Closed. JKearnsl closed this 3 months ago.
There are two interfaces to Argon2, as outlined in the documentation:
https://docs.rs/argon2/latest/argon2/#usage

> `password-hash` crate. It's intended for typical password hashing applications which serialize the hash to a string in what's known as the PHC string format. It imposes additional constraints beyond what the Argon2 API is capable of.

> And in general, it's strange that the Argon2 structure, in addition to this, also has hashing methods that for some reason contain "password" in the name, and your implementation can hash things that are not passwords?
I assume your confusion here arises from the dual nature of the Argon2 API, but regardless, in either case the input is a password, and I don't have the faintest understanding of what may have led you to a conclusion like "your implementation can hash things that are not passwords", as in all cases the inputs to Argon2 are intended to be passwords.

> I want to hash sessions/strings/whatever; this is a weird interface and behavior!
Argon2 is a password hashing algorithm / password-based KDF. It is not intended for applications which don't use a password as at least one of the inputs.
If you are just trying to derive a key from a number of inputs, one of which is a secret high-entropy string but not a "password", consider HKDF instead.
Hello!
I recently started using your crate Argon2 but noticed strange behavior.
When initializing the Argon2 structure, I can set the output length to 0xFFFFFFFF, or 4294967295 in decimal. The code explicitly specifies a constant and checks it:
https://github.com/RustCrypto/password-hashes/blob/0715e565f391b74d4de0948585e1a2636d12ee9f/argon2/src/params.rs#L80-L83
https://github.com/RustCrypto/password-hashes/blob/0715e565f391b74d4de0948585e1a2636d12ee9f/argon2/src/params.rs#L137-L145
Because of this, the initialization of the structure occurs successfully and everything is logical!
But during hashing, the `hash_password` function calls the method `init_with`:
https://github.com/RustCrypto/password-hashes/blob/0715e565f391b74d4de0948585e1a2636d12ee9f/argon2/src/lib.rs#L585-L589
The implementation of which is located in another crate, and here different checks take place, for a different length: a maximum of 64 characters and a minimum of 10.
https://github.com/RustCrypto/traits/blob/b1f6b1d37ac332b881b41e44f293f6662c98f25f/password-hash/src/output.rs#L147-L173
It is very strange. And in general, it’s strange that the Argon2 structure, in addition to this, also has hashing methods that for some reason contain “password” in the name, and your implementation can hash things that are not passwords? I want to hash sessions/strings/whatever; this is a weird interface and behavior!