line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Crypt::Passphrase::Argon2::Encrypted; |
2
|
|
|
|
|
|
|
$Crypt::Passphrase::Argon2::Encrypted::VERSION = '0.008'; |
3
|
1
|
|
|
1
|
|
69310
|
use strict; |
|
1
|
|
|
|
|
12
|
|
|
1
|
|
|
|
|
27
|
|
4
|
1
|
|
|
1
|
|
6
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
46
|
|
5
|
|
|
|
|
|
|
|
6
|
1
|
|
|
1
|
|
452
|
use Crypt::Passphrase 0.010 -encoder; |
|
1
|
|
|
|
|
14775
|
|
|
1
|
|
|
|
|
6
|
|
7
|
1
|
|
|
1
|
|
7661
|
use Crypt::Passphrase::Argon2; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
34
|
|
8
|
|
|
|
|
|
|
|
9
|
1
|
|
|
1
|
|
7
|
use Carp 'croak'; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
51
|
|
10
|
1
|
|
|
1
|
|
6
|
use Crypt::Argon2 0.017 qw/argon2_raw argon2_verify argon2_types/; |
|
1
|
|
|
|
|
17
|
|
|
1
|
|
|
|
|
49
|
|
11
|
1
|
|
|
1
|
|
446
|
use MIME::Base64 qw/encode_base64 decode_base64/; |
|
1
|
|
|
|
|
604
|
|
|
1
|
|
|
|
|
1091
|
|
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
my %multiplier = ( |
14
|
|
|
|
|
|
|
k => 1024, |
15
|
|
|
|
|
|
|
M => 1024 * 1024, |
16
|
|
|
|
|
|
|
G => 1024 * 1024 * 1024, |
17
|
|
|
|
|
|
|
); |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
sub new { |
20
|
2
|
|
|
2
|
1
|
128
|
my ($class, %args) = @_; |
21
|
2
|
|
50
|
|
|
17
|
$args{output_size} //= 32; |
22
|
2
|
|
|
|
|
14
|
my $self = bless Crypt::Passphrase::Argon2::_settings_for(%args), $class; |
23
|
2
|
|
|
|
|
29
|
$self->{memory_cost} =~ s/ \A (\d+) ([kMG]) \z / $1 * $multiplier{$2} /xe; |
|
2
|
|
|
|
|
17
|
|
24
|
2
|
|
|
|
|
6
|
$self->{cipher} = $args{cipher}; |
25
|
2
|
|
|
|
|
8
|
$self->{active} = $args{active}; |
26
|
2
|
|
|
|
|
9
|
return $self; |
27
|
|
|
|
|
|
|
} |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
my $format = '$%s-encrypted$v=1,cipher=%s,id=%s$v=19$m=%d,t=%d,p=%d$%s$%s'; |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
sub _pack_hash { |
32
|
7
|
|
|
7
|
|
40
|
my ($subtype, $cipher, $id, $m_cost, $t_cost, $parallel, $salt, $hash) = @_; |
33
|
7
|
|
|
|
|
62
|
my $encoded_salt = encode_base64($salt, '') =~ tr/=//dr; |
34
|
7
|
|
|
|
|
29
|
my $encoded_hash = encode_base64($hash, '') =~ tr/=//dr; |
35
|
7
|
|
|
|
|
109
|
return sprintf $format, $subtype, $cipher, $id, $m_cost / 1024, $t_cost, $parallel, $encoded_salt, $encoded_hash; |
36
|
|
|
|
|
|
|
} |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
my $regex = qr/ ^ \$ ($Crypt::Argon2::type_regex)-encrypted \$ v=1, cipher=([^\$,]+) , id=([^\$,]+) \$ v=(\d+) \$ m=(\d+), t=(\d+), p=(\d+) \$ ([^\$]+) \$ (.*) $ /x; |
39
|
|
|
|
|
|
|
|
40
|
|
|
|
|
|
|
sub _unpack_hash { |
41
|
12
|
|
|
12
|
|
31
|
my ($pwhash) = @_; |
42
|
12
|
100
|
|
|
|
386
|
my ($subtype, $alg, $id, $version, $m_cost, $t_cost, $parallel, $encoded_salt, $encoded_hash) = $pwhash =~ $regex or return; |
43
|
9
|
|
|
|
|
52
|
my $salt = decode_base64($encoded_salt); |
44
|
9
|
|
|
|
|
27
|
my $hash = decode_base64($encoded_hash); |
45
|
9
|
|
|
|
|
87
|
return ($subtype, $alg, $id, $version, $m_cost * 1024, $t_cost, $parallel, $salt, $hash); |
46
|
|
|
|
|
|
|
} |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
my $unencrypted_regex = qr/ ^ \$ ($Crypt::Argon2::type_regex) \$ v=(\d+) \$ m=(\d+), t=(\d+), p=(\d+) \$ ([^\$]+) \$ (.*) $ /x; |
49
|
|
|
|
|
|
|
sub recrypt_hash { |
50
|
2
|
|
|
2
|
1
|
10
|
my ($self, $input, $to) = @_; |
51
|
2
|
|
33
|
|
|
20
|
$to //= $self->{active}; |
52
|
2
|
100
|
|
|
|
6
|
if (my ($subtype, $alg, $id, $version, $m_cost, $t_cost, $parallel, $salt, $hash) = _unpack_hash($input)) { |
|
|
50
|
|
|
|
|
|
53
|
1
|
50
|
33
|
|
|
8
|
return $input if $id eq $to and $alg eq $self->{cipher}; |
54
|
1
|
|
|
|
|
5
|
my $decrypted = $self->decrypt_hash($alg, $id, $salt, $hash); |
55
|
1
|
|
|
|
|
81
|
my $encrypted = $self->encrypt_hash($self->{cipher}, $to, $salt, $decrypted); |
56
|
1
|
|
|
|
|
78
|
return _pack_hash($subtype, $self->{cipher}, $to, $m_cost, $t_cost, $parallel, $salt, $encrypted); |
57
|
|
|
|
|
|
|
} |
58
|
|
|
|
|
|
|
elsif (($subtype, $version, $m_cost, $t_cost, $parallel, my $encoded_salt, my $encoded_hash) = $input =~ $unencrypted_regex) { |
59
|
1
|
|
|
|
|
8
|
my $salt = decode_base64($encoded_salt); |
60
|
1
|
|
|
|
|
3
|
my $hash = decode_base64($encoded_hash); |
61
|
1
|
|
|
|
|
9
|
my $encrypted = $self->encrypt_hash($self->{cipher}, $to, $salt, $hash); |
62
|
1
|
|
|
|
|
73
|
return _pack_hash($subtype, $self->{cipher}, $to, $m_cost * 1024, $t_cost, $parallel, $salt, $encrypted); |
63
|
|
|
|
|
|
|
} |
64
|
|
|
|
|
|
|
else { |
65
|
0
|
|
|
|
|
0
|
return $input; |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
} |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
sub hash_password { |
70
|
1
|
|
|
1
|
1
|
14
|
my ($self, $password) = @_; |
71
|
|
|
|
|
|
|
|
72
|
1
|
|
|
|
|
10
|
my $salt = $self->random_bytes($self->{salt_size}); |
73
|
1
|
|
|
|
|
10447
|
my $raw = argon2_raw($self->{subtype}, $password, $salt, @{$self}{qw/time_cost memory_cost parallelism output_size/}); |
|
1
|
|
|
|
|
275684
|
|
74
|
1
|
|
|
|
|
29
|
my $encrypted = $self->encrypt_hash($self->{cipher}, $self->{active}, $salt, $raw); |
75
|
|
|
|
|
|
|
|
76
|
1
|
|
|
|
|
92
|
return _pack_hash(@{$self}{qw/subtype cipher active memory_cost time_cost parallelism/}, $salt, $encrypted); |
|
1
|
|
|
|
|
10
|
|
77
|
|
|
|
|
|
|
} |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
sub needs_rehash { |
80
|
5
|
|
|
5
|
1
|
2484
|
my ($self, $pwhash) = @_; |
81
|
5
|
100
|
|
|
|
25
|
my ($subtype, $alg, $id, $version, $m_cost, $t_cost, $parallel, $salt, $hash) = _unpack_hash($pwhash) or return 1; |
82
|
4
|
100
|
|
|
|
18
|
return 1 if $pwhash ne _pack_hash(@{$self}{qw/subtype cipher active memory_cost time_cost parallelism/}, $salt, $hash); |
|
4
|
|
|
|
|
24
|
|
83
|
3
|
|
33
|
|
|
39
|
return length $salt != $self->{salt_size} || length $hash != $self->{output_size}; |
84
|
|
|
|
|
|
|
} |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
sub crypt_subtypes { |
87
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
88
|
0
|
|
|
|
|
0
|
return map { ("$_-encrypted", $_) } argon2_types; |
|
0
|
|
|
|
|
0
|
|
89
|
|
|
|
|
|
|
} |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
sub verify_password { |
92
|
5
|
|
|
5
|
1
|
57
|
my ($self, $password, $pwhash) = @_; |
93
|
5
|
100
|
|
|
|
16
|
if (my ($subtype, $alg, $id, $version, $m_got, $t_got, $parallel_got, $salt, $hash) = _unpack_hash($pwhash)) { |
|
|
50
|
|
|
|
|
|
94
|
4
|
50
|
|
|
|
10
|
my $raw = eval { argon2_raw($subtype, $password, $salt, $t_got, $m_got, $parallel_got, length $hash) } or return !!0; |
|
4
|
|
|
|
|
1113302
|
|
95
|
4
|
50
|
|
|
|
39
|
my $decrypted = eval { $self->decrypt_hash($alg, $id, $salt, $hash) } or return !!0; |
|
4
|
|
|
|
|
57
|
|
96
|
|
|
|
|
|
|
|
97
|
4
|
|
|
|
|
485
|
return $self->secure_compare($decrypted, $raw); |
98
|
|
|
|
|
|
|
} |
99
|
|
|
|
|
|
|
elsif ($pwhash =~ $unencrypted_regex) { |
100
|
1
|
|
|
|
|
267317
|
return argon2_verify($pwhash, $password); |
101
|
|
|
|
|
|
|
} |
102
|
|
|
|
|
|
|
} |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
#ABSTRACT: A base-class for encrypting/peppered Argon2 encoders for Crypt::Passphrase |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
__END__ |