eznacl 2.1.1

A wrapper around NaCl which makes working with cryptography even easier
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

use argon2::{self, Config, ThreadMode, Variant, Version};
use rand::Rng;

/// The HashStrength type specifies how strong of a password hash is requested. Despite the term
/// 'Basic', it provides the recommended 1 second processing time on a 4th-generation Intel i5 and
/// an acceptable processing time on computers with less or more processor power. The other levels
/// increase the memory cost, increasing processing time without undue strain on weaker hardware.
pub enum HashStrength {
	Basic,
	Extra,
	Secret,
	Extreme
}

/// hash_password is a simple function to turn a string into a 256-bit Argon2 password hash. If you
/// don't want to bother fine-tuning your Argon2id parameters and just want something simple and
/// secure for day-to-day use, use this.
pub fn hash_password(password: &str, strength: HashStrength) -> String {
	let mem = match strength {
		HashStrength::Basic => 0x100_000,	// 1MiB
		HashStrength::Extra => 0x200_000,	// 2MiB
		HashStrength::Secret => 0x400_000,	// 4Mib
		HashStrength::Extreme => 0x800_000	// 8MiB
	};

	let config = Config {
		variant: Variant::Argon2id,
		version: Version::Version13,
		mem_cost: mem,
		time_cost: 1,
		thread_mode: ThreadMode::Parallel,
		lanes: 2,
		secret: &[],
		ad: &[],
		hash_length: 32
	};
	
	let salt = rand::thread_rng().gen::<[u8; 16]>();
	let hash = argon2::hash_encoded(password.as_bytes(), &salt, &config).unwrap();
	hash
}

/// hash_password_enhanced() provides greater control over the password hashing process. Generally
/// speaking, threads should be double your available CPU cores. Dial in the memory cost to roughly
/// achieve your computation time and then adjust the time cost from there.
pub fn hash_password_enhanced(password: &str, memcost: u32, timecost: u32, threads: u32) -> String {
	let config = Config {
		variant: Variant::Argon2id,
		version: Version::Version13,
		mem_cost: memcost,
		time_cost: timecost,
		thread_mode: ThreadMode::Parallel,
		lanes: threads,
		secret: &[],
		ad: &[],
		hash_length: 32
	};
	
	let salt = rand::thread_rng().gen::<[u8; 16]>();
	let hash = argon2::hash_encoded(password.as_bytes(), &salt, &config).unwrap();
	hash
}

/// Returns a true if the given password matches the given hash
pub fn check_password(password: &str, hash: &str) -> Result<bool, argon2::Error> {
	argon2::verify_encoded(&hash, password.as_bytes())
}

#[cfg(test)]
mod tests {
	#[test]
	fn pw_check_hash() {
		let password = "MyS3cretPassw*rd";
		let pwhash = crate::hash_password(password, crate::HashStrength::Basic);
		
		match crate::check_password(password, &pwhash) {
			Ok(v) => assert!(v),
			Err(e) => panic!("{}",e)
		}
		
		// Here we actually tune the password hashing algorithm to be *less* secure, not more, just
		// to make the test run faster 🤪
		let pwhash = crate::hash_password_enhanced(password, 65536, 1, 4);
		match crate::check_password(password, &pwhash) {
			Ok(v) => assert!(v),
			Err(e) => panic!("{}", e)
		}
	}
}