Open dewyatt opened 4 years ago
Oh that is terrible. Sorry. I think Scrypt is affected in the same way.
I think strictly SemVer speaking we can't change this. But we can add a new variant of botan_pwdhash_timed
that does it correctly (and with a test to verify we get it right this time), then deprecate the current one.
Yeah I saw scrypt has the same issue after I posted this :(. I should note that I'm using these APIs via botan-rs (derive_key_from_password*
). How do you plan to handle it on that end?
Re botan-rs I'm not positive, but first inclination would be basically same approach as in FFI, add an alternate API, deprecate current. In botan-rs case we are not 1.0 so I would probably remove the current versions after a release or three.
I could be missing something, but I found this to be confusing:
This will trigger an assertion on the second call because the parameters (as in param*) do not map in the same order between these functions.
botan_pwdhash
usesfrom_params
which constructs Argon2_Family withM, t, p
, butbotan_pwdhash_timed
returnsiterations(), parallelism(), memory_param()
(t, p, M
).