From b7f2f9307b2cb920bba9cecb2599c4469d74127f Mon Sep 17 00:00:00 2001 From: MichaIng Date: Tue, 28 Apr 2020 21:04:34 +0200 Subject: [PATCH] Fix Argon2 options checks The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum. Options are now applied the following way: - If config.php contains the setting with an integer higher or equal to the minimum, it is applied. - If config.php contains the setting with an integer lower than the minimum, the minimum is applied. - If config.php does not contain the setting or with no integer value, the PHP default is applied. Signed-off-by: MichaIng Signed-off-by: Roeland Jago Douma --- lib/private/Security/Hasher.php | 15 +++++---------- tests/lib/Security/HasherTest.php | 5 +++++ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index a65ecabb620..a331a7eedde 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -63,16 +63,11 @@ class Hasher implements IHasher { if (\defined('PASSWORD_ARGON2I')) { // password_hash fails, when the minimum values are undershot. - // In this case, ignore and revert to default - if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) { - $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST); - } - if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { - $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST); - } - if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { - $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS); - } + // In this case, apply minimum. + $this->options['threads'] = max($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), 1); + // The minimum memory cost is 8 KiB per thread. + $this->options['memory_cost'] = max($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), $this->options['threads'] * 8); + $this->options['time_cost'] = max($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), 1); } $hashingCost = $this->config->getSystemValue('hashingCost', null); diff --git a/tests/lib/Security/HasherTest.php b/tests/lib/Security/HasherTest.php index c994b68f781..58d36ff54f7 100644 --- a/tests/lib/Security/HasherTest.php +++ b/tests/lib/Security/HasherTest.php @@ -102,6 +102,11 @@ class HasherTest extends \Test\TestCase { $this->config = $this->createMock(IConfig::class); + $this->config->method('getSystemValueInt') + ->willReturnCallback(function ($name, $default) { + return $default; + }); + $this->hasher = new Hasher($this->config); } -- 2.39.5