guix,
> 
> Attached is a patch to add the password hashing library Argon2.  It is a
> dependency for opendht.

Thanks :)

> The source tree contains the directory "blake2".  At first I thought
> this is a bundled version of blake2, but it seems that this is a
> seperate implementation.  The sources bundled with Argon2 are
> significantly different from the ones at
> https://github.com/BLAKE2/BLAKE2.
> My conclusion is that this is a Blake2 implementation made by and for
> Argon2.  Thus I did not unbundle it.  Do you agree with this?

My understanding from reading about blake2 and argon2 (not reading the
code) is that blake2 is a cryptographic hash function [0], and that
argon2 is a key derivation function [1] that uses blake2 for hashing.

When I see bundled crypto libraries, my questions are, "What's the
difference between the bundled library and the upstream code?" and "Will
they update the bundled library in a timely fashion?"

In this case, the argon2 README.md credits the blake2 code to Samuel
Neves, who is one of the designers of blake2. So, I will look into this
a little more closely to see if he reimplemented it for argon2 or if
they copied it from somewhere else.

The patch looks good to me aside from this question.

[0]
https://blake2.net/
https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29

[1]
https://en.wikipedia.org/wiki/Argon2
https://www.argon2.com/
https://password-hashing.net/submissions/specs/Argon-v3.pdf

Re: [PATCH] Add argon2.

[Leo Famulari]

On Sun, Jun 05, 2016 at 05:39:08PM -0400, Leo Famulari wrote:
> In this case, the argon2 README.md credits the blake2 code to Samuel
> Neves, who is one of the designers of blake2. So, I will look into this
> a little more closely to see if he reimplemented it for argon2 or if
> they copied it from somewhere else.

Argon2's commit history shows that Samuel Neves is a frequent
contributor to argon2, including the blake2 code. So, I think this
package is fine.

Re: [PATCH] Add argon2.

[Leo Famulari]

On Sun, Jun 05, 2016 at 11:42:42PM -0400, Leo Famulari wrote:
> On Sun, Jun 05, 2016 at 05:39:08PM -0400, Leo Famulari wrote:
> > In this case, the argon2 README.md credits the blake2 code to Samuel
> > Neves, who is one of the designers of blake2. So, I will look into this
> > a little more closely to see if he reimplemented it for argon2 or if
> > they copied it from somewhere else.
> 
> Argon2's commit history shows that Samuel Neves is a frequent
> contributor to argon2, including the blake2 code. So, I think this
> package is fine.

Pushed as 6d32dd8cef. Thanks!