Katai

Reputation: 2937

php sodium_crypto_pwhash_str_verify() fails

I'm trying to figure out how to use the new libsodium features in PHP 7.2, but for some reason I can't seem to get sodium_crypto_pwhash_str_verify() to work properly.

I decided to actually use the given example in their documentation: https://paragonie.com/blog/2017/06/libsodium-quick-reference-quick-comparison-similar-functions-and-which-one-use#crypto-pwhash-sample-php

Sample code from libsodium themselves:

Note: I've contacted the author about the sample code and it has now been fixed! So the example below is outdated. (2018-05-30)

(the only adjustment that I made is the $password = "test" and echos)

<?php
$password = "test"; // by me

/* This uses Argon2i with two numeric constants that correspond to
 * the number of passes (OPSLIMIT) and the amount of memory to use
 * (MEMLIMIT). A higher OPSLIMIT helps against CPU attacks, while a
 * higher MEMLIMIT helps against GPU attacks.
 */
$storeInDatabase = sodium_crypto_pwhash_str(
    $password, 
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);

/* Once that's stored, you can just test against the hash like so: */
if (sodium_crypto_pwhash_str_verify($password, $storeInDatabase)) {
    /* Logged in! */
    echo "works!"; // by me
} else {
    /* Incorrect password. */
    echo "failed!"; // by me
}

Since I am hashing and verifying with the same $password and $storeInDatabase, this should always print "works!", but it doesn't.

What am I doing wrong here? Sadly, php.net doesn't have any useful documentation for the sodium functions yet.

For Reference:

http://php.net/manual/en/function.sodium-crypto-pwhash-str.php

http://php.net/manual/en/function.sodium-crypto-pwhash-str-verify.php

Upvotes: 2

Views: 916

Answers (1)

IsThisJavascript

Reputation: 1716

You have $password and $storeInDatabase the wrong way around.

It should be:

if (sodium_crypto_pwhash_str_verify($storeInDatabase,$password)) {

From the docs:

bool sodium_crypto_pwhash_str_verify ( string $hash , string $password )

Upvotes: 3
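The argument order from the answer, as an added example that is not part of the original question or answer and is not PHP's or libsodium's own code. The wrapper `verify_password()` is a hypothetical helper, and its check assumes that strings produced by sodium_crypto_pwhash_str() begin with `$argon2`; it shows why the swapped call is easy to miss (it just returns false, like a wrong password) and one way to make the mistake loud.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical wrapper (not part of libsodium): verifies a password and
 * refuses to run when the arguments look swapped.
 */
function verify_password(string $storedHash, string $password): bool
{
    // Assumption: hashes from sodium_crypto_pwhash_str() are encoded strings
    // starting with "$argon2". Anything else in the first slot is a caller bug.
    if (strncmp($storedHash, '$argon2', 7) !== 0) {
        throw new InvalidArgumentException('first argument is not an Argon2 hash string');
    }
    // Hash first, password second, as in the signature quoted in the answer.
    return sodium_crypto_pwhash_str_verify($storedHash, $password);
}

$password = 'test'; // constructed sample value

$storeInDatabase = sodium_crypto_pwhash_str(
    $password,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);

var_dump(verify_password($storeInDatabase, $password));     // correct order, right password
var_dump(verify_password($storeInDatabase, 'wrong-guess')); // correct order, wrong password

// Swapped order, as in the question: the raw function reports a plain
// verification failure, indistinguishable from a wrong password.
var_dump(sodium_crypto_pwhash_str_verify($password, $storeInDatabase));

// The wrapper turns the same mistake into an exception instead.
try {
    verify_password($password, $storeInDatabase);
} catch (InvalidArgumentException $e) {
    echo 'caught: ', $e->getMessage(), PHP_EOL;
}
```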
