Home

Awesome

Jargon2 Backends: Argon2 implementations for the Jargon2 API

Build Status Coverity Scan Build Status Maven metadata URI Quality Gate Security Rating License

This repository aims to be a collection of com.kosprov.jargon2.spi.Jargon2Backend SPI implementations, ready to be plugged into the Jargon2 API. Artifacts contain all service provider metadata and can be used by simply adding them into the runtime classpath.

Security considerations

This section summarizes any security considerations that come with the use of this library. Make sure you evaluate them before choosing to use any of the Jargon2 backends provided here and visit this section regularly for any updates.

ItemDescription
Default backend native library can be bypassedIf you're using the default backend (jargon2-native-ri-backend), the shared library it binds to can be overridden by defining one of -Djna.boot.library.path, -Djna.library.path and -Djna.nosys system properties. See Hardening your environment for more details.

The default backend

Currently, there is only one implementation named jargon2-native-ri-backend that wraps the Argon2 reference implementation. It's unique characteristic is that it binds directly to the low-level API of the C code. This allows for two distinctive features of the high-level Jargon2 API:

Usage

Simply add this dependency:

<dependency>
    <groupId>com.kosprov.jargon2</groupId>
    <artifactId>jargon2-native-ri-backend</artifactId>
    <version>1.1.1</version>
    <scope>runtime</scope>
</dependency>

jargon2-native-ri-backend contains META-INF/services/com.kosprov.jargon2.spi.Jargon2Backend metadata and is automatically discovered by Jargon2's discovery process. No build time dependency is necessary, so it's recommended to keep scope to runtime.

Pre-packaged binaries

To make adopting Jargon2 as easy as possible, jargon2-native-ri-backend has a transitive dependency to jargon2-native-ri-binaries-generic, an artifact that contains binaries of the reference implementation. They are available for Windows, Linux and macOS (x86-64 only), so it should work as-is on most systems.

Release 1.1.1 of jargon2-native-ri-binaries-generic contains binaries built from Argon2 release 20171227.

Using different binaries

There are at least three reasons why one would need to use different binaries than those included in jargon2-native-ri-binaries-generic:

To change the binaries you have two options:

If you're having doubts on which Argon2 binaries are loaded, start the JVM with -Djna.debug_load=true.

Hardening your environment

JNA searches for libraries in locations that can be can be controlled with -Djna.boot.library.path, -Djna.library.path and -Djna.nosys system properties. Keep your security engineers alerted and have them scan or change-detect for improper use of these properties. Make sure they protect them as they would protect JAAS login module or security manager system properties and configuration files. Changing those system properties so that a malicius native library gets loaded, will leak all your user's passwords.

If you are using SELinux, loading the native library from the classpath (as jargon2-native-ri-binaries-generic does) may not work. You would have to install the library in an accessible location. You can also define -Djna.nounpack=true to make sure the library is never unpacked from the classpath.