Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
argon2-cffi-bindings
Advanced tools
argon2-cffi-bindings provides low-level CFFI bindings to the Argon2 password hashing algorithm including a vendored version of them.
The currently vendored Argon2 commit ID is f57e61e
.
If you want to hash passwords in an application, this package is not for you. Have a look at argon2-cffi with its high-level abstractions!
These bindings have been extracted from argon2-cffi and it remains its main consumer. However, they may be used by other packages that want to use the Argon2 library without dealing with C-related complexities.
argon2-cffi-bindings is available from PyPI. The provided CFFI bindings are compiled in API mode.
Best effort is given to provide binary wheels for as many platforms as possible.
A copy of Argon2 is vendored and used by default, but can be disabled if argon2-cffi-bindings is installed using:
$ env ARGON2_CFFI_USE_SYSTEM=1 \
python -m pip install --no-binary=argon2-cffi-bindings argon2-cffi-bindings
Usually the build process tries to guess whether or not it should use SSE2-optimized code (see _ffi_build.py
for details).
This can go wrong and is problematic for cross-compiling.
Therefore you can use the ARGON2_CFFI_USE_SSE2
environment variable to control the process:
1
, argon2-cffi-bindings will build with SSE2 support.0
, argon2-cffi-bindings will build without SSE2 support.However, if our heuristics fail you, we would welcome a bug report.
Since this package is intended to be an implementation detail, it uses a private module name to prevent your users from using it by accident.
Therefore you have to import the symbols from _argon2_cffi_bindings
:
from _argon2_cffi_bindings import ffi, lib
Please refer to cffi documentation on how to use the ffi
and lib
objects.
The list of symbols that are provided can be found in the _ffi_build.py
file.
argon2-cffi-bindings is available under the MIT license, available from PyPI, the source code and documentation can be found on GitHub.
argon2-cffi-bindings targets Python 3.6 and later, including PyPy3.
argon2-cffi-bindings is written and maintained by Hynek Schlawack. It is released under the MIT license.
The development is kindly supported by Variomedia AG.
The authors of Argon2 were very helpful to get the library to compile on ancient versions of Visual Studio for ancient versions of Python.
The documentation quotes frequently in verbatim from the Argon2 paper to avoid mistakes by rephrasing.
The original Argon2 repo can be found at https://github.com/P-H-C/phc-winner-argon2/.
Except for the components listed below, the Argon2 code in this repository is copyright (c) 2015 Daniel Dinu, Dmitry Khovratovich (main authors), Jean-Philippe Aumasson and Samuel Neves, and under CC0 license.
The string encoding routines in src/encoding.c are copyright (c) 2015 Thomas Pornin, and under CC0 license.
The BLAKE2 code in src/blake2/
is copyright (c) Samuel Neves, 2013-2015, and under CC0 license.
FAQs
Low-level CFFI bindings for Argon2
We found that argon2-cffi-bindings demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.