jedisct1 / libsodium.js

libsodium compiled to WebAssembly and pure JavaScript, with convenient wrappers.

invalid salt length #331

Closed vault-thirteen closed 9 months ago

vault-thirteen commented 9 months ago
let salt = getSalt(); // Uint8Array of size 1024.
let pwd = getPwd(); // A short string.
let argon2KeySize = 1024;
let argon2Iterations = 1;
let argon2Mem = 64 * 1024;
let alg = sodium.crypto_pwhash_ALG_ARGON2ID13;
let key = sodium.crypto_pwhash(argon2KeySize, pwd, salt, argon2Iterations, argon2Mem, alg);

The result is:

Uncaught TypeError: invalid salt length

What am I doing wrong?

The same function call in Golang with salt having 1024 bytes does not throw any error. https://pkg.go.dev/golang.org/x/crypto/argon2

Thank you.

jedisct1 commented 9 months ago

Try a little bit by yourself, so you get familiar with how to use the library. This is all documented.

vault-thirteen commented 9 months ago

I think I have found a difference between the C and Go libraries. The C library measures memory in bytes, while Go measures it in KiB.

memlimit is the maximum amount of RAM in bytes that the function will use.

However, when I change memory limit to 64 MiB, nothing changes.

let argon2Mem = 64 * 1024 * 1024;

Uncaught TypeError: invalid salt length

  1. There is a minimum iteration count for the 2i algorithm; however, there is no limit for 2id, so I assume that 1 iteration is accepted.

opslimit, the number of passes, must be at least 3 when using Argon2i.

  2. I see no limits for pwd length in my web browser's console.

sodium.crypto_pwhash_PASSWD_MIN is 0
sodium.crypto_pwhash_PASSWD_MAX is -1

  3. Salt

The crypto_pwhash() function derives an outlen bytes long key from a password passwd whose length is passwdlen and a salt salt whose fixed length is crypto_pwhash_SALTBYTES bytes.

My browser shows that sodium.crypto_pwhash_SALTBYTES is 16. Is this the reason?

vault-thirteen commented 9 months ago

salt (S): Bytes (8..2^32-1) Salt (16 bytes recommended for password hashing) https://en.wikipedia.org/wiki/Argon2

Is 16 bytes a maximum limit of Argon2ID? No. It is not a limit. It is just a recommendation, not more than that.

According to the encyclopedia Wikipedia, the Argon2 algorithm allows the salt length to be up to 2^32 minus 1!

So, I have found a bug in your library. Salt size limit of 16 is a bug.

vault-thirteen commented 9 months ago

Why did you close the issue? Please re-open it.

jedisct1 commented 9 months ago

Even against quantum adversaries, there's no point in using more than 128 bits for the salt. This is not even guaranteed to be supported by other algorithms (crypto_pwhash is a high-level function, the underlying algorithm can change).
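
Added example, not part of the thread and not libsodium.js code: one way to call `crypto_pwhash` when an existing salt is longer than `crypto_pwhash_SALTBYTES`, reducing it with `crypto_generichash` and converting a Go-style KiB memory figure to the bytes that `memlimit` expects. `fitSalt` and `deriveKey` are hypothetical helper names, and `sodium` is assumed to be a libsodium-wrappers instance whose `ready` promise has resolved.

```javascript
// Added example (not libsodium.js source). `sodium` is assumed to be a
// libsodium-wrappers instance whose `ready` promise has already resolved.
// fitSalt and deriveKey are hypothetical helper names.

// Return a salt of exactly crypto_pwhash_SALTBYTES bytes (16 in the thread).
function fitSalt(sodium, salt) {
  const want = sodium.crypto_pwhash_SALTBYTES;
  if (!(salt instanceof Uint8Array)) {
    throw new TypeError("salt must be a Uint8Array");
  }
  if (salt.length === want) return salt;
  if (salt.length < want) {
    // Refuse rather than pad: padding adds no entropy to the salt.
    throw new RangeError(`salt must be at least ${want} bytes`);
  }
  // Longer salt: compress with BLAKE2b so every input byte affects the
  // result, instead of silently truncating to the first bytes.
  return sodium.crypto_generichash(want, salt);
}

// Argon2id via crypto_pwhash. memKiB uses the KiB unit of Go's
// argon2.IDKey; crypto_pwhash expects memlimit in bytes.
function deriveKey(sodium, password, salt, { keyLen, opsLimit, memKiB }) {
  if (!Number.isInteger(memKiB) || memKiB <= 0) {
    throw new RangeError("memKiB must be a positive integer");
  }
  return sodium.crypto_pwhash(
    keyLen,
    password,
    fitSalt(sodium, salt),
    opsLimit,
    memKiB * 1024, // KiB -> bytes
    sodium.crypto_pwhash_ALG_ARGON2ID13
  );
}

// Usage with the thread's parameters (1024-byte salt, 64 MiB, 1 pass):
//   await sodium.ready;
//   const key = deriveKey(sodium, pwd, salt,
//                         { keyLen: 1024, opsLimit: 1, memKiB: 64 * 1024 });
```

A key derived this way will not match the output of Go's `argon2.IDKey` for the original 1024-byte salt, because the salt that reaches Argon2 is different.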