Sec Bug #78269 password_hash uses weak options for argon2
Submitted: 2019-07-10 09:15 UTC Modified: 2019-07-10 16:15 UTC
From: remi@php.net Assigned:
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.2.20 OS: irrelevant
Private report: No CVE-ID: None
 [2019-07-10 09:15 UTC] remi@php.net
Description:
------------
Current value

memory cost = 1 << 10
time cost = 2


From libsodium recommendation for interactive mode

argon2i

memory cost = 32 << 10
time cost = 4

argon2id

memory cost = 64 << 10
time cost = 2




Patches

php73.patch (last revision 2019-07-10 09:16 UTC by remi@php.net)
php72.patch (last revision 2019-07-10 09:16 UTC by remi@php.net)

History

 [2019-07-10 09:16 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: php72.patch
Revision:   1562750164
URL:        https://bugs.php.net/patch-display.php?bug=78269&patch=php72.patch&revision=1562750164
 [2019-07-10 09:16 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: php73.patch
Revision:   1562750176
URL:        https://bugs.php.net/patch-display.php?bug=78269&patch=php73.patch&revision=1562750176
 [2019-07-10 09:18 UTC] remi@php.net
Patch proposal already applied in 7.4
 [2019-07-10 09:46 UTC] cmb@php.net
It seems to me that the memory cost is measured in kibibytes for
libargon, but bytes for libsodium.  There may be further
differences between the two libraries.
 [2019-07-10 16:15 UTC] stas@php.net
I do not see any reason to hide it, IMO can be applied immediately.
 [2019-07-15 12:12 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eab0079c902a9a52773c6bb63b57555dee45b3ab
Log: Fix #78269 password_hash uses weak options for argon2
 [2019-07-15 12:12 UTC] remi@php.net
-Status: Open +Status: Closed
 [2019-07-15 12:12 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a7ff3a648336c33cfd8c7b63199bc7b0e49fbdea
Log: Fix #78269 password_hash uses weak options for argon2
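
Changing the defaults does not touch hashes that are already stored, so the following is an added example (not part of the report or of php-src) of inspecting an Argon2 hash's encoded costs and upgrading it at login. It uses the argon2id figures quoted in the report as the target; the function names, the `threads` value and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not php-src code. Needs PHP >= 7.3 built with Argon2 support.

// Target costs: the argon2id figures quoted in the report. password_hash()
// takes memory_cost in KiB, so 64 << 10 means 64 MiB.
const TARGET_OPTIONS = [
    'memory_cost' => 64 << 10,
    'time_cost'   => 2,
    'threads'     => 1, // assumption: the report gives no thread count
];

// Read m/t/p back out of an encoded hash ($argon2id$v=19$m=...,t=...,p=...$salt$tag).
function argon2_params(string $hash): ?array
{
    $re = '/^\$(argon2id?)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$/';
    if (!preg_match($re, $hash, $m)) {
        return null; // not an Argon2 hash (e.g. bcrypt)
    }
    return ['algo' => $m[1], 'memory_kib' => (int) $m[2],
            'time_cost' => (int) $m[3], 'threads' => (int) $m[4]];
}

// Verify a login; if the stored hash was not made with the target options,
// return a replacement hash computed from the just-verified password.
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new = null;
    if (password_needs_rehash($stored, PASSWORD_ARGON2ID, TARGET_OPTIONS)) {
        $new = password_hash($password, PASSWORD_ARGON2ID, TARGET_OPTIONS);
    }
    return ['ok' => true, 'new_hash' => $new];
}

// Constructed sample: a hash made with the old costs from the report (1 MiB, t=2).
$password = 'correct horse battery staple';
$old = password_hash($password, PASSWORD_ARGON2ID,
    ['memory_cost' => 1 << 10, 'time_cost' => 2, 'threads' => 1]);

$result = verify_and_upgrade($password, $old);
print_r(argon2_params($old));
print_r(argon2_params($result['new_hash']));
```

When `new_hash` is not null, store it in place of the old hash; the upgrade can only happen at login because that is the only time the plaintext password is available.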
 
Last updated: Thu Nov 21 13:01:29 2024 UTC