From d973bc7a7500f0261aabd541021464c972e3a2da Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Mon, 20 Jan 2020 18:11:00 +0100 Subject: [PATCH 1/4] expose Argon2 options (as we did for bcrypt) Signed-off-by: Arthur Schiwon --- config/config.sample.php | 25 +++++++++++++++++++++++++ lib/private/Security/Hasher.php | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/config/config.sample.php b/config/config.sample.php index e6ef5d9079..45d78ca912 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -1421,6 +1421,31 @@ $CONFIG = array( */ 'tempdirectory' => '/tmp/nextcloudtemp', +/** + * Hashing + * + * Nextcloud uses the Argon2 algorithm (with PHP >= 7.2) to create hashes by its + * own and exposes its configuration options as following. More information can + * be found at: https://www.php.net/manual/en/function.password-hash.php + */ + +/** + * The allowed maximum memory to be used by the algorithm for computing a hash. + */ +'hashingMemoryCost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, + +/** + * The allowed maximum time that can be used by the algorithm for computing a + * hash. + */ +'hashingTimeCost' => PASSWORD_ARGON2_DEFAULT_TIME_COST, + +/** + * The allowed number of CPU threads that can be used by the algorithm for + * computing a hash. + */ +'hashingThreads' => PASSWORD_ARGON2_DEFAULT_THREADS, + /** * The hashing cost used by hashes generated by Nextcloud * Using a higher value requires more time and CPU power to calculate the hashes diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index e20de729f4..b1a3216ec7 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -61,6 +61,12 @@ class Hasher implements IHasher { public function __construct(IConfig $config) { $this->config = $config; + $this->options = [ + 'memory_cost' => (int)$this->config->getSystemValue('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), + 'time_cost' => (int)$this->config->getSystemValue('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), + 'threads' => (int)$this->config->getSystemValue('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), + ]; + $hashingCost = $this->config->getSystemValue('hashingCost', null); if(!\is_null($hashingCost)) { $this->options['cost'] = $hashingCost; From 7d1d76b2c93cd5d28f9ab27c822648247713145e Mon Sep 17 00:00:00 2001 From: blizzz Date: Tue, 21 Jan 2020 09:03:58 +0100 Subject: [PATCH 2/4] use getSystemValueInt Co-Authored-By: kesselb Signed-off-by: Arthur Schiwon --- lib/private/Security/Hasher.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index b1a3216ec7..696fd67136 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -62,9 +62,9 @@ class Hasher implements IHasher { $this->config = $config; $this->options = [ - 'memory_cost' => (int)$this->config->getSystemValue('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), - 'time_cost' => (int)$this->config->getSystemValue('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), - 'threads' => (int)$this->config->getSystemValue('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), + 'memory_cost' => $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), + 'time_cost' => $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), + 'threads' => $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), ]; $hashingCost = $this->config->getSystemValue('hashingCost', null); From fb7c218ea64d092151271916f9d7906cc3026bc0 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 21 Jan 2020 11:58:13 +0100 Subject: [PATCH 3/4] ignore values that undershoot the minimum, go with default Signed-off-by: Arthur Schiwon --- lib/private/Security/Hasher.php | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index 696fd67136..a65ecabb62 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -61,11 +61,19 @@ class Hasher implements IHasher { public function __construct(IConfig $config) { $this->config = $config; - $this->options = [ - 'memory_cost' => $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST), - 'time_cost' => $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST), - 'threads' => $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS), - ]; + if (\defined('PASSWORD_ARGON2I')) { + // password_hash fails, when the minimum values are undershot. + // In this case, ignore and revert to default + if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) { + $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST); + } + if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { + $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST); + } + if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) { + $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS); + } + } $hashingCost = $this->config->getSystemValue('hashingCost', null); if(!\is_null($hashingCost)) { From 518789aa7377acba21c3e8da974e120f24cfc895 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 22 Jan 2020 17:45:27 +0100 Subject: [PATCH 4/4] extended documentation Signed-off-by: Arthur Schiwon --- config/config.sample.php | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index 45d78ca912..c840bdd116 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -1424,27 +1424,34 @@ $CONFIG = array( /** * Hashing * - * Nextcloud uses the Argon2 algorithm (with PHP >= 7.2) to create hashes by its - * own and exposes its configuration options as following. More information can - * be found at: https://www.php.net/manual/en/function.password-hash.php + * Nextcloud uses the Argon2 algorithm (available with PHP >= 7.2 if compiled + * with it) to create hashes by its own and exposes its configuration options as + * following. The default depends on the PHP build. More information can be + * found at: https://www.php.net/manual/en/function.password-hash.php */ /** - * The allowed maximum memory to be used by the algorithm for computing a hash. + * The allowed maximum memory in KiB to be used by the algorithm for computing a + * hash. The smallest possible value is 8. Values that undershoot the minimum + * will be ignored in favor of the default. */ -'hashingMemoryCost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, +'hashingMemoryCost' => 65536, /** - * The allowed maximum time that can be used by the algorithm for computing a - * hash. + * The allowed maximum time in seconds that can be used by the algorithm for + * computing a hash. The value must be an integer, and the minimum value is 1. + * Values that undershoot the minimum will be ignored in favor of the default. */ -'hashingTimeCost' => PASSWORD_ARGON2_DEFAULT_TIME_COST, +'hashingTimeCost' => 4, /** * The allowed number of CPU threads that can be used by the algorithm for - * computing a hash. + * computing a hash. The value must be an integer, and the minimum value is 1. + * Rationally it does not help to provide a number higher than the available + * threads on the machine. Values that undershoot the minimum will be ignored + * in favor of the default. */ -'hashingThreads' => PASSWORD_ARGON2_DEFAULT_THREADS, +'hashingThreads' => 1, /** * The hashing cost used by hashes generated by Nextcloud