diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-03-05 08:40:04 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-03-05 08:40:04 +0100 |
| commit | 53a907f7a8a0832082aee80d6f124cf183a80d3a (patch) | |
| tree | 7fc35a11577ade28a775b6fb5d3470f82ae8e074 | |
| parent | e01c9b8f8e19590ab94c25f7b13a7239e18085b6 (diff) | |
| parent | 518789aa7377acba21c3e8da974e120f24cfc895 (diff) | |
| download | nextcloud-server-53a907f7a8a0832082aee80d6f124cf183a80d3a.tar.gz nextcloud-server-53a907f7a8a0832082aee80d6f124cf183a80d3a.zip | |
Merge pull request #19095 from nextcloud/backport/19023/stable17
[stable17] expose Argon2 options (as we did for bcrypt)
| -rw-r--r-- | config/config.sample.php | 32 | ||||
| -rw-r--r-- | lib/private/Security/Hasher.php | 14 |
2 files changed, 46 insertions, 0 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index e6ef5d90797..c840bdd116e 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -1422,6 +1422,38 @@ $CONFIG = array( 'tempdirectory' => '/tmp/nextcloudtemp', /** + * Hashing + * + * Nextcloud uses the Argon2 algorithm (available with PHP >= 7.2 if compiled + * with it) to create hashes by its own and exposes its configuration options as + * following. The default depends on the PHP build. More information can be + * found at: https://www.php.net/manual/en/function.password-hash.php + */ + +/** + * The allowed maximum memory in KiB to be used by the algorithm for computing a + * hash. The smallest possible value is 8. Values that undershoot the minimum + * will be ignored in favor of the default. + */ +'hashingMemoryCost' => 65536, + +/** + * The allowed maximum time in seconds that can be used by the algorithm for + * computing a hash. The value must be an integer, and the minimum value is 1. + * Values that undershoot the minimum will be ignored in favor of the default. + */ +'hashingTimeCost' => 4, + +/** + * The allowed number of CPU threads that can be used by the algorithm for + * computing a hash. The value must be an integer, and the minimum value is 1. + * Rationally it does not help to provide a number higher than the available + * threads on the machine. Values that undershoot the minimum will be ignored + * in favor of the default. + */ +'hashingThreads' => 1, + +/** * The hashing cost used by hashes generated by Nextcloud * Using a higher value requires more time and CPU power to calculate the hashes */ diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index e20de729f4f..a65ecabb620 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -61,6 +61,20 @@ class Hasher implements IHasher { public function __construct(IConfig $config) { $this->config = $config; + if (\defined('PASSWORD_ARGON2I')) { + // password_hash fails, when the minimum values are undershot. + // In this case, ignore and revert to default + if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) { + $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST); + } + if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { + $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST); + } + if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { + $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS); + } + } + $hashingCost = $this->config->getSystemValue('hashingCost', null); if(!\is_null($hashingCost)) { $this->options['cost'] = $hashingCost; |