Closed seremenko-wish closed 3 years ago
Thanks so much for the clear report and failing test. I've just pushed commit https://github.com/alexedwards/argon2id/commit/e2135f7c9c7702071aa8c0881f593a3f039e69da which fixes this.
Thanks for fixing it in the article too :) It is in the first position for many Google searches related to using Argon2 with Golang, and obviously this issue leaked into many projects.
Since this is fixed, can this issue be closed?
Test for reproduction
The issue is in base64 decrypt function call here https://github.com/alexedwards/argon2id/blob/master/argon2id.go#L165 and here https://github.com/alexedwards/argon2id/blob/master/argon2id.go#L171. If you don't use strict mode for these calls, you end up successfully matching invalid hashes.
More info:
Solution:
base64.RawStdEncoding.DecodeString calls should be replaced with base64.RawStdEncoding.Strict().DecodeString
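The following is an added example, not code from the argon2id project, showing why the lenient decode matters: it counts how many distinct encodings of the salt field decode to the same bytes with and without Strict(). It assumes a constructed hash string with an all-zero 16-byte salt and a dummy key; the field layout ($argon2id$v=..$m=..$salt$key) is the one the package parses.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

const b64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// decodeField decodes one unpadded base64 field of an argon2id hash string.
// strict=false is the lenient call reported in the issue; strict=true is the
// proposed fix, base64.RawStdEncoding.Strict().DecodeString, which rejects
// input whose unused trailing bits are not zero (RFC 4648 section 3.5).
func decodeField(field string, strict bool) ([]byte, error) {
	enc := base64.RawStdEncoding
	if strict {
		enc = base64.RawStdEncoding.Strict()
	}
	return enc.DecodeString(field)
}

// aliases returns every string that differs from canonical only in its last
// character and still decodes, under the chosen mode, to the same bytes.
// A canonical encoding should have exactly one alias: itself.
func aliases(canonical string, strict bool) []string {
	want, err := decodeField(canonical, strict)
	if err != nil {
		return nil
	}
	var out []string
	for _, c := range b64Alphabet {
		cand := canonical[:len(canonical)-1] + string(c)
		got, err := decodeField(cand, strict)
		if err == nil && bytes.Equal(got, want) {
			out = append(out, cand)
		}
	}
	return out
}

// saltField extracts the salt (5th '$'-separated part) of an argon2id hash string.
func saltField(hash string) string {
	return strings.Split(hash, "$")[4]
}

func main() {
	// Constructed hash: 16 zero bytes of salt encode to 22 chars, so the last
	// character carries 4 unused trailing bits; the key field is a dummy value.
	hash := "$argon2id$v=19$m=65536,t=1,p=2$AAAAAAAAAAAAAAAAAAAAAA$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	salt := saltField(hash)
	fmt.Printf("lenient: %d encodings decode to the same salt\n", len(aliases(salt, false))) // 16
	fmt.Printf("strict:  %d encodings decode to the same salt\n", len(aliases(salt, true)))  // 1
}
```

With the lenient decoder, 16 different hash strings are all accepted as the same salt, so a stored hash no longer has a single canonical form; Strict() restores that.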