feature #26175 [Security] Add configuration for Argon2i encryption (CoalaJoe)

fabpot · fabpot · commit efaf1d6d7f91 · 2018-02-20T21:36:26.000+01:00
This PR was merged into the 4.1-dev branch. Discussion ---------- [Security] Add configuration for Argon2i encryption | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26174 | License | MIT | Doc PR | [#9300](symfony/symfony-docs#9300) Feedback? Current situation: Configuration only applies if argon2i is natively supported. Commits ------- 1300fece5f [Security] Add configuration for Argon2i encryption
diff --git a/Encoder/Argon2iPasswordEncoder.php b/Encoder/Argon2iPasswordEncoder.php
@@ -17,9 +17,30 @@
  * Argon2iPasswordEncoder uses the Argon2i hashing algorithm.
  *
  * @author Zan Baldwin <hello@zanbaldwin.com>
+ * @author Dominik Müller <dominik.mueller@jkweb.ch>
  */
 class Argon2iPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
 {
+    private $config = array();
+
+    /**
+     * Argon2iPasswordEncoder constructor.
+     *
+     * @param int|null $memoryCost memory usage of the algorithm
+     * @param int|null $timeCost   number of iterations
+     * @param int|null $threads    number of parallel threads
+     */
+    public function __construct(int $memoryCost = null, int $timeCost = null, int $threads = null)
+    {
+        if (\defined('PASSWORD_ARGON2I')) {
+            $this->config = array(
+                'memory_cost' => $memoryCost ?? \PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
+                'time_cost' => $timeCost ?? \PASSWORD_ARGON2_DEFAULT_TIME_COST,
+                'threads' => $threads ?? \PASSWORD_ARGON2_DEFAULT_THREADS,
+            );
+        }
+    }
+
     public static function isSupported()
     {
         if (\defined('PASSWORD_ARGON2I')) {
@@ -81,7 +102,7 @@ public function isPasswordValid($encoded, $raw, $salt)
 
     private function encodePasswordNative($raw)
     {
-        return password_hash($raw, \PASSWORD_ARGON2I);
+        return password_hash($raw, \PASSWORD_ARGON2I, $this->config);
     }
 
     private function encodePasswordSodiumFunction($raw)
diff --git a/Encoder/EncoderFactory.php b/Encoder/EncoderFactory.php
@@ -111,7 +111,11 @@ private function getEncoderConfigFromAlgorithm($config)
             case 'argon2i':
                 return array(
                     'class' => Argon2iPasswordEncoder::class,
-                    'arguments' => array(),
+                    'arguments' => array(
+                        $config['memory_cost'],
+                        $config['time_cost'],
+                        $config['threads'],
+                    ),
                 );
         }
 
diff --git a/Tests/Encoder/Argon2iPasswordEncoderTest.php b/Tests/Encoder/Argon2iPasswordEncoderTest.php
@@ -28,6 +28,14 @@ protected function setUp()
         }
     }
 
+    public function testValidationWithConfig()
+    {
+        $encoder = new Argon2iPasswordEncoder(4, 4, 1);
+        $result = $encoder->encodePassword(self::PASSWORD, null);
+        $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, null));
+        $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+    }
+
     public function testValidation()
     {
         $encoder = new Argon2iPasswordEncoder();

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,14 @@ protected function setUp()`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
	`31`	`+ public function testValidationWithConfig()`
	`32`	`+ {`
	`33`	`+ $encoder = new Argon2iPasswordEncoder(4, 4, 1);`
	`34`	`+ $result = $encoder->encodePassword(self::PASSWORD, null);`
	`35`	`+ $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, null));`
	`36`	`+ $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));`
	`37`	`+ }`
	`38`	`+`
`31`	`39`	`public function testValidation()`
`32`	`40`	`{`
`33`	`41`	`$encoder = new Argon2iPasswordEncoder();`