Argon2 string methods include trailing null byte terminators
Closed this issue · 1 comments
To reproduce, install the Sodium.Core package from NuGet and use the following in a .NET Core 6.0 app:
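```csharp
using Sodium;

var somePassword = "example password"; // placeholder value for the repro

// ArgonHashString returns the encoded hash padded with trailing '\0' characters.
var paddedString = PasswordHash.ArgonHashString(
    somePassword,
    PasswordHash.StrengthArgon.Moderate);
var paddedLength = paddedString.Length; // 128

// Trimming the padding leaves only the encoded hash itself.
var trimmedString = paddedString.TrimEnd('\0');
var trimmedStringLength = trimmedString.Length; // <128
```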
This is pretty low-impact, since the corresponding `ArgonHashStringVerify` and `ArgonPasswordNeedsRehash` methods happily accept the padded strings, but it does cause some oddities for other software. For example, if I store the padded strings in a SQLite database, then DB Browser for SQLite refuses to show them as strings, and instead displays them as byte arrays. I'd imagine that other Argon libraries might throw or do weird things if given one of these padded strings, so there's a potential interop issue there (although the fix is pretty simple; just call `TrimEnd('\0')` first).
The string is meant to be zero-terminated, as explained here. However, the output could be trimmed and then the input for verification could be made zero-terminated as a workaround.
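The workaround described in the comment above, as an added example that is not part of the original thread or of Sodium.Core itself: trim the padding before storage and restore a terminator before verification. The `StoredArgonHash` class and its method names are hypothetical, the password is a constructed sample, and treating a single appended `'\0'` as a sufficient terminator is an assumption.

```csharp
using System;
using Sodium;

// Hypothetical helper (not part of Sodium.Core): normalizes Argon2 hash
// strings between the padded form Sodium.Core returns and a trimmed text
// form that databases and other tools treat as an ordinary string.
public static class StoredArgonHash
{
    // Strip the trailing NUL padding so the value is stored as plain text.
    public static string ForStorage(string hashFromSodium) =>
        hashFromSodium.TrimEnd('\0');

    // Accepts trimmed or legacy padded rows and returns a zero-terminated
    // string for verification (assumption: one NUL is enough).
    public static string ForVerify(string stored)
    {
        var trimmed = stored.TrimEnd('\0');
        // An embedded NUL would silently cut the string short on the native side.
        if (trimmed.IndexOf('\0') >= 0)
            throw new FormatException("Embedded NUL in stored hash.");
        if (!trimmed.StartsWith("$argon2", StringComparison.Ordinal))
            throw new FormatException("Not an Argon2 encoded hash string.");
        return trimmed + "\0";
    }
}

public static class Program
{
    public static void Main()
    {
        const string password = "constructed-sample-password"; // constructed sample
        var padded = PasswordHash.ArgonHashString(
            password, PasswordHash.StrengthArgon.Moderate);
        var stored = StoredArgonHash.ForStorage(padded);
        Console.WriteLine($"padded length {padded.Length}, stored length {stored.Length}");

        // Trimmed row, legacy padded row, then a wrong password.
        Console.WriteLine(PasswordHash.ArgonHashStringVerify(
            StoredArgonHash.ForVerify(stored), password));
        Console.WriteLine(PasswordHash.ArgonHashStringVerify(
            StoredArgonHash.ForVerify(padded), password));
        Console.WriteLine(PasswordHash.ArgonHashStringVerify(
            StoredArgonHash.ForVerify(stored), "wrong-password"));
    }
}
```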