Expose Argon2 password derivation
haggholm opened this issue · 3 comments
The README (very correctly) notes that you should not derive a key without running it through a strengthening function like PBKDF2, but libsodium itself already ships with one—Argon2. From brief inspection, it seems that the nacl_raw property (the WASM code?) contains this functionality, e.g. nacl_raw._crypto_pwhash_argon2id_alg_argon2id13 et al.
I’d love to create a PR, but having no experience with WASM-compiled code, I worry that a half-baked PR is more likely to either be a nuisance or a security hole; looking at nacl_cooked.js, I am guessing it isn’t a very big task…for someone who knows what they’re doing, which (alas) I here do not.
Any chance of exposing the Argon2 API?
Would you be able to draft some (failing) test cases and documentation, do you think? I think then it'd be straightforward to write the wrapper stubs and get the tests to pass.
Thank you for the quick reply! I should make it very clear that I’m quite new to the whole setup (emscripten, wasm, and not least NaCl/libsodium itself), so I may be botching conventions quite badly, or even misusing it. In trying to piece together a solution by combining your docs (+TS bindings) and the docs at https://libsodium.gitbook.io/doc/, it seems to me that what I’m missing is what fails here:
https://github.com/haggholm/nacl-test
Since I’m just starting to look at it, I may be providing bad inputs &c., but it seems to me that it should be possible to get it and https://github.com/ranisalt/node-argon2 to generate the same output. (And I’d much rather do it through js-nacl, since as I understand it, I should be able to run the same code in Node.js and the browser.)
That sounds about right. Can you make a PR that integrates with the test cases and docs (such as they are) as they stand?