From 9e7b10164a4dfe6638030f00e46a7f7b7a492cbe Mon Sep 17 00:00:00 2001
From: JoshyPHP
Date: Wed, 18 Apr 2018 21:10:26 +0200
Subject: [PATCH] [ticket/15646] Added support for Argon2i passwords
PHPBB3-15646
---
 .../default/container/services_password.yml | 14 +++
 phpBB/phpbb/passwords/driver/argon2i.php | 101 ++++++++++++++++++
 tests/passwords/drivers_test.php | 11 +-
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 phpBB/phpbb/passwords/driver/argon2i.php
diff --git a/phpBB/config/default/container/services_password.yml b/phpBB/config/default/container/services_password.yml
index d5f5fe287b..937f656f7c 100644
--- a/phpBB/config/default/container/services_password.yml
+++ b/phpBB/config/default/container/services_password.yml
@@ -1,4 +1,7 @@
 parameters:
+ passwords.driver.argon2_memory_cost: 1024
+ passwords.driver.argon2_threads: 2
+ passwords.driver.argon2_time_cost: 2
 passwords.driver.bcrypt_cost: 10
 services:
@@ -27,6 +30,17 @@ services:
 tags:
 - { name: service_collection, tag: passwords.driver }
+ passwords.driver.argon2i:
+ class: phpbb\passwords\driver\argon2i
+ arguments:
+ - '@config'
+ - '@passwords.driver_helper'
+ - '%passwords.driver.argon2_memory_cost%'
+ - '%passwords.driver.argon2_threads%'
+ - '%passwords.driver.argon2_time_cost%'
+ tags:
+ - { name: passwords.driver }
+
 passwords.driver.bcrypt:
 class: phpbb\passwords\driver\bcrypt
 arguments:
diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php
new file mode 100644
index 0000000000..0ae4cea03a
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/argon2i.php
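Review bot: The three new `passwords.driver.argon2_*` parameters in the first hunk of `services_password.yml` carry no comment on units or limits, and `argon2_memory_cost: 1024` is easy to misread. PHP's `memory_cost` option is expressed in kibibytes, while the `$memory_cost` docblock in `argon2i.php` in this same patch says "in bytes". A line such as `# Argon2 memory cost in KiB; the driver raises values below 1024 to 1024` above the parameter, together with the matching docblock fix in the driver, would prevent a misconfiguration. These values equal the floors the driver constructor enforces with `max()`, so an administrator can only raise them here.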
@@ -0,0 +1,101 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class argon2i extends base
+{
+ const PREFIX = '$argon2i$';
+
+ /** @var int Maximum memory (in bytes) that may be used to compute the Argon2 hash */
+ protected $memory_cost;
+
+ /** @var int Number of threads to use for computing the Argon2 hash */
+ protected $threads;
+
+ /** @var int Maximum amount of time it may take to compute the Argon2 hash */
+ protected $time_cost;
+
+ /**
+ * Constructor of passwords driver object
+ *
+ * @param \phpbb\config\config $config phpBB config
+ * @param \phpbb\passwords\driver\helper $helper Password driver helper
+ * @param int $memory_cost Maximum memory (optional)
+ * @param int $threads Number of threads to use (optional)
+ * @param int $time_cost Maximum amount of time (optional)
+ */
+ public function __construct(\phpbb\config\config $config, helper $helper, $memory_cost = 1024, $threads = 2, $time_cost = 2)
+ {
+ parent::__construct($config, $helper);
+
+ // Don't allow cost factors to be below default settings
+ $this->memory_cost = max($memory_cost, 1024);
+ $this->threads = max($threads, 2);
+ $this->time_cost = max($time_cost, 2);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = [])
+ {
+ return password_verify($password, $hash);
+ }
+
+ /**
+ * Return the options set for this driver instance
+ *
+ * @return array
+ */
+ public function get_options()
+ {
+ return [
+ 'memory_cost' => $this->memory_cost,
+ 'time_cost' => $this->time_cost,
+ 'threads' => $this->threads
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password)
+ {
+ return password_hash($password, PASSWORD_ARGON2I, $this->get_options());
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_supported()
+ {
+ return defined('PASSWORD_ARGON2I') && function_exists('password_hash') && function_exists('password_needs_rehash') && function_exists('password_verify');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function needs_rehash($hash)
+ {
+ return password_needs_rehash($hash, PASSWORD_ARGON2I, $this->get_options());
+ }
+}
diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php
index 01c69a38bb..300c093f12 100644
--- a/tests/passwords/drivers_test.php
+++ b/tests/passwords/drivers_test.php
@@ -23,6 +23,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
 $php_ext = 'php';
 $this->passwords_drivers = array(
+ 'passwords.driver.argon2i' => new \phpbb\passwords\driver\argon2i($config, $this->driver_helper),
 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper, 10),
 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper, 10),
 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
@@ -422,6 +423,10 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
 array('passwords.driver.salted_md5', 'foobar', false),
 array('passwords.driver.bcrypt_2y', '$2y$9$somerandomhash', true),
 array('passwords.driver.bcrypt', '$2a$04$somerandomhash', true),
+ array('passwords.driver.argon2i', '$argon2i$v=19$m=1024,t=2,p=2$NEF0S1JSN04yNGQ1UVRKdA$KYGNI9CbjoKh1UEu1PpdlqbuLbveGwkMcwcT2Un9pPM', false),
+ array('passwords.driver.argon2i', '$argon2i$v=19$m=128,t=2,p=2$M29GUi51QjdKLjIzbC9scQ$6h1gZDqn7JTmVdQ0lJh1x5nyvgO/DaJWUKOFJ0itCJ0', true),
+ array('passwords.driver.argon2i', '$argon2i$v=19$m=1024,t=1,p=2$UnFHb2F4NER3M0xWWmxMUQ$u3javvoAZJeIyR1P3eg0tb8VjEeXvQPagqwetonq1NA', true),
+ array('passwords.driver.argon2i', '$argon2i$v=19$m=1024,t=2,p=1$bm5SeGJ3R3ZRY1A0YXJPNg$v1A9m4sJW+ge0RBtpJ4w9861+J9xkguKBAsZHrG8LQU', true),
 );
 }
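Review bot: `max($threads, 2)` in the constructor treats parallelism as a strength floor, so a deployment cannot configure `p=1`, and on a PHP build whose Argon2 backend accepts only a single thread (an assumption about the runtime, not visible in this diff) `password_hash()` would fail for every new password. `hash()` returns that result unchecked, so a failure value could reach the caller as if it were a hash. Consider `$this->threads = max((int) $threads, 1);` and having `hash()` treat a non-string result from `password_hash()` as an error. The 1024 KiB memory floor is also low next to current password-storage guidance, which commonly asks for tens of MiB, so it is worth documenting as a minimum rather than a recommended value.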
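Review bot: The new argon2i rows in the `needs_rehash` data set (second hunk of `drivers_test.php`) only cover hashes at or below the configured costs; there is no row for a hash with a higher cost, for example one constructed with `m=2048`. `password_needs_rehash()` reports any mismatch with the supplied options, so such a hash would presumably be flagged and re-hashed at the lower configured cost on the next login. Adding one row that pins the expected result for a stronger-than-configured hash would make that behaviour an explicit decision rather than a side effect. The data provider method begins and ends outside the hunk.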
@@ -430,6 +435,10 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
 */
 public function test_needs_rehash($driver, $hash, $expected)
 {
- $this->assertSame($this->passwords_drivers[$driver]->needs_rehash($hash), $expected);
+ if (!$this->passwords_drivers[$driver]->is_supported())
+ {
+ $this->markTestSkipped($driver . ' is not supported');
+ }
+ $this->assertSame($expected, $this->passwords_drivers[$driver]->needs_rehash($hash));
 }
 }
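Review bot: The `is_supported()` skip is added only to `test_needs_rehash`, while the first hunk of this file registers the argon2i driver in `$this->passwords_drivers` for the whole test class. Any other test that walks that array and calls `hash()` or `check()` (none are visible in these hunks, so this is an assumption to verify) would fail rather than skip on a PHP build without `PASSWORD_ARGON2I`. Moving the guard into a small shared helper, or leaving unsupported drivers out when the array is built, would keep the suite consistent on such builds. The method's docblock starts outside the hunk.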