vault-thirteen closed 9 months ago
Try a little bit by yourself, so you get familiar with how to use the library. This is all documented.
I think I have found a difference between the C and Go libraries. The C library measures memory in bytes while Go measures in KiB.
memlimit is the maximum amount of RAM in bytes that the function will use.
However, when I change memory limit to 64 MiB, nothing changes.
let argon2Mem = 64 * 1024 * 1024;
Uncaught TypeError: invalid salt length
opslimit, the number of passes, must be at least 3 when using Argon2i.
sodium.crypto_pwhash_PASSWD_MIN is 0
sodium.crypto_pwhash_PASSWD_MAX is -1
The crypto_pwhash() function derives an outlen bytes long key from a password passwd whose length is passwdlen and a salt salt whose fixed length is crypto_pwhash_SALTBYTES bytes.
My browser shows that sodium.crypto_pwhash_SALTBYTES is 16. Is this the reason?
salt (S): Bytes (8..2^32-1) Salt (16 bytes recommended for password hashing) https://en.wikipedia.org/wiki/Argon2
Is 16 bytes a maximum limit of Argon2ID? No. It is not a limit. It is just a recommendation, not more than that.
According to the encyclopedia Wikipedia, the Argon2 algorithm allows the salt length to be up to 2^32 minus 1!
So, I have found a bug in your library. Salt size limit of 16 is a bug.
Why did you close the issue? Please re-open it.
Even against quantum adversaries, there's no point in using more than 128 bits for the salt. This is not even guaranteed to be supported by other algorithms (crypto_pwhash is a high-level function, the underlying algorithm can change).
result is:
What am I doing wrong?
The same function call in Golang with salt having 1024 bytes does not throw any error. https://pkg.go.dev/golang.org/x/crypto/argon2
Thank you.
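The three mismatches raised in this thread (memory in KiB for Go versus bytes for `memlimit`, the fixed `crypto_pwhash_SALTBYTES` salt length, and the Argon2i minimum of 3 passes) can be checked before calling `crypto_pwhash`. The following is an added example, not code from the thread or from libsodium; `toPwhashArgs` and its parameter names are hypothetical, and the constants are the values quoted above.

```javascript
// Added example: a pre-flight check, not part of libsodium or of this thread.
// Constants are the values quoted in the thread.
const SALTBYTES = 16;           // sodium.crypto_pwhash_SALTBYTES as reported above
const ARGON2I_MIN_OPSLIMIT = 3; // "must be at least 3 when using Argon2i"

// Hypothetical helper: translate Go-style Argon2 parameters (time, memory in
// KiB, salt) into crypto_pwhash arguments (opslimit, memlimit in bytes, salt)
// and collect every mismatch instead of stopping at the first one.
function toPwhashArgs({ time, memoryKiB, salt, algorithm }) {
  const problems = [];

  if (!(salt instanceof Uint8Array)) {
    problems.push('salt must be a Uint8Array');
  } else if (salt.length !== SALTBYTES) {
    problems.push(
      `salt is ${salt.length} bytes, crypto_pwhash needs exactly ${SALTBYTES}`);
  }

  if (!Number.isInteger(time) || time < 1) {
    problems.push('time (opslimit) must be a positive integer');
  } else if (algorithm === 'argon2i' && time < ARGON2I_MIN_OPSLIMIT) {
    problems.push(
      `opslimit ${time} is below ${ARGON2I_MIN_OPSLIMIT}, the Argon2i minimum`);
  }

  let memlimit = null;
  if (!Number.isInteger(memoryKiB) || memoryKiB < 1) {
    problems.push('memoryKiB must be a positive integer');
  } else {
    memlimit = memoryKiB * 1024; // KiB (Go convention) -> bytes (memlimit)
  }

  const ok = problems.length === 0;
  return { ok, problems, args: ok ? { opslimit: time, memlimit, salt } : null };
}

// Constructed sample input: the 1024-byte salt and Argon2i case from the thread.
const sample = toPwhashArgs({
  time: 2, memoryKiB: 64 * 1024, salt: new Uint8Array(1024), algorithm: 'argon2i',
});
console.log(sample.problems.join('\n'));
```

A hash computed with a 16-byte salt will not match one computed elsewhere with a longer salt, so both sides have to agree on the same 16 bytes.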