Reputation: 2937
I'm trying to figure out how to use the new libsodium
features in php7.2, but for some reason I can't seem to get sodium_crypto_pwhash_str_verify()
to work properly.
I decided to actually use the given example in their documentation: https://paragonie.com/blog/2017/06/libsodium-quick-reference-quick-comparison-similar-functions-and-which-one-use#crypto-pwhash-sample-php
Sample code from libsodium themselves:
Note: I've contacted the author about the sample code and it has now been fixed! So the example below is outdated. (2018-05-30)
(the only adjustment that I made is the $passwort = "test"
and echo
s)
<?php
$password = "test"; // by me
/* This uses Argon2i with two numeric constants that correspond to
* the number of passes (OPSLIMIT) and the amount of memory to use
* (MEMLIMIT). A higher OPSLIMIT helps against CPU attacks, while a
* higher MEMLIMIT helps against GPU attacks.
*/
$storeInDatabase = sodium_crypto_pwhash_str(
$password,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
/* Once that's stored, you can just test against the hash like so: */
if (sodium_crypto_pwhash_str_verify($password, $storeInDatabase)) {
/* Logged in! */
echo "works!"; // by me
} else {
/* Incorrect password. */
echo "failed!"; // by me
}
Since I am hashing and verifying with the same $password
and $storeInDatabase
, this should always print "works!"
, but it doesn't.
What am I doing wrong here? Sadly, php.net doesn't have any useful documentation for the sodium
functions yet.
For Reference:
http://php.net/manual/en/function.sodium-crypto-pwhash-str.php
http://php.net/manual/en/function.sodium-crypto-pwhash-str-verify.php
Upvotes: 2
Views: 916
Reputation: 1716
You have $password
and $storeInDatabase
the wrong way around
It should be:
if (sodium_crypto_pwhash_str_verify($storeInDatabase,$password)) {
From the docs:
bool sodium_crypto_pwhash_str_verify ( string $hash , string $password )
Upvotes: 3