hash_encoded produces encodings that can't be verified

[ocharles]

hash_encoded is validating input against #DEFINEs in argon2.h. However, decode_string is using its own validation which is different from these defines. For example, I can generate this hash: $argon2i$m=20000,t=1,p=475$QW4gKOKIniwx... - but I can't decode it because p=475, but decode_string checks:

    /*
     * The parallelism p must be between 1 and 255. The memory cost
     * parameter, expressed in kilobytes, must be at least 8 times
     * the value of p.
     */
    if (ctx->lanes < 1 || ctx->lanes > 255) {
        return 0;
    }

I imagine there are more problems in decode_string that just the p parameter.

[jedisct1]

Maybe just reuse validate_inputs() as in https://github.com/jedisct1/libsodium/commit/08d3b8a19ca0caa796c3bd508aa24a7cb4e92b3a ?

[khovratovich]

Currently the verification procedure is more aggressive in parameters than the encoding one. The verification rejects all the strings where salts and outputs are too short or too long. The exact restrictions are specified in the description of argon2i_verify() in argon2.h.

For more permissive processing you can change the respective constants (ARGON2_MAX/MIN_DECODED_SALT/AD/OUT_LEN) or call decode_string() explicitly as argon2_verify() does.

We may consider increasing these constants if it is really needed.