Closed ihrigb closed 2 years ago
reaperhulk
commented
2 years ago This library uses libsodium, which implements argon2i version 1.3. Looking at node-argon2 and bc it appears they do as well so mismatch is obviously unexpected. If you implement the test vector in https://datatracker.ietf.org/doc/html/rfc9106 section 5.2 do they all get the same value?
ihrigb
commented
2 years ago @reaperhulk I have tried with node-argon2 and PyNaCl. I cannot achieve the correct results of the test vector with both of them, plus the results differ. There are also some things unclear to me:
reaperhulk
commented
2 years ago I'm not sure how to reconcile the test vector with the actual input options actually. It exposes a lot of the internals so that implementers can see where in the various steps their code might be wrong, but even with that I'm not clear on what some of it is intended to be.
That said, I've tested with the argon2 command line app and gotten identical results so I suspect the challenge here is just that various implementations treat arguments differently (see: https://jorgenmodin.net/index_html/getting-the-same-hash-from-antelles-argon2-browser-and-pynacl). If you're still concerned, I'd suggest writing a minimal libsodium reproducer and reporting upstream.
ihrigb
commented
2 years ago Sorry, I do not have the time to do this. I found a lib that actually works for me (libsodium-wrappers).
Hi
I get different results, if I hash a password using Argon2i. I already reported this for the node-argon2 library, but we found that for Java the result is the same as with node. Could be a hint that the issue might be in the Python library. https://github.com/ranisalt/node-argon2/issues/314
Gists: node-argon2: https://gist.github.com/ihrigb/a6160003ff63057c69034ea07e17f2e7 PyNaCl: https://gist.github.com/ihrigb/f3a1415245840326d9fdec18be9ab6e7 Java Bouncycastle: https://gist.github.com/ihrigb/20cf7e321b1faaa9c39de524756bc28d
Is there anybody to provide support in this?