
SaltToShort check should be dropped. #53

Description

@AlexanderSchuetz97

Hello,

I am trying to write a program that derives an AES key from a password.
The entire program has to be compatible with existing Java software, i.e. the Java code and the Rust application have to get the same key from the same input.

The Java application uses a 4 byte salt that is set to a constant value for all inputs.
This step cannot be repeated using your Rust library, as it will always fail with Error SaltToShort.

I have verified that all other parameters are compatible and that Rust and Java arrive at the same result by changing the Java program to use an 8 byte salt. This is however not feasible, as this obviously changes the resulting AES key for the same password.
I can obviously not "keep" this change in the Java program, as there is tons of existing data that was encrypted using 4 byte salt keys that the new Rust application now has to decrypt.

I have checked the Bouncy Castle Java library that the Java application uses for Argon2, and it appears to have no check whatsoever in terms of length. It even supports passing no salt at all. This Java library is very mature and has wide adoption. (It's older than Rust itself.)

My suggestion is to drop all salt length checks and ensure that the outputs are the same as what the Bouncy Castle Java library would produce.

For me personally, I think just changing the constant from 8 to 4 would already solve all my issues... However, I think there are other people out there that may have used any number of bytes smaller than 4 as a "fake" salt to derive keys from a password.

This is the relevant Java code from the Bouncy Castle library. As you can see, there are no checks concerning length.
[Image]

The "null == octets" check can be ignored, as you can just pass a 0 length array as a parameter to bypass it.
