Argon2::Password.verify_password can only verify passwords with default Salt lengths #14
Comments
Hi, thanks for this report. I'm going to take some time to look into an appropriate solution. Trying to mess with this has a knock-on effect of messing with the ENCODE_LEN constant, which exists in Ruby outside the C wrapper. Being in this position would also involve messing with a recommended default, which I've been trying to discourage people from doing. Regardless, let me look into a solution.
It would appear that my concerns related only to creating a hash. I'm pushing a fix now, however, that should allow it to verify existing hashes, which I've tested against your examples.
Any idea when we might see this in a release?
@micahhainline Given it's a bugfix, I will push a new release if no issues come up in another 24 hours. |
@technion wow! This is setting the bar for responsiveness! Thanks for turning it around so quickly! |
@micahhainline No worries - it's a legit bug and can be fixed in a non-breaking way. |
@micahhainline @asynchrony-ringo Version 1.1.1 has been tagged and pushed. |
The verify_password method will return false when attempting to validate Argon2 encodings generated with a salt length different from the default of 16.
This means encodings generated within the gem validate properly, but encodings generated outside of the gem will fail when validating with the gem unless the salt length matches the gem's default.
Moving existing Argon2 encodings into a system using this gem may then require regenerating all encodings.
Below I've put together test cases using the gem's validation and encodings generated via the command line using Argon2 v1.3.
Gem Generated Password Validates
Argon2 1.3 Generated Password Following Gem Defaults Validates
Argon2 1.3 Generated Password With Shorter Salt Fails Validation
Argon2 1.3 Generated Password With Longer Salt Fails Validation
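To make the failure mode concrete, here is an added Ruby example that is not code from the gem or from this thread. It parses the encoded string format the Argon2 reference CLI emits (`$argon2i$v=19$m=...,t=...,p=...$<salt>$<hash>`, unpadded base64 fields), reports the salt length of each stored encoding, and partitions a batch into the encodings a verifier that only accepts the default salt length would accept or reject, which is the check you would run before migrating a hash table into a system with this limitation. The 16-byte default is taken from the issue text; the sample encodings are constructed with placeholder salt and hash bytes rather than real Argon2 output, since only the string layout matters here, and nothing about the gem's internal ENCODE_LEN value is assumed.

```ruby
require 'base64'

# Components of one Argon2 encoded string, with salt and digest decoded to raw bytes.
Argon2Encoding = Struct.new(:variant, :version, :m, :t, :p, :salt, :digest, keyword_init: true)

VARIANTS = %w[argon2i argon2d argon2id].freeze

# Default salt length (bytes) the issue reports the gem assumes; taken from the issue text.
DEFAULT_SALT_LEN = 16

# The reference CLI writes base64 without '=' padding; restore it so strict decoding accepts it.
def pad_b64(s)
  s + ('=' * ((4 - s.length % 4) % 4))
end

def unpadded_b64(bytes)
  Base64.strict_encode64(bytes).delete('=')
end

# Characters needed to encode n bytes as unpadded base64: ceil(4n / 3).
# 8 -> 11, 16 -> 22, 32 -> 43, so the encoded string length moves with the salt length.
def unpadded_b64_len(n)
  (4 * n + 2) / 3
end

# Parses "$argon2i$v=19$m=65536,t=2,p=1$<salt-b64>$<hash-b64>"; raises ArgumentError otherwise.
def parse_argon2_encoding(encoded)
  parts = encoded.split('$', -1)
  raise ArgumentError, 'not an argon2 encoding' unless parts.length == 6 && parts[0].empty?
  _, variant, version, params, salt_b64, hash_b64 = parts
  raise ArgumentError, "unsupported variant #{variant}" unless VARIANTS.include?(variant)
  vm = version.match(/\Av=(\d+)\z/)
  raise ArgumentError, 'missing version field' unless vm
  kv = params.split(',').map { |kvp| kvp.split('=', 2) }.to_h
  raise ArgumentError, 'missing cost parameters' unless %w[m t p].all? { |k| kv[k].to_s.match?(/\A\d+\z/) }
  salt = Base64.strict_decode64(pad_b64(salt_b64))
  digest = Base64.strict_decode64(pad_b64(hash_b64))
  raise ArgumentError, 'empty salt or hash' if salt.empty? || digest.empty?
  Argon2Encoding.new(variant: variant, version: vm[1].to_i,
                     m: kv['m'].to_i, t: kv['t'].to_i, p: kv['p'].to_i,
                     salt: salt, digest: digest)
end

# True when the stored encoding used the default salt length.
def default_salt?(encoded, default = DEFAULT_SALT_LEN)
  parse_argon2_encoding(encoded).salt.bytesize == default
end

# Splits stored encodings into [accepted, rejected] for a verifier that only
# handles the default salt length; the rejected ones are the migration problem.
def partition_by_salt_length(encodings, default = DEFAULT_SALT_LEN)
  encodings.partition { |e| default_salt?(e, default) }
end

# Builds an encoded string in the reference layout from raw salt and digest bytes.
def build_encoding(salt, digest, variant: 'argon2i', m: 65536, t: 2, p: 1)
  "$#{variant}$v=19$m=#{m},t=#{t},p=#{p}$#{unpadded_b64(salt)}$#{unpadded_b64(digest)}"
end

# Constructed sample inputs: placeholder bytes, not real Argon2 output.
FAKE_DIGEST = ("\xAA".b * 32).freeze
SAMPLE_ENCODINGS = {
  short_salt:   build_encoding("\x01".b * 8,  FAKE_DIGEST),
  default_salt: build_encoding("\x02".b * 16, FAKE_DIGEST),
  long_salt:    build_encoding("\x03".b * 32, FAKE_DIGEST)
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENCODINGS.each do |name, enc|
    parsed = parse_argon2_encoding(enc)
    puts format('%-13s salt=%2d bytes  encoded length=%3d  default salt? %s',
                name, parsed.salt.bytesize, enc.bytesize, default_salt?(enc))
  end
  accepted, rejected = partition_by_salt_length(SAMPLE_ENCODINGS.values)
  puts "accepted: #{accepted.length}, need attention: #{rejected.length}"
end
```

Running the script shows the three encodings differing only in salt length producing three different total string lengths, which is why any verifier that assumes a fixed encoded length for the default salt cannot accept the 8- and 32-byte cases; the partition call is the pre-migration check that tells you how many stored hashes would be affected.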