kozw
commented
3 years ago You are right, those padded \u000s shouldn't be there. And the verify function string length check is invalid.
The use of null-terminated strings in Dart does raise some issues, so here's a backwards incompatible design proposal.
Sodium.cryptoPwhashStrno longer returns a Dart string, but a Uint8List which does include the null terminator if shorter thancrypto_pwhash_STRBYTESSodium.cryptoPwhashStrVerifyno longer accepts a Dart string, but a Uint8List which must include the null terminator if shorter thancrypto_pwhash_STRBYTES
The high-level PasswordHash class will not change and continue to use Dart Strings. Internally it will convert Dart strings to a null terminated Uint8List.
If you want to use the flutter_sodium hashes with other libraries, you should use the core Sodium functions. If you stick with Dart only you can use PasswordHash.
Thoughts?
vishnukvmd
When I call
cryptoPwhashStr, the resulting output seems to always be of length 128 and is returned padded with\u000s.I don't see this behavior documented. All I can find is:
Which makes me wonder if this check is necessary.
This extra padding seems to be breaking counterparts like libsodium.js which rejects calls to
crypto_pwhash_str_verifyfor hashes that are generated from the flutter_sodium library. Everything works fine if I trim out all but the last\u000.Apologies if I've missed something here. If I haven't, it would be great if we could have consistency across the multiple implementations of libsodium.
Thanks again for everything!