sodium encryption misuses crypto_pwhash API

[dgl]

Steps to reproduce

1. Review: https://github.com/vim/vim/blob/master/src/crypt.c#L883-L884
2. See https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash.h#L97-L102

Nothing stores the parameters used for the password hash function. Libsodium is currently using argon2id, but those constants could change per the libsodium API docs.

Expected behaviour

cryptmethod=xchacha20 should store the parameters to the pwhash function.

Given the docs say this format is currently experimental it should be possible to add the parameters somewhere to provide algorithm agility.

[cc: @chrisbra]

Version of Vim

9.0.1429

Environment

Anything with libsodium enabled.

Logs and stack traces

No response

[dgl]

BTW, I've not fully reviewed the xchacha20 method, it looks sane, but given an omission like this I'd far prefer to see something like age's scrypt format added to Vim, so it is interoperable with other tools, but that's getting more into a feature request than this issue.

[chrisbra]

Thanks for the review. Do you mean more like using crypto_pwhash_ALG_ARGON2ID13, crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE and crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE explicitly or are you more thinking of making this configurable for the user? (e.g. like a hyptothetical :set cryptoptions=pwhash:alg_argon2id3 etc)?

Using those defines explicitly would mean, we stay compatible and be sure to decrypt old encrypted files (at least if the implementation does not change) at the same time, we possibly wouldn't notice when a more secure default is selected in libsodium.

[chrisbra]

Ah, I might have misunderstood. I think you want us to store those constants together with the hash?

[brammool]

I suppose the values of crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE and crypto_pwhash_ALG_DEFAULT need to be stored in the header, like salt and seed. Since the header size changes, this requires a new ctrypt method "magic name".
For the implementation we'll also need to make a difference between an init for creating a file (which would store the values in the header) and for reading a file (which would use the values from the header). This takes some effort to keep this working with the various crypt methods, but it should not be too difficult.
Do we somehow need to validate the values passed to crypto_pwhash() or will it do that internally?
@chrisbra - are you up for making these changes?

[chrisbra]

Yes, I'll have a look later, once I am back from vacation.

[chrisbra]

fixed as of aae5834