From 2ff5871ff4695f8f5f5aa23126c9ea253b6f4d59 Mon Sep 17 00:00:00 2001 From: JoshyPHP Date: Wed, 18 Apr 2018 21:10:26 +0200 Subject: [ticket/15646] Added support for Argon2i passwords PHPBB3-15646 --- phpBB/phpbb/passwords/driver/argon2i.php | 101 +++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/argon2i.php (limited to 'phpBB/phpbb/passwords/driver')
diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php
new file mode 100644
index 0000000000..0ae4cea03a
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/argon2i.php
@@ -0,0 +1,101 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class argon2i extends base
+{
+ const PREFIX = '$argon2i$';
+
+ /** @var int Maximum memory (in bytes) that may be used to compute the Argon2 hash */
+ protected $memory_cost;
+
+ /** @var int Number of threads to use for computing the Argon2 hash */
+ protected $threads;
+
+ /** @var int Maximum amount of time it may take to compute the Argon2 hash */
+ protected $time_cost;
+
+ /**
+ * Constructor of passwords driver object
+ *
+ * @param \phpbb\config\config $config phpBB config
+ * @param \phpbb\passwords\driver\helper $helper Password driver helper
+ * @param int $memory_cost Maximum memory (optional)
+ * @param int $threads Number of threads to use (optional)
+ * @param int $time_cost Maximum amount of time (optional)
+ */
+ public function __construct(\phpbb\config\config $config, helper $helper, $memory_cost = 1024, $threads = 2, $time_cost = 2)
+ {
+ parent::__construct($config, $helper);
+
+ // Don't allow cost factors to be below default settings
+ $this->memory_cost = max($memory_cost, 1024);
+ $this->threads = max($threads, 2);
+ $this->time_cost = max($time_cost, 2);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = [])
+ {
+ return password_verify($password, $hash);
+ }
+
+ /**
+ * Return the options set for this driver instance
+ *
+ * @return array
+ */
+ public function get_options()
+ {
+ return [
+ 'memory_cost' => $this->memory_cost,
+ 'time_cost' => $this->time_cost,
+ 'threads' => $this->threads
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password)
+ {
+ return password_hash($password, PASSWORD_ARGON2I, $this->get_options());
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_supported()
+ {
+ return defined('PASSWORD_ARGON2I') && function_exists('password_hash') && function_exists('password_needs_rehash') && function_exists('password_verify');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function needs_rehash($hash)
+ {
+ return password_needs_rehash($hash, PASSWORD_ARGON2I, $this->get_options());
+ }
+}
-- cgit v1.2.1 From a4a5b069ec60bda85b3f5ef9a0c317f2b173ad27 Mon Sep 17 00:00:00 2001 From: JoshyPHP Date: Mon, 15 Apr 2019 17:46:29 +0200 Subject: [ticket/16016] Add a base class for native password hashing PHPBB3-16016 --- phpBB/phpbb/passwords/driver/argon2i.php | 38 ++------------ phpBB/phpbb/passwords/driver/base_native.php | 75 ++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 33 deletions(-) create mode 100644 phpBB/phpbb/passwords/driver/base_native.php (limited to 'phpBB/phpbb/passwords/driver')
diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php
index 0ae4cea03a..49d7d6393e 100644
--- a/phpBB/phpbb/passwords/driver/argon2i.php
+++ b/phpBB/phpbb/passwords/driver/argon2i.php
@@ -13,10 +13,8 @@ namespace phpbb\passwords\driver; -class argon2i extends base +class argon2i extends base_native { - const PREFIX = '$argon2i$'; - /** @var int Maximum memory (in bytes) that may be used to compute the Argon2 hash */ protected $memory_cost;
@@ -48,15 +46,13 @@ class argon2i extends base /** * {@inheritdoc} */ - public function check($password, $hash, $user_row = []) + public function get_algo_name() { - return password_verify($password, $hash); + return 'PASSWORD_ARGON2I'; } /** - * Return the options set for this driver instance - * - * @return array + * {@inheritdoc} */ public function get_options() {
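Review bot: The docblock on `$memory_cost` in the new argon2i.php gives the unit as bytes, but PHP's `memory_cost` option for `password_hash()` is expressed in kibibytes, so the constructor floor of `1024` means 1 MiB, not 1 KiB. Anyone tuning the cost from that comment would be off by a factor of 1024; I would write `/** @var int Maximum memory (in kibibytes) that may be used to compute the Argon2 hash */` and repeat the unit on the `@param int $memory_cost` line. Separately, `check()` hands the hash straight to `password_verify()`, which accepts any format PHP recognises; whether the caller has already matched the hash against `get_prefix()` is not visible in this file, so a one-line comment stating that assumption would help.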
@@ -72,30 +68,6 @@ class argon2i extends base */ public function get_prefix() { - return self::PREFIX; - } - - /** - * {@inheritdoc} - */ - public function hash($password) - { - return password_hash($password, PASSWORD_ARGON2I, $this->get_options()); - } - - /** - * {@inheritdoc} - */ - public function is_supported() - { - return defined('PASSWORD_ARGON2I') && function_exists('password_hash') && function_exists('password_needs_rehash') && function_exists('password_verify'); - } - - /** - * {@inheritdoc} - */ - public function needs_rehash($hash) - { - return password_needs_rehash($hash, PASSWORD_ARGON2I, $this->get_options()); + return '$argon2i$'; } } diff --git a/phpBB/phpbb/passwords/driver/base_native.php b/phpBB/phpbb/passwords/driver/base_native.php new file mode 100644 index 0000000000..87498327f9 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/base_native.php 
@@ -0,0 +1,75 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+abstract class base_native extends base
+{
+ /**
+ * Return the constant name for this driver's algorithm
+ *
+ * @link https://www.php.net/manual/en/password.constants.php
+ *
+ * @return string
+ */
+ abstract public function get_algo_name();
+
+ /**
+ * Return the options set for this driver instance
+ *
+ * @return array
+ */
+ abstract public function get_options();
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = [])
+ {
+ return password_verify($password, $hash);
+ }
+
+ /**
+ * Return the value for this driver's algorithm
+ *
+ * @return integer
+ */
+ public function get_algo_value()
+ {
+ return constant($this->get_algo_name());
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password)
+ {
+ return password_hash($password, $this->get_algo_value(), $this->get_options());
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_supported()
+ {
+ return defined($this->get_algo_name()) && function_exists('password_hash') && function_exists('password_needs_rehash') && function_exists('password_verify');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function needs_rehash($hash)
+ {
+ return password_needs_rehash($hash, $this->get_algo_value(), $this->get_options());
+ }
+}
-- cgit v1.2.1 From 860a370e8fb04092e0dc7fe7fafba6ec1562bd21 Mon Sep 17 00:00:00 2001 From: JoshyPHP Date: Mon, 15 Apr 2019 18:06:00 +0200 Subject: [ticket/16017] Add support for Argon2id as default password hashing PHPBB3-16017 --- phpBB/phpbb/passwords/driver/argon2id.php | 33 +++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/argon2id.php (limited to 'phpBB/phpbb/passwords/driver')
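Review bot: `get_algo_value()` resolves the algorithm with `constant($this->get_algo_name())`, and neither `hash()` nor `needs_rehash()` checks that the constant exists first, so on a PHP build without Argon2 these calls emit a warning and pass `null` to `password_hash()` on PHP 7, or throw an `Error` on PHP 8. Only `is_supported()` guards with `defined()`; whether every caller consults it before hashing is not visible in this file, so the precondition belongs in the docblock, for example `Callers must check is_supported() first; the constant is undefined otherwise`. The `@return integer` tag is also too narrow, because from PHP 7.4 the `PASSWORD_*` algorithm constants are strings; `@return int|string` covers both.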
diff --git a/phpBB/phpbb/passwords/driver/argon2id.php b/phpBB/phpbb/passwords/driver/argon2id.php
new file mode 100644
index 0000000000..9e4b08bbb9
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/argon2id.php
@@ -0,0 +1,33 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class argon2id extends argon2i
+{
+ /**
+ * {@inheritdoc}
+ */
+ public function get_algo_name()
+ {
+ return 'PASSWORD_ARGON2ID';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return '$argon2id$';
+ }
+}
-- cgit v1.2.1 From 186a3d40c60b4d5f11e6f399737557ef08913078 Mon Sep 17 00:00:00 2001 From: rxu Date: Thu, 26 Dec 2019 19:44:22 +0700 Subject: [ticket/16266] Fix argon2 driver issue for Sodium implementation PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 19 +++++++++++++++---- phpBB/phpbb/passwords/driver/base_native.php | 12 ++++++++++++ 2 files changed, 27 insertions(+), 4 deletions(-) (limited to 'phpBB/phpbb/passwords/driver')
diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php
index 49d7d6393e..3babbaa780 100644
--- a/phpBB/phpbb/passwords/driver/argon2i.php
+++ b/phpBB/phpbb/passwords/driver/argon2i.php
@@ -37,10 +37,21 @@ class argon2i extends base_native { parent::__construct($config, $helper); - // Don't allow cost factors to be below default settings - $this->memory_cost = max($memory_cost, 1024); - $this->threads = max($threads, 2); - $this->time_cost = max($time_cost, 2); + if ($this->is_sodium()) + { + // For Sodium implementation, set special cost factor values (since PHP 7.4) + // See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 + $this->memory_cost = max($memory_cost, 256*1024); + $this->threads = 1; + $this->time_cost = max($time_cost, 3); + } + else + { + // Otherwise don't allow cost factors to be below default settings + $this->memory_cost = max($memory_cost, 1024); + $this->threads = max($threads, 2); + $this->time_cost = max($time_cost, 2); + } } /** diff --git a/phpBB/phpbb/passwords/driver/base_native.php b/phpBB/phpbb/passwords/driver/base_native.php index 87498327f9..31d3465165 100644 --- a/phpBB/phpbb/passwords/driver/base_native.php +++ b/phpBB/phpbb/passwords/driver/base_native.php @@ -57,6 +57,18 @@ abstract class base_native extends base return password_hash($password, $this->get_algo_value(), $this->get_options()); } + /** + * Check if Sodium implementation for argon2 algorithm is being used + * + * @link https://wiki.php.net/rfc/sodium.argon.hash + * + * @return bool + */ + public function is_sodium() + { + return defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium'; + } + /** * {@inheritdoc} */ -- cgit v1.2.1 From 5dfba1b06473ecb0298d9b61fd9dec28ac60f884 Mon Sep 17 00:00:00 2001 From: rxu Date: Sat, 28 Dec 2019 00:15:08 +0700 Subject: [ticket/16266] Optimize code PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 21 ++++++--------------- phpBB/phpbb/passwords/driver/base_native.php | 9 ++++++++- 2 files changed, 14 insertions(+), 16 deletions(-) (limited to 'phpBB/phpbb/passwords/driver') 
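Review bot: In the Sodium branch of the constructor the floor `max($memory_cost, 256*1024)` is in kibibytes, so every hash created by this driver, and each later verification of it, needs at least 256 MiB. Under concurrent logins on a small host that turns the login path into a memory-exhaustion risk, and the `(in bytes)` wording on the `$memory_cost` property makes the figure look 1024 times smaller than it is. The comment cites the RFC but does not say which constraint requires these values; I would either floor at PHP's own `PASSWORD_ARGON2_DEFAULT_MEMORY_COST` or add a comment such as `// memory_cost is in KiB: 256*1024 = 256 MiB per hash` together with the reason. The same branch silently discards the caller's `$threads`, which the constructor docblock should mention; the constructor begins outside this hunk.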
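Review bot: `is_sodium()` in base_native.php compares with a loose `==`; a strict comparison states the intent and avoids PHP's string-coercion rules, `return defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER === 'sodium';`. The method is also added as `public` on the abstract base although the only caller visible in this commit is the argon2i constructor, so `protected` would keep it out of the driver's public surface unless callers exist outside this diff.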
diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index 3babbaa780..9aa2b6f14c 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php @@ -37,21 +37,12 @@ class argon2i extends base_native { parent::__construct($config, $helper); - if ($this->is_sodium()) - { - // For Sodium implementation, set special cost factor values (since PHP 7.4) - // See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 - $this->memory_cost = max($memory_cost, 256*1024); - $this->threads = 1; - $this->time_cost = max($time_cost, 3); - } - else - { - // Otherwise don't allow cost factors to be below default settings - $this->memory_cost = max($memory_cost, 1024); - $this->threads = max($threads, 2); - $this->time_cost = max($time_cost, 2); - } + // For Sodium implementation, set special cost factor values (since PHP 7.4) + // See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 + // Otherwise don't allow cost factors to be below default settings + $this->memory_cost = ($this->is_sodium()) ? max($memory_cost, 256*1024) : max($memory_cost, 1024); + $this->threads = ($this->is_sodium()) ? 1 : max($threads, 2); + $this->time_cost = ($this->is_sodium()) ? max($time_cost, 3) : max($time_cost, 2); } /** diff --git a/phpBB/phpbb/passwords/driver/base_native.php b/phpBB/phpbb/passwords/driver/base_native.php index 31d3465165..fa4f0995a5 100644 --- a/phpBB/phpbb/passwords/driver/base_native.php +++ b/phpBB/phpbb/passwords/driver/base_native.php @@ -66,7 +66,14 @@ abstract class base_native extends base */ public function is_sodium() { - return defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium'; + static $is_sodium; + + if (empty($is_sodium)) + { + $is_sodium = defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium'; + } + + return $is_sodium; } /** -- cgit v1.2.1 From a750372a030c343b4f158be23d8aa3901c6094f3 Mon Sep 17 00:00:00 2001 
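Review bot: The memo added to `is_sodium()` in base_native.php is tested with `empty($is_sodium)`, and `empty(false)` is true, so on any build where the provider is not sodium the cached `false` is never honoured and the `defined()` check reruns on every call. `if (!isset($is_sodium))` distinguishes "not yet computed" from a computed `false`. The function's docblock lies outside this hunk.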
From: rxu Date: Sat, 28 Dec 2019 01:04:13 +0700 Subject: [ticket/16266] More code optimizing PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 8 +++++--- phpBB/phpbb/passwords/driver/base_native.php | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'phpBB/phpbb/passwords/driver') diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index 9aa2b6f14c..575fbf05bd 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php @@ -37,9 +37,11 @@ class argon2i extends base_native { parent::__construct($config, $helper); - // For Sodium implementation, set special cost factor values (since PHP 7.4) - // See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 - // Otherwise don't allow cost factors to be below default settings + /** + * For Sodium implementation of argon2 algorithm, set special cost factor values (since PHP 7.4) + * See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 + * Don't allow cost factors to be below default settings where possible + */ $this->memory_cost = ($this->is_sodium()) ? max($memory_cost, 256*1024) : max($memory_cost, 1024); $this->threads = ($this->is_sodium()) ? 1 : max($threads, 2); $this->time_cost = ($this->is_sodium()) ? max($time_cost, 3) : max($time_cost, 2); diff --git a/phpBB/phpbb/passwords/driver/base_native.php b/phpBB/phpbb/passwords/driver/base_native.php index fa4f0995a5..ab2e9f83a4 100644 --- a/phpBB/phpbb/passwords/driver/base_native.php +++ b/phpBB/phpbb/passwords/driver/base_native.php @@ -68,7 +68,7 @@ abstract class base_native extends base { static $is_sodium; - if (empty($is_sodium)) + if (!isset($is_sodium)) { $is_sodium = defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium'; } -- cgit v1.2.1 From d000717d341a2c12099b0fba3ab677bbb0f2340c Mon Sep 17 00:00:00 2001 
From: rxu Date: Sat, 28 Dec 2019 02:11:58 +0700 Subject: [ticket/16266] More code optimizing PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb/passwords/driver') diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index 575fbf05bd..f4a6e3e644 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php @@ -42,9 +42,9 @@ class argon2i extends base_native * See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 * Don't allow cost factors to be below default settings where possible */ - $this->memory_cost = ($this->is_sodium()) ? max($memory_cost, 256*1024) : max($memory_cost, 1024); - $this->threads = ($this->is_sodium()) ? 1 : max($threads, 2); - $this->time_cost = ($this->is_sodium()) ? max($time_cost, 3) : max($time_cost, 2); + $this->memory_cost = $this->is_sodium() ? max($memory_cost, 256 * 1024) : max($memory_cost, 1024); + $this->threads = $this->is_sodium() ? 1 : max($threads, 2); + $this->time_cost = $this->is_sodium() ? max($time_cost, 3) : max($time_cost, 2); } /** -- cgit v1.2.1 From 3669849368b8b39d661e08c2476c510cd4fc7445 Mon Sep 17 00:00:00 2001 From: rxu Date: Sat, 28 Dec 2019 12:20:51 +0700 Subject: [ticket/16266] Refactor patch using argon2 predefined constants PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 9 +++++---- phpBB/phpbb/passwords/driver/base_native.php | 19 ------------------- 2 files changed, 5 insertions(+), 23 deletions(-) (limited to 'phpBB/phpbb/passwords/driver') diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index f4a6e3e644..f622ad889b 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php 
@@ -38,13 +38,14 @@ class argon2i extends base_native parent::__construct($config, $helper); /** - * For Sodium implementation of argon2 algorithm, set special cost factor values (since PHP 7.4) + * For Sodium implementation of argon2 algorithm (since PHP 7.4), set special value of 1 for "threads" cost factor * See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 * Don't allow cost factors to be below default settings where possible */ - $this->memory_cost = $this->is_sodium() ? max($memory_cost, 256 * 1024) : max($memory_cost, 1024); - $this->threads = $this->is_sodium() ? 1 : max($threads, 2); - $this->time_cost = $this->is_sodium() ? max($time_cost, 3) : max($time_cost, 2); + $this->memory_cost = max($memory_cost, PASSWORD_ARGON2_DEFAULT_MEMORY_COST); + $this->time_cost = max($time_cost, PASSWORD_ARGON2_DEFAULT_TIME_COST); + $this->threads = (defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium') ? + PASSWORD_ARGON2_DEFAULT_THREADS : max($threads, PASSWORD_ARGON2_DEFAULT_THREADS); } /** diff --git a/phpBB/phpbb/passwords/driver/base_native.php b/phpBB/phpbb/passwords/driver/base_native.php index ab2e9f83a4..87498327f9 100644 --- a/phpBB/phpbb/passwords/driver/base_native.php +++ b/phpBB/phpbb/passwords/driver/base_native.php @@ -57,25 +57,6 @@ abstract class base_native extends base return password_hash($password, $this->get_algo_value(), $this->get_options()); } - /** - * Check if Sodium implementation for argon2 algorithm is being used - * - * @link https://wiki.php.net/rfc/sodium.argon.hash - * - * @return bool - */ - public function is_sodium() - { - static $is_sodium; - - if (!isset($is_sodium)) - { - $is_sodium = defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium'; - } - - return $is_sodium; - } - /** * {@inheritdoc} */ -- cgit v1.2.1 From c71d4c364adc27dfecd60b47857968f1050f6df6 Mon Sep 17 00:00:00 2001 
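Review bot: The constructor in argon2i.php now reads `PASSWORD_ARGON2_DEFAULT_MEMORY_COST`, `PASSWORD_ARGON2_DEFAULT_TIME_COST` and `PASSWORD_ARGON2_DEFAULT_THREADS` with no `defined()` guard. Merely constructing the driver on a PHP build without Argon2 therefore raises an undefined-constant warning on PHP 7, where the bare name is then fed to `max()` as a string, and an `Error` on PHP 8, even though `is_supported()` would report the driver as unavailable. Each read should be guarded, e.g. `defined('PASSWORD_ARGON2_DEFAULT_TIME_COST') ? PASSWORD_ARGON2_DEFAULT_TIME_COST : 2`. The constructor begins outside this hunk.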
From: rxu Date: Sun, 29 Dec 2019 16:09:17 +0700 Subject: [ticket/16266] Prevent "Use of undefined constant" warning in tests PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'phpBB/phpbb/passwords/driver') diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index f622ad889b..bf4d6ec33a 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php @@ -37,6 +37,14 @@ class argon2i extends base_native { parent::__construct($config, $helper); + // Workaround to prevent "Use of undefined constant" warning on some unsupported PHP installations + if (!defined('PASSWORD_ARGON2I')) + { + define('PASSWORD_ARGON2_DEFAULT_MEMORY_COST', 1024); + define('PASSWORD_ARGON2_DEFAULT_TIME_COST', 2); + define('PASSWORD_ARGON2_DEFAULT_THREADS', 1); + } + /** * For Sodium implementation of argon2 algorithm (since PHP 7.4), set special value of 1 for "threads" cost factor * See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 -- cgit v1.2.1 From 9fa058a8bd66966082d624aacb65aa4abb46ef98 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 5 Jan 2020 14:58:17 +0100 Subject: [ticket/16266] Remove extra declaration of constants PHPBB3-16266 --- phpBB/phpbb/passwords/driver/argon2i.php | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'phpBB/phpbb/passwords/driver') diff --git a/phpBB/phpbb/passwords/driver/argon2i.php b/phpBB/phpbb/passwords/driver/argon2i.php index bf4d6ec33a..03368f6361 100644 --- a/phpBB/phpbb/passwords/driver/argon2i.php +++ b/phpBB/phpbb/passwords/driver/argon2i.php 
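Review bot: The added guard tests `PASSWORD_ARGON2I` but the block defines three other constants, so the condition stays true after the first run and a second construction in the same request calls `define()` on names that now exist, raising an "already defined" notice (a warning on PHP 8). That happens as soon as more than one of these drivers is instantiated, for example argon2i together with a subclass that inherits this constructor. Defining PHP's own `PASSWORD_ARGON2_*` names globally can also mislead other code that uses `defined()` on them to detect Argon2 support. Local fallbacks such as `defined('PASSWORD_ARGON2_DEFAULT_TIME_COST') ? PASSWORD_ARGON2_DEFAULT_TIME_COST : 2` avoid both problems; the constructor starts and ends outside this hunk.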
@@ -37,23 +37,15 @@ class argon2i extends base_native { parent::__construct($config, $helper); - // Workaround to prevent "Use of undefined constant" warning on some unsupported PHP installations - if (!defined('PASSWORD_ARGON2I')) - { - define('PASSWORD_ARGON2_DEFAULT_MEMORY_COST', 1024); - define('PASSWORD_ARGON2_DEFAULT_TIME_COST', 2); - define('PASSWORD_ARGON2_DEFAULT_THREADS', 1); - } - /** * For Sodium implementation of argon2 algorithm (since PHP 7.4), set special value of 1 for "threads" cost factor * See https://wiki.php.net/rfc/sodium.argon.hash and PHPBB3-16266 * Don't allow cost factors to be below default settings where possible */ - $this->memory_cost = max($memory_cost, PASSWORD_ARGON2_DEFAULT_MEMORY_COST); - $this->time_cost = max($time_cost, PASSWORD_ARGON2_DEFAULT_TIME_COST); + $this->memory_cost = max($memory_cost, defined('PASSWORD_ARGON2_DEFAULT_MEMORY_COST') ? PASSWORD_ARGON2_DEFAULT_MEMORY_COST : 1024); + $this->time_cost = max($time_cost, defined('PASSWORD_ARGON2_DEFAULT_TIME_COST') ? PASSWORD_ARGON2_DEFAULT_TIME_COST : 2); $this->threads = (defined('PASSWORD_ARGON2_PROVIDER') && PASSWORD_ARGON2_PROVIDER == 'sodium') ? - PASSWORD_ARGON2_DEFAULT_THREADS : max($threads, PASSWORD_ARGON2_DEFAULT_THREADS); + PASSWORD_ARGON2_DEFAULT_THREADS : max($threads, defined('PASSWORD_ARGON2_DEFAULT_THREADS') ? PASSWORD_ARGON2_DEFAULT_THREADS : 1); } /** -- cgit v1.2.1
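Review bot: The fallback literals `1024`, `2` and `1` in the constructor are reached only when the `PASSWORD_ARGON2_DEFAULT_*` constants are missing, which presumably means Argon2 itself is unavailable, but nothing in the hunk says so and a reader may take them for the effective minimum cost. I would add a comment above the assignments along the lines of `// Fallbacks only avoid undefined-constant errors on builds without Argon2; is_supported() is false there`, once that contract is confirmed. The `threads` assignment is hard to follow as a nested ternary split over two lines and still compares with `==`; computing the default once and testing `PASSWORD_ARGON2_PROVIDER === 'sodium'` would read more clearly. The constructor begins outside this hunk.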