Fix #78269 password_hash uses weak options for argon2
authorRemi Collet <remi@php.net>
Mon, 15 Jul 2019 12:11:30 +0000 (14:11 +0200)
committerRemi Collet <remi@php.net>
Mon, 15 Jul 2019 12:11:30 +0000 (14:11 +0200)
NEWS
ext/standard/php_password.h
ext/standard/tests/password/password_needs_rehash_argon2.phpt

diff --git a/NEWS b/NEWS
index 2720214724fded76df846c6cc28d7e9bcc214e89..9c9b805cf6de57d7f97fae2fb0c8291692b3ab8f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,7 @@ PHP                                                                        NEWS
 
 - Standard:
   . Fixed #78241 (touch() does not handle dates after 2038 in PHP 64-bit). (cmb)
+  . Fixed bug #78269 (password_hash uses weak options for argon2). (Remi)
 
 04 Jul 2019, PHP 7.3.7
 
index 0c2f83c6501f9c795b4665d81f4fbc88929c133e..f9b55be8f6cda1860ecabe54795b6d46ebb5d1db 100644 (file)
@@ -31,9 +31,9 @@ PHP_MINIT_FUNCTION(password);
 #define PHP_PASSWORD_BCRYPT_COST 10
 
 #if HAVE_ARGON2LIB
-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
 #endif
 
 typedef enum {
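Review bot: The new defaults are bare numbers with no comment recording their unit or rationale, and the test hunk shows they surface to userland as the PASSWORD_ARGON2_DEFAULT_* constants, so whoever tunes them next has nothing to go on; a line such as `/* Argon2 defaults for password_hash(): memory cost in KiB (64 MiB), 4 passes, single lane; see bug #78269 */` above the block would fix that. Rewriting `1<<10` as `(64 << 10)` also repairs the unparenthesised old macro, which would mis-expand in any arithmetic context, while the single-token `PHP_PASSWORD_ARGON2_TIME_COST 4` and `PHP_PASSWORD_ARGON2_THREADS 1` are safe as written. Assuming the KiB unit libargon2 uses, each default-option hash now needs 64 MiB instead of 1 MiB, which is a deliberate hardening but also raises peak memory under concurrent logins; that trade-off is worth a sentence in NEWS or the header comment. The reason for dropping threads from 2 to 1 is not stated anywhere in the commit and should be.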
index 9552be1dc924a1f8feed561273e864086916339d..69588d02ad4a371e9696e00fa2da9d7d07240e16 100644 (file)
@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2
 
 $hash = password_hash('test', PASSWORD_ARGON2I);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
 
 $hash = password_hash('test', PASSWORD_ARGON2ID);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
+
 echo "OK!";
-?>
 --EXPECT--
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 OK!
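Review bot: Removing the `['threads' => 4]` assertions for both algorithms leaves password_needs_rehash's thread-count comparison uncovered, even though with the new default of 1 a larger value is still detectable; keeping one check per algorithm as `var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => PASSWORD_ARGON2_DEFAULT_THREADS + 1]));` (plus its ARGON2ID twin) with a matching `bool(true)` in --EXPECT-- would preserve it. If the removal is deliberate because a thread count above 1 cannot be exercised on some builds, a one-line comment in the test saying so would stop the check being re-added later. Expressing the options relative to PASSWORD_ARGON2_DEFAULT_MEMORY_COST and PASSWORD_ARGON2_DEFAULT_TIME_COST is the right move, since the test no longer hard-codes the defaults it is meant to exceed.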