diff --git a/web/docs/dependencies.md b/web/docs/dependencies.md index efdbf617ce..7435d80367 100644 --- a/web/docs/dependencies.md +++ b/web/docs/dependencies.md @@ -48,25 +48,13 @@ The root `package.json` also has a convenience dev dependency: ## Cryptography -We use [libsodium](https://libsodium.gitbook.io/doc/) for encryption, key -generation etc. Specifically, we use its WebAssembly and JS wrappers made using -Emscripten, maintained by the original authors of libsodium themselves - +We use [libsodium](https://libsodium.gitbook.io/doc/) for our cryptography +primitives. Specifically, we use its WebAssembly target, accessible via +JavaScript wrappers maintained by the original authors of libsodium themselves - [libsodium-wrappers](https://github.com/jedisct1/libsodium.js). -Currently, we've pinned the version to 0.7.9 since later versions remove the -`crypto_pwhash_*` functionality that we use (they've not been deprecated, -they've just been moved to a different NPM package). From the (upstream) -[release notes](https://github.com/jedisct1/libsodium/releases/tag/1.0.19-RELEASE): - -> Emscripten: the `crypto_pwhash_*()` functions have been removed from Sumo -> builds, as they reserve a substantial amount of JavaScript memory, even when -> not used. - -This wording is a bit incorrect, they've actually been _added_ to the sumo -builds (See this [issue](https://github.com/jedisct1/libsodium.js/issues/326)). - -Updating it is not a big problem, it is just a pending chore - we want to test a -bit more exhaustively when changing the crypto layer. +We need to use the "sumo" variant, _libsodium-wrappers-sumo_, to get access to +the `crypto_pwhash_*()` functions. ## Meta frameworks diff --git a/web/packages/base/crypto/index.ts b/web/packages/base/crypto/index.ts index 386d1ac7da..c2cf7bc005 100644 --- a/web/packages/base/crypto/index.ts +++ b/web/packages/base/crypto/index.ts 
@@ -8,7 +8,9 @@ * 3. libsodium-wrappers (JavaScript bindings to libsodium) * * Our cryptography primitives are provided by libsodium, specifically, its - * JavaScript bindings ("libsodium-wrappers"). This is the lowest layer. + * JavaScript bindings ("libsodium-wrappers"). This is the lowest layer. Note + * that we use the sumo variant, "libsodium-wrappers-sumo", since the standard + * variant does not provide the `crypto_pwhash_*` functions. * * Direct usage of "libsodium-wrappers" is restricted to `crypto/libsodium.ts`. * This is the next higher layer. Usually the functions in this file are thin
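Review bot: In the `web/docs/dependencies.md` hunk, the Cryptography section drops the paragraph about the 0.7.9 pin without saying what the version policy is now. The removed text noted that changes to the crypto layer warrant more exhaustive testing, while the replacement only says the sumo variant is needed. Suggest adding one sentence on whether `libsodium-wrappers-sumo` is still pinned to an exact version, and a clause on what the `crypto_pwhash_*()` functions are used for here, so a later reader can see why the larger build is required. The link text still reads `libsodium-wrappers`; naming the sumo package next to it would make clear which package is the actual dependency.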
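Review bot: In the `web/packages/base/crypto/index.ts` hunk, the added note says the sumo variant is what is used, but the unchanged lines around it still name the standard package: list item 3 reads `libsodium-wrappers (JavaScript bindings to libsodium)` and the following paragraph says direct usage of "libsodium-wrappers" is restricted to `crypto/libsodium.ts`. Because that sentence states an import restriction, it should name the package that is actually imported, so that a search for the import string matches the rule. Suggest changing both mentions to `libsodium-wrappers-sumo`, or saying explicitly that "libsodium-wrappers" is shorthand for the sumo variant throughout this comment.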