libsodium-net icon indicating copy to clipboard operation
libsodium-net copied to clipboard

Published 20 hours ago verified publisher icon adamcaudill

PasswordHash uses wrong algorithm (crypto_pwhash_ALG_ARGON2I13)

Open peterhirn opened this issue 6 years ago • 0 comments
trafficstars

Hello,

I'm hashing passwords with custom salts. Comparing the results with https://github.com/antelle/argon2-browser it turns out, this library is using crypto_pwhash_ALG_ARGON2I13 instead of crypto_pwhash_ALG_ARGON2ID13.

I think ARGON_ALGORITHM_DEFAULT should be 2, not 1 as defined in PasswordHash.cs.

See https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash.h

#define crypto_pwhash_ALG_ARGON2ID13 crypto_pwhash_argon2id_ALG_ARGON2ID13
...
#define crypto_pwhash_ALG_DEFAULT crypto_pwhash_ALG_ARGON2ID13

and https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash_argon2id.h

#define crypto_pwhash_argon2id_ALG_ARGON2ID13 2

Sorry for everyone who has this in production, your hashes are 'optimized to resist side-channel attacks'.

peterhirn avatar Jul 19 '19 12:07 peterhirn