Fix #78269 password_hash uses weak options for argon2
authorRemi Collet <remi@php.net>
Mon, 15 Jul 2019 12:10:38 +0000 (14:10 +0200)
committerRemi Collet <remi@php.net>
Mon, 15 Jul 2019 12:10:38 +0000 (14:10 +0200)
NEWS
ext/standard/php_password.h
ext/standard/tests/password/password_needs_rehash_argon2.phpt

diff --git a/NEWS b/NEWS
index 1ead981d14083312d7aeb27fb78c3f3a79f84f0e..be4b60888f66c004b664cb44e2467bba0af95bab 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,7 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
     (cmb)
+  . Fixed bug #78269 (password_hash uses weak options for argon2). (Remi)
 
 27 Jun 2019, PHP 7.2.20
 
index c7dca7383904baa61acb1416b70883bdee6c329e..ada0c802f274ffa4d6d4cb3f9169b19c7d7ba563 100644 (file)
@@ -33,9 +33,9 @@ PHP_MINIT_FUNCTION(password);
 #define PHP_PASSWORD_BCRYPT_COST 10
 
 #if HAVE_ARGON2LIB
-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
 #endif
 
 typedef enum {
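Review bot: The three new defaults carry no comment on their units or provenance, so a reader of this header cannot tell whether `(64 << 10)` on the memory-cost line is bytes or KiB, nor why threads drops from 2 to 1 while time cost doubles. If, as in libargon2's API, the value is in kibibytes, a comment such as `/* Argon2 memory_cost is in KiB: 64 << 10 == 64 MiB; time_cost and threads follow the Argon2 authors' recommended defaults */` above the `#if HAVE_ARGON2LIB` block would make that explicit. Because these macros presumably feed the PASSWORD_ARGON2_DEFAULT_* constants that password_needs_rehash compares against, every hash minted with the old defaults will be reported as needing rehash after upgrade and each verification will reserve 64 MiB instead of 1 MiB, which is worth stating in UPGRADING for memory-constrained or highly concurrent hosts. Parenthesising the shifted value is correct; the unparenthesised `1<<10` it replaces would have mis-associated inside any arithmetic expression.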
index 0b5fede1e358cbc9b63f5c99ffc2fbe8d51511c6..129bed59899ae32f2914c0743aaa1c3a051c4cf9 100644 (file)
@@ -9,14 +9,12 @@ if (!defined('PASSWORD_ARGON2I')) die('skip password_needs_rehash not built with
 
 $hash = password_hash('test', PASSWORD_ARGON2I);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST +1]));
 echo "OK!";
 ?>
 --EXPECT--
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 OK!
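Review bot: Dropping the `threads` case on the removed line leaves password_needs_rehash's comparison of the threads option untested, which matters now that the default changes from 2 to 1 and existing hashes with a different parallelism value must still be reported as stale. Unless the case was removed for a reason not visible here (e.g. the option not being honoured by the underlying library), keep a line `var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => PASSWORD_ARGON2_DEFAULT_THREADS + 1]));` with a matching `bool(true)` in `--EXPECT--`, so the test does not silently narrow coverage. Deriving the test values from the PASSWORD_ARGON2_DEFAULT_* constants rather than literals is the right move, since it keeps the test valid if the defaults move again. Minor style: `PASSWORD_ARGON2_DEFAULT_TIME_COST +1` should read `PASSWORD_ARGON2_DEFAULT_TIME_COST + 1` to match the spacing on the preceding line.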