Relax argon2 mem_cost down to 64k, bump time_cost to 4

sgolemon · sgolemon · commit f65956e4fb4d · 2019-07-09T11:36:48.000-04:00
diff --git a/ext/sodium/sodium_pwhash.c b/ext/sodium/sodium_pwhash.c
@@ -29,16 +29,15 @@
 #if SODIUM_LIBRARY_VERSION_MAJOR > 9 || (SODIUM_LIBRARY_VERSION_MAJOR == 9 && SODIUM_LIBRARY_VERSION_MINOR >= 6)
 
 /**
- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values.
  * MEMLIMIT is normalized to KB even though sodium uses Bytes in order to
  * present a consistent user-facing API.
  *
  * Threads are fixed at 1 by libsodium.
  *
  * When updating these values, synchronize ext/standard/php_password.h values.
  */
-#define PHP_SODIUM_PWHASH_MEMLIMIT (256 << 10)
-#define PHP_SODIUM_PWHASH_OPSLIMIT 3
+#define PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10)
+#define PHP_SODIUM_PWHASH_OPSLIMIT 4
 #define PHP_SODIUM_PWHASH_THREADS 1
 
 static zend_string *php_sodium_argon2_hash(const zend_string *password, zend_array *options, int alg) {
diff --git a/ext/sodium/tests/php_password_hash_argon2i.phpt b/ext/sodium/tests/php_password_hash_argon2i.phpt
@@ -36,38 +36,38 @@ foreach([1, 2, 4] as $mem) {
 --EXPECTF--
 Argon2 provider: string(%d) "%s"
 Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=262144,t=3,p=1$%s$%s"
+Hash: string(96) "$argon2i$v=19$m=65536,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=262144,t=6,p=1$%s$%s"
+Hash: string(96) "$argon2i$v=19$m=65536,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=262144,t=12,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=65536,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=524288,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=131072,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=524288,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=131072,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=524288,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2i$v=19$m=131072,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=1048576,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=262144,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=1048576,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=262144,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(99) "$argon2i$v=19$m=1048576,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2i$v=19$m=262144,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
diff --git a/ext/sodium/tests/php_password_hash_argon2id.phpt b/ext/sodium/tests/php_password_hash_argon2id.phpt
@@ -36,38 +36,39 @@ foreach([1, 2, 4] as $mem) {
 --EXPECTF--
 Argon2 provider: string(%d) "%s"
 Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=262144,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2id$v=19$m=65536,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=262144,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2id$v=19$m=65536,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=262144,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=65536,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=524288,t=3,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=131072,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=524288,t=6,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=131072,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=524288,t=12,p=1$%s$%s"
+Hash: string(99) "$argon2id$v=19$m=131072,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=1048576,t=3,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=262144,t=4,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=1048576,t=6,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=262144,t=8,p=1$%s$%s"
 bool(true)
 bool(false)
 Using password: string(44) "%s"
-Hash: string(100) "$argon2id$v=19$m=1048576,t=12,p=1$%s$%s"
+Hash: string(99) "$argon2id$v=19$m=262144,t=16,p=1$%s$%s"
 bool(true)
 bool(false)
+
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
@@ -34,14 +34,11 @@ PHP_MSHUTDOWN_FUNCTION(password);
 
 #if HAVE_ARGON2LIB
 /**
- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values.
- * Threads are fixed at 1 by libsodium.
- *
  * When updating these values, synchronize ext/sodium/sodium_pwhash.c values.
  * Note that libargon expresses memlimit in KB, while libsoidum uses bytes.
  */
-#define PHP_PASSWORD_ARGON2_MEMORY_COST (256 << 10)
-#define PHP_PASSWORD_ARGON2_TIME_COST 3
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
 #define PHP_PASSWORD_ARGON2_THREADS 1
 #endif
 
diff --git a/ext/standard/tests/password/password_needs_rehash_argon2.phpt b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2
 
 $hash = password_hash('test', PASSWORD_ARGON2I);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
 
 $hash = password_hash('test', PASSWORD_ARGON2ID);
 var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
+
 echo "OK!";
-?>
 --EXPECT--
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 bool(false)
 bool(true)
 bool(true)
-bool(true)
 OK!
