Removing Argon2d, changing config arg to --with-password-argon2

Argon2d is not suitable for password_hashing. To ensure best practices
within password_*, Argon2d was removed.

--with-argon2 implies the full feature set of Argon2, whereas this
feature only implements Argon2i within password_*. Consequently
the feature flag was renamed to --with-password-argon2

Author: charlesportwoodii

ext/standard/config.m4

@@ -553,8 +553,8 @@ AC_CHECK_DECLS([getrandom])
 dnl
 dnl Check for argon2
 dnl
-PHP_ARG_WITH(argon2, for Argon2 support,
-[  --with-argon2[=DIR]           Include Argon2 support in password_*. DIR is the Argon2 shared library path]])
+PHP_ARG_WITH(password-argon2, for Argon2 support,
+[  --with-password-argon2[=DIR]           Include Argon2 support in password_*. DIR is the Argon2 shared library path]])
 
 if test "$PHP_ARGON2" != "no"; then
   AC_MSG_CHECKING([for Argon2 library])

ext/standard/config.w32

@@ -1,7 +1,7 @@
 // vim:ft=javascript
 // $Id$
 
-ARG_WITH("argon2", "Argon2 support", "no");
+ARG_WITH("password-argon2", "Argon2 support", "no");
 
 if (PHP_ARGON2 != "no") {
 	if (CHECK_LIB("Argon2Ref.lib", null, PHP_ARGON2)

ext/standard/password.c

@@ -45,7 +45,6 @@ PHP_MINIT_FUNCTION(password) /* {{{ */
 	REGISTER_LONG_CONSTANT("PASSWORD_BCRYPT", PHP_PASSWORD_BCRYPT, CONST_CS | CONST_PERSISTENT);
 #if HAVE_ARGON2LIB
 	REGISTER_LONG_CONSTANT("PASSWORD_ARGON2I", PHP_PASSWORD_ARGON2I, CONST_CS | CONST_PERSISTENT);
-	REGISTER_LONG_CONSTANT("PASSWORD_ARGON2D", PHP_PASSWORD_ARGON2D, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("PASSWORD_ARGON2", PHP_PASSWORD_ARGON2, CONST_CS | CONST_PERSISTENT);
 #endif
 
@@ -68,8 +67,6 @@ static char* php_password_get_algo_name(const php_password_algo algo)
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
 			return "argon2i";
-		case PHP_PASSWORD_ARGON2D:
-			return "argon2d";	
 #endif
 		case PHP_PASSWORD_UNKNOWN:
 		default:
@@ -85,8 +82,6 @@ static php_password_algo php_password_determine_algo(const char *hash, const siz
 #if HAVE_ARGON2LIB
 	if (len >= sizeof("$argon2i$")-1 && !memcmp(hash, "$argon2i$", sizeof("$argon2i$")-1)) {
     	return PHP_PASSWORD_ARGON2I;
-	} else if (len >= sizeof("$argon2d$")-1 && !memcmp(hash, "$argon2d$", sizeof("$argon2d$")-1)) {
-		return PHP_PASSWORD_ARGON2D;
 	}
 #endif
 
@@ -198,14 +193,13 @@ PHP_FUNCTION(password_get_info)
 			break;
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
-		case PHP_PASSWORD_ARGON2D:
 			{
 				zend_long v = 0;
 				zend_long m_cost = PHP_PASSWORD_ARGON2_MEMORY_COST;
 				zend_long t_cost = PHP_PASSWORD_ARGON2_TIME_COST;
 				zend_long threads = PHP_PASSWORD_ARGON2_THREADS;
 
-				sscanf(hash, "$%*[argon2id]$v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, &v, &m_cost, &t_cost, &threads);
+				sscanf(hash, "$%*[argon2i]$v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, &v, &m_cost, &t_cost, &threads);
 				add_assoc_long(&options, "m_cost", m_cost);
 				add_assoc_long(&options, "t_cost", t_cost);
 				add_assoc_long(&options, "threads", threads);
@@ -263,7 +257,6 @@ PHP_FUNCTION(password_needs_rehash)
 			break;
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
-		case PHP_PASSWORD_ARGON2D:
 			{
 				zend_long v = 0;
 				zend_long new_m_cost = PHP_PASSWORD_ARGON2_MEMORY_COST, m_cost = 0;
@@ -282,7 +275,7 @@ PHP_FUNCTION(password_needs_rehash)
 					new_threads = zval_get_long(option_buffer);
 				}
 
-				sscanf(hash, "$%*[argon2id]$v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, &v, &m_cost, &t_cost, &threads);
+				sscanf(hash, "$%*[argon2i]$v=" ZEND_LONG_FMT "$m=" ZEND_LONG_FMT ",t=" ZEND_LONG_FMT ",p=" ZEND_LONG_FMT, &v, &m_cost, &t_cost, &threads);
 
 				if (new_t_cost != t_cost || new_m_cost != m_cost || new_threads != threads) {
 					RETURN_TRUE;
@@ -317,16 +310,9 @@ PHP_FUNCTION(password_verify)
 	switch(algo) {
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
-		case PHP_PASSWORD_ARGON2D:
 			{
 				argon2_type type = Argon2_i;
 
-				if (algo == PHP_PASSWORD_ARGON2I) {
-					type = Argon2_i;
-				} else if (algo == PHP_PASSWORD_ARGON2D) {
-					type = Argon2_d;
-				}
-
 				status = argon2_verify(hash, password, password_len, type);
 
 				if (status == ARGON2_OK) {
@@ -412,7 +398,6 @@ PHP_FUNCTION(password_hash)
 			break;
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
-		case PHP_PASSWORD_ARGON2D:
 			{
 				if (options && (option_buffer = zend_hash_str_find(options, "m_cost", sizeof("m_cost")-1)) != NULL) {
 					m_cost = zval_get_long(option_buffer);
@@ -441,12 +426,6 @@ PHP_FUNCTION(password_hash)
 					RETURN_NULL();
 				}
 
-				if (algo == PHP_PASSWORD_ARGON2D) {
-					type = Argon2_d;
-				} else if (algo == PHP_PASSWORD_ARGON2I) {
-					type = Argon2_i;
-				}
-
 				required_salt_len = 16;
 			}
 			break;
@@ -547,7 +526,6 @@ PHP_FUNCTION(password_hash)
 			break;
 #if HAVE_ARGON2LIB
 		case PHP_PASSWORD_ARGON2I:
-		case PHP_PASSWORD_ARGON2D:
 			{
 				size_t out_len = 32;
 				size_t encoded_len;

ext/standard/php_password.h

@@ -43,8 +43,7 @@ typedef enum {
     PHP_PASSWORD_UNKNOWN,
     PHP_PASSWORD_BCRYPT,
 #if HAVE_ARGON2LIB
-    PHP_PASSWORD_ARGON2D,
-    PHP_PASSWORD_ARGON2I
+    PHP_PASSWORD_ARGON2I,
 #endif
 } php_password_algo;
 

ext/standard/tests/password/password_get_info_argon2.phpt

@@ -6,16 +6,14 @@ if (!defined('PASSWORD_ARGON2')) die('Skipped: password_get_info not built with
 ?>
 --FILE--
 <?php
-// Test Argon2i
+
 var_dump(password_get_info('$argon2i$v=19$m=65536,t=3,p=1$SWhIcG5MT21Pc01PbWdVZw$WagZELICsz7jlqOR2YzoEVTWb2oOX1tYdnhZYXxptbU'));
-// Test Argon2d
-var_dump(password_get_info('$argon2d$v=19$m=32768,t=2,p=1$YWpxd0VYRW9MLmp6VjFPZw$pWV5IsbBfjEK5c0bHzvAo0FsDNHUyM4p6j8vf2cxzb8'));
 echo "OK!";
 ?>
 --EXPECT--
 array(3) {
   ["algo"]=>
-  int(3)
+  int(2)
   ["algoName"]=>
   string(7) "argon2i"
   ["options"]=>
@@ -28,19 +26,4 @@ array(3) {
     int(1)
   }
 }
-array(3) {
-  ["algo"]=>
-  int(2)
-  ["algoName"]=>
-  string(7) "argon2d"
-  ["options"]=>
-  array(3) {
-    ["m_cost"]=>
-    int(32768)
-    ["t_cost"]=>
-    int(2)
-    ["threads"]=>
-    int(1)
-  }
-}
 OK!

ext/standard/tests/password/password_hash_argon2.phpt

@@ -14,13 +14,9 @@ var_dump(password_verify($password, $hash));
 $hash = password_hash($password, PASSWORD_ARGON2I);
 var_dump(password_verify($password, $hash));
 
-$hash = password_hash($password, PASSWORD_ARGON2D);
-var_dump(password_verify($password, $hash));
-
 echo "OK!";
 ?>
 --EXPECT--
 bool(true)
 bool(true)
-bool(true)
 OK!

ext/standard/tests/password/password_needs_rehash_argon2.phpt

@@ -6,12 +6,16 @@ if (!defined('PASSWORD_ARGON2')) die('Skipped: password_get_info not built with
 ?>
 --FILE--
 <?php
-var_dump(password_needs_rehash('$argon2i$v=19$m=65536,t=3,p=1$YkprUktYN0lHQTd2bWRFeA$79aA+6IvgclpDAJVoezProlqzIPy7do/P0sBDXS9Nn0', PASSWORD_ARGON2, ['m_cost' => 1<<17]));
-var_dump(password_needs_rehash('$argon2i$v=19$m=65536,t=3,p=1$YkprUktYN0lHQTd2bWRFeA$79aA+6IvgclpDAJVoezProlqzIPy7do/P0sBDXS9Nn0', PASSWORD_ARGON2, ['t_cost' => 2]));
-var_dump(password_needs_rehash('$argon2i$v=19$m=65536,t=3,p=1$YkprUktYN0lHQTd2bWRFeA$79aA+6IvgclpDAJVoezProlqzIPy7do/P0sBDXS9Nn0', PASSWORD_ARGON2, ['threads' => 2]));
+
+$hash = '$argon2i$v=19$m=65536,t=3,p=1$YkprUktYN0lHQTd2bWRFeA$79aA+6IvgclpDAJVoezProlqzIPy7do/P0sBDXS9Nn0';
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2, ['m_cost' => 1<<17]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2, ['t_cost' => 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2, ['threads' => 2]));
 echo "OK!";
 ?>
 --EXPECT--
+bool(false)
 bool(true)
 bool(true)
 bool(true)

ext/standard/tests/password/password_verify_argon2.phpt

@@ -7,10 +7,6 @@ if (!defined('PASSWORD_ARGON2')) die('Skipped: password_get_info not built with
 --FILE--
 <?php
 
-var_dump(password_verify('test', '$argon2d$v=19$m=32768,t=2,p=1$YWpxd0VYRW9MLmp6VjFPZw$pWV5IsbBfjEK5c0bHzvAo0FsDNHUyM4p6j8vf2cxzb8'));
-
-var_dump(password_verify('argon2', '$argon2d$v=19$m=32768,t=2,p=1$YWpxd0VYRW9MLmp6VjFPZw$pWV5IsbBfjEK5c0bHzvAo0FsDNHUyM4p6j8vf2cxzb8'));
-
 var_dump(password_verify('test', '$argon2i$v=19$m=65536,t=3,p=1$OEVjWWs2Z3YvWlNZQ0ZmNw$JKin7ahjmh8JYvMyFcXri0Ss/Uvd3uYpD7MG6C/5Cy0'));
 
 var_dump(password_verify('argon2', '$argon2i$v=19$m=65536,t=3,p=1$OEVjWWs2Z3YvWlNZQ0ZmNw$JKin7ahjmh8JYvMyFcXri0Ss/Uvd3uYpD7MG6C/5Cy0'));
@@ -19,6 +15,4 @@ echo "OK!";
 --EXPECT--
 bool(true)
 bool(false)
-bool(true)
-bool(false)
 OK!