authorRemi Collet <remi@php.net>2019-07-15 14:11:30 +0200
committerRemi Collet <remi@php.net>2019-07-15 14:11:30 +0200
commita7ff3a648336c33cfd8c7b63199bc7b0e49fbdea (patch)
tree8158717ed8ecb594ccfca475aba9d3de6bba8699
parent193f28c7d557df887c4456d072113cc2478e1c3e (diff)
Fix #78269 password_hash uses weak options for argon2
-rw-r--r--NEWS1
-rw-r--r--ext/standard/php_password.h6
-rw-r--r--ext/standard/tests/password/password_needs_rehash_argon2.phpt14
3 files changed, 9 insertions, 12 deletions
diff --git a/NEWS b/NEWS
index 2720214724..9c9b805cf6 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,7 @@ PHP NEWS
- Standard:
. Fixed #78241 (touch() does not handle dates after 2038 in PHP 64-bit). (cmb)
+ . Fixed bug #78269 (password_hash uses weak options for argon2). (Remi)
04 Jul 2019, PHP 7.3.7
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
index 0c2f83c650..f9b55be8f6 100644
--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -31,9 +31,9 @@ PHP_MINIT_FUNCTION(password);
#define PHP_PASSWORD_BCRYPT_COST 10
#if HAVE_ARGON2LIB
-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
#endif
typedef enum {
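Review bot: The three new Argon2 defaults carry no comment on units or rationale, even though they are exported to userland as PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWORD_ARGON2_DEFAULT_TIME_COST and PASSWORD_ARGON2_DEFAULT_THREADS (the test in this commit reads them), so a reader cannot tell from the header that `(64 << 10)` is a memory cost expressed in KiB, i.e. 64 MiB, or why threads went from 2 to 1. Suggest a comment above the defines such as `/* Argon2 defaults (bug #78269): memory_cost in KiB = 64 MiB, time_cost = 4 passes, threads = 1 */`. Because password_needs_rehash() compares a stored hash's parameters against these defaults (the accompanying test depends on that), hashes created with the old 1 MiB / 2-pass / 2-thread values will presumably now report as needing a rehash after upgrade, which is worth stating in UPGRADING alongside the NEWS entry. The `typedef enum` on the last line continues outside the hunk.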
diff --git a/ext/standard/tests/password/password_needs_rehash_argon2.phpt b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
index 9552be1dc9..69588d02ad 100644
--- a/ext/standard/tests/password/password_needs_rehash_argon2.phpt
+++ b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2
$hash = password_hash('test', PASSWORD_ARGON2I);
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
$hash = password_hash('test', PASSWORD_ARGON2ID);
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
+
echo "OK!";
-?>
--EXPECT--
bool(false)
bool(true)
bool(true)
-bool(true)
bool(false)
bool(true)
bool(true)
-bool(true)
OK!
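Review bot: The rewritten assertions drop the `threads` case for both PASSWORD_ARGON2I and PASSWORD_ARGON2ID, so password_needs_rehash() now has no coverage at all for a `threads` option that differs from the stored hash, and nothing in the hunk explains why. If the omission is deliberate, a one-line comment in the test stating the reason would prevent someone re-adding it blindly; otherwise keep the case in the same relative style as the other two, `var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => PASSWORD_ARGON2_DEFAULT_THREADS + 1]));`, and restore the matching `bool(true)` lines in --EXPECT--. Expressing the options relative to the PASSWORD_ARGON2_DEFAULT_* constants is the right call, as it keeps the test valid if the defaults move again.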