Closed ihrigb closed 2 years ago
This library uses libsodium, which implements argon2i version 1.3. Looking at node-argon2 and bc it appears they do as well so mismatch is obviously unexpected. If you implement the test vector in https://datatracker.ietf.org/doc/html/rfc9106 section 5.2 do they all get the same value?
@reaperhulk I have tried with node-argon2 and PyNaCl. I cannot achieve the correct results of the test vector with either of them, plus the results differ. There are also some things unclear to me:
I'm not sure how to reconcile the test vector with the actual input options actually. It exposes a lot of the internals so that implementers can see where in the various steps their code might be wrong, but even with that I'm not clear on what some of it is intended to be.
That said, I've tested with the argon2 command line app and gotten identical results so I suspect the challenge here is just that various implementations treat arguments differently (see: https://jorgenmodin.net/index_html/getting-the-same-hash-from-antelles-argon2-browser-and-pynacl). If you're still concerned, I'd suggest writing a minimal libsodium reproducer and reporting upstream.
Sorry, I do not have the time to do this. I found a lib that actually works for me (libsodium-wrappers).
Hi
I get different results, if I hash a password using Argon2i. I already reported this for the node-argon2 library, but we found that for Java the result is the same as with node. Could be a hint that the issue might be in the Python library. https://github.com/ranisalt/node-argon2/issues/314
Gists:
node-argon2: https://gist.github.com/ihrigb/a6160003ff63057c69034ea07e17f2e7
PyNaCl: https://gist.github.com/ihrigb/f3a1415245840326d9fdec18be9ab6e7
Java Bouncycastle: https://gist.github.com/ihrigb/20cf7e321b1faaa9c39de524756bc28d
Is there anybody to provide support in this?