Bug #81491 Incorrectly using libsodium for argon2 hashing
Submitted: 2021-09-30 17:32 UTC Modified: 2021-09-30 18:00 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dpock at liquidweb dot com Assigned:
Status: Closed Package: *Compile Issues
PHP Version: 8.1Git-2021-09-30 (Git) OS:
Private report: No CVE-ID: None


 [2021-09-30 17:32 UTC] dpock at liquidweb dot com
It appears that the PHP-8.1 branch is no longer compiling libargon2 support correctly. The effects of this vary depending on whether libsodium is present too.

When libsodium is present, the issues observed are:
* Cannot use threads option when hashing with argon2,
* PASSWORD_ARGON2_PROVIDER reports as 'sodium'

When libsodium is not present, the issue observed is:
* Error stating argon2 is not supported


Note: Left OS blank as this affects my Mac, as well as Linux-based GitHub runners.


I have 'confirmed' this bug by compiling PHP 8.0 and PHP 8.1 using the same settings. When using PHP 8.0 w/o sodium I can still use argon2, and similarly the threads option works when hashing.

I've also made a "PR" that confirms PHP 8.1 works when I revert a commit to load argon2 via `pkg-config` rather than config flags. This PR is here:

Test script:
This bug was initially found by Dries Vints via failing CI tests here:

He was observing the issue with a "threads" value greater than 1 causing an error. This is behavior you'd only expect if PHP were compiled with ONLY libsodium. However, the GitHub runners in use should be compiling with BOTH libsodium and libargon2. We can be confident they are compiling in this manner as PHP 8.0 runners (from the same source) are working correctly.

Expected result:
PHP should know it has access to both `libsodium` and `libargon2` when compiled in this manner.

As such, when PHP compiles with both libs, we should see:
* PASSWORD_ARGON2_PROVIDER should be 'standard', and
* password_hash should accept `threads` > 1 when using argon2.
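
A build check for the two expected results above, added here as an example (it is not part of the original report or of php-src). It assumes the `PASSWORD_ARGON2_PROVIDER` values 'standard' and 'sodium' named in the report; the function name `argon2_build_report` and the sample password are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Report which library backs Argon2 in this PHP build and whether
 * password_hash() accepts threads > 1 (hypothetical helper, added example).
 */
function argon2_build_report(): array
{
    $report = [
        'argon2id_available' => defined('PASSWORD_ARGON2ID'),
        'provider'           => defined('PASSWORD_ARGON2_PROVIDER') ? PASSWORD_ARGON2_PROVIDER : null,
        'threads_gt_1'       => false,
        'threads_in_hash'    => null,
        'error'              => null,
    ];
    if (!$report['argon2id_available']) {
        // Matches the "argon2 is not supported" case: no argon2 algorithm was compiled in.
        $report['error'] = 'argon2 algorithms are not available in this build';
        return $report;
    }
    $password = 'constructed-sample-password'; // constructed sample input
    try {
        // threads = 2 is the option the report says is rejected by the affected builds.
        $hash = password_hash($password, PASSWORD_ARGON2ID, ['threads' => 2]);
        if (is_string($hash)) {
            // Read the parallelism back out of the encoded hash instead of trusting the call.
            $info = password_get_info($hash);
            $report['threads_in_hash'] = $info['options']['threads'] ?? null;
            $report['threads_gt_1'] = $report['threads_in_hash'] === 2
                && password_verify($password, $hash);
        } else {
            $report['error'] = 'password_hash() did not return a hash';
        }
    } catch (\ValueError $e) {
        // PHP 8 raises ValueError when the backing implementation rejects an option.
        $report['error'] = $e->getMessage();
    }
    return $report;
}

$r = argon2_build_report();
printf("PASSWORD_ARGON2_PROVIDER: %s\n", $r['provider'] ?? '(undefined)');
printf("threads > 1 accepted:     %s\n", $r['threads_gt_1'] ? 'yes' : 'no');
if ($r['error'] !== null) {
    printf("error: %s\n", $r['error']);
}
// Non-zero exit lets a CI job fail when the build lacks the expected libargon2 support.
exit($r['provider'] === 'standard' && $r['threads_gt_1'] ? 0 : 1);
```

Run with the CLI binary of the build under test; on a build linked against both libraries the expected outcome is provider 'standard' and exit status 0.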


 [2021-09-30 18:00 UTC] dpock at liquidweb dot com
After further investigation I found the root cause to be that `HAVE_ARGON2LIB` was not being defined when the argon2 config flag is set.

I've updated the patch in the PR to reflect this here:
 [2021-10-01 08:09 UTC]
Automatic comment on behalf of mallardduck (author) and nikic (committer)
Log: Fix bug #81491: Ensure HAVE_ARGON2LIB is set when compiling using libargon2
 [2021-10-01 08:09 UTC]
-Status: Open +Status: Closed