Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
[Security] Do not mix password_*() API with libsodium one #29863
Argon2IPasswordEncoder uses native
This was fine at time the encoder was introduced, but meanwhile libsodium changed the algorithm used by
However, the PHP installation may change as time goes by, and could suddenly embed the Argon2 core integration. In this case, the encoder would use the
Side note: I'm currently working on a new implementation for 4.3 that will properly supports argon2id (which has been added to the PHP core sodium integration in 7.3) and argon2i, distinctively.