Max Salt Length Issue?

[Bug-Reaper]

I see we've capped the max salt length to 64 bytes.

traits/password-hash/src/salt.rs

Line 112 in 8bb3381

if length > Self::MAX_LENGTH {

I am re-implementing an old argon2id hash implementation that used salt of length of ~410bytes. As far as I was aware there is no max-salt length for argon2id but perhaps I'm mistaken?

EDIT: Quick google search and it does appear we should be able to use salts much larger than 64 bytes. Sorry if this is the wrong place to ask about this, new to rust and crates ecosystem.

[Bug-Reaper]

Further digging and this does appear to be a very intentional choice and in conflict with the Argon2 spec.

traits/password-hash/src/salt.rs

Lines 55 to 78 in 8bb3381

	/// A maximum length is enforced based on the above recommendation for
	/// supporting stack-allocated buffers (which this library uses), and the
	/// specific determination of 48-bytes is taken as a best practice from the
	/// [Argon2 Encoding][3] specification in the same document:
	///
	/// > The length in bytes of the salt is between 8 and 48 bytes<sup>†</sup>, thus
	/// > yielding a length in characters between 11 and 64 characters (and that
	/// > length is never equal to 1 modulo 4). The default byte length of the salt
	/// > is 16 bytes (22 characters in B64 encoding). An encoded UUID, or a
	/// > sequence of 16 bytes produced with a cryptographically strong PRNG, are
	/// > appropriate salt values.
	/// >
	/// > <sup>†</sup>The Argon2 specification states that the salt can be much longer, up
	/// > to 2^32-1 bytes, but this makes little sense for password hashing.
	/// > Specifying a relatively small maximum length allows for parsing with a
	/// > stack allocated buffer.)
	///
	/// Based on this guidance, this type enforces an upper bound of 64-bytes
	/// as a reasonable maximum, and recommends using 16-bytes.
	///
	/// [1]: https://en.wikipedia.org/wiki/Rainbow_table
	/// [2]: https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#function-duties
	/// [3]: https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#argon2-encoding
	#[derive(Copy, Clone, Eq, PartialEq)]

I'd very much like to see this limit up-ed, anyone that decided to use >64byte salts via another implementation cannot properly compare their old hashes via this library.

Further:

• The link in question backing this decision does not even mention any type of artificial maximum salt-length
• There is room for us to support larger-salts AND get better performance (See argon2: optimized implementation password-hashes#104 (comment) (GO and C routines with large-salt support and faster perf)

I'm open to other suggestions, hoping this is as simple as changing the defined max size constant. Please help my poor orphaned and unverifiable hashes that used big-salts.

[newpavlov]

This restriction applies only to the PHC format. You can call methods on the Argon2 struct directly, they accept salts with lengths of up to 0xFFFFFFFF bytes.

[tarcieri]

Yes, the cap in the PHC format is mandated by the spec, and as @newpavlov said, if you want to avoid that don't go through the PHC string format APIs.