
Commit a7ff3a6

Fix #78269 password_hash uses weak options for argon2
1 parent 193f28c commit a7ff3a6


3 files changed

+9
-12
lines changed


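--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,7 @@ PHP NEWS
 
 - Standard:
 . Fixed #78241 (touch() does not handle dates after 2038 in PHP 64-bit). (cmb)
+. Fixed bug #78269 (password_hash uses weak options for argon2). (Remi)
 
 04 Jul 2019, PHP 7.3.7
 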
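--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -31,9 +31,9 @@ PHP_MINIT_FUNCTION(password);
 #define PHP_PASSWORD_BCRYPT_COST 10
 
 #if HAVE_ARGON2LIB
-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
 #endif
 
 typedef enum {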
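Review bot: The three new #define values carry no unit or rationale, and `PHP_PASSWORD_ARGON2_MEMORY_COST` is the one most likely to be misread: if, as the old `1<<10` value suggests, it is libargon2's m_cost expressed in KiB, then `(64 << 10)` is 64 MiB per hash, a 64-fold increase over the previous default. A comment on the define would settle that for the next reader, e.g. `#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10) /* m_cost in KiB: 64 MiB per hash, see bug #78269 */`. Because every concurrent password_hash()/password_verify() call will now commit that much memory on a single thread, a short operator note (size memory_limit and worker counts accordingly, or pass a lower memory_cost explicitly) belongs in the NEWS or UPGRADING entry rather than only in the bug tracker. The parenthesised form also removes the precedence trap the old unparenthesised `1<<10` had when used inside a larger expression, which is worth stating in the commit message so it is not reverted for "consistency" with the other two defines.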

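--- a/ext/standard/tests/password/password_needs_rehash_argon2.phpt
+++ b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2
 
 $hash = password_hash('test', PASSWORD_ARGON2I);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
 
 $hash = password_hash('test', PASSWORD_ARGON2ID);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
+
 echo "OK!";
-?>
 --EXPECT--
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 OK!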
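Review bot: The `threads` option is no longer exercised at all: the old `['threads' => 4]` assertions for both ARGON2I and ARGON2ID were deleted rather than rewritten against the new default, so password_needs_rehash() could stop detecting a threads mismatch without this test noticing. If the parallelism parameter is still compared, add `var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => PASSWORD_ARGON2_DEFAULT_THREADS + 1]));` (and its ARGON2ID twin) with a matching `bool(true)` in --EXPECT--, assuming PASSWORD_ARGON2_DEFAULT_THREADS is exported alongside the two default constants the test already uses. If the assertion was dropped deliberately, for instance because the encoded hash's parallelism does not track the threads option in every build, a one-line comment in the test saying so would stop the next reader from restoring it.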
