charlesportwoodii / php-argon2-ext Goto Github PK

I read the documentation and it said to run a make bench test. I did that and it spit out a binary file. How am I supposed to determine the appropriate settings from that file?

https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-3.1

Argon 2 Provides the user with the ability to add a "secret value" or "key" to the hash, in addition to the already existing salt.

This can perfectly serve as a pepper for further securing the password against leaks (attacker gains access to database, SQL injection, whatever)

Salt should be compatible with php_password_make_salt without copy/paste from password.c + License exposure since php_password.h doesn't expose php_password_make_salt.

One thing that would totally be awesome would be having a side-function that just takes the parameters including a salt and outputs a key which then can be used for example to encrypt stuff.

especially as the description notes it as a sucessor to PBKDF, which obviously is a KDF.

My Environment

BananaPi /w Bananian 16.04 r01 (kernel: 3.4.111-bananian)
PHP 5.6.30-0+deb8u1 (cli)

Expected Behavior

finishing "make" command after "./configure --with-argon2" without errors

Actual Behavior

getting error message:
/bin/bash /php-argon2-ext/libtool --mode=compile cc -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -I. -I/php-argon2-ext -DPHP_ATOM_INC -I~/php-argon2-ext/include -I~/php-argon2-ext/main -I~/php-argon2-ext -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I~/php-argon2-ext/ext/argon2/include -I~/php-argon2-ext/ext/argon2 -DHAVE_CONFIG_H -g -O2 -c /php-argon2-ext/argon2.c -o argon2.lo
libtool: compile: cc -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -I. -I/php-argon2-ext -DPHP_ATOM_INC -l~/php-argon2-ext/include -I~/php-argon2-ext/main -I~/php-argon2-ext -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I~/php-argon2-ext/ext/argon2/include -I~/php-argon2-ext/ext/argon2 -DHAVE_CONFIG_H -g -O2 -c~/php-argon2-ext/argon2.c -fPIC -DPIC -o .libs/argon2.o
~/php-argon2-ext/argon2.c:10:37: fatal error: ext/standard/php_random.h: No such file or directory
#include "ext/standard/php_random.h"
^
compilation terminated.
Makefile:181: recipe for target 'argon2.lo' failed
make: *** [argon2.lo] Error 1

Reproduction Steps

following your build instructions step-by-step

Output of "make test" in ext/argon2

Building without optimizations
cc -std=c89 -pthread -O3 -Wall -g -Iinclude -Isrc -Wextra -Wno-type-limits src/argon2.c src/core.c src/blake2/blake2b.c src/thread.c src/encoding.c src/ref.c src/test.c -o testcase
Default build
argon2i v=16: OK
argon2d v=16: OK
argon2id v=16: OK
argon2i v=19: OK
argon2d v=19: OK
argon2id v=19: OK
Force OPTTEST=1
argon2i v=16: OK
argon2d v=16: OK
argon2id v=16: OK
argon2i v=19: OK
argon2d v=19: OK
argon2id v=19: OK
./testcase
Test Argon2i version number: 10
Hash test: $v=16 t=2, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=18, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=8, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=8, p=2, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=1, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=4, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=16, p=1, pass=differentpassword, salt=somesalt: PASS
Hash test: $v=16 t=2, m=16, p=1, pass=password, salt=diffsalt: PASS
Recognise an invalid encoding: PASS
Recognise an invalid encoding: PASS
Recognise an invalid salt in encoding: PASS
Verify with mismatched password: PASS
Decode an error message: PASS

Test Argon2i version number: 13
Hash test: $v=19 t=2, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=18, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=8, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=8, p=2, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=1, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=4, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=16, p=1, pass=differentpassword, salt=somesalt: PASS
Hash test: $v=19 t=2, m=16, p=1, pass=password, salt=diffsalt: PASS
Recognise an invalid encoding: PASS
Recognise an invalid encoding: PASS
Recognise an invalid salt in encoding: PASS
Verify with mismatched password: PASS
Decode an error message: PASS

Common error state tests
Fail on invalid memory: PASS
Fail on invalid null pointer: PASS
Fail on salt too short: PASS
make test 247.39s user 14.19s system 99% cpu 4:23.55 total

I've already asked on Stackoverflow but figured this might be the right place to ask :)
https://stackoverflow.com/questions/65180567/argon2-php-vs-java-hash-len

Is there a specific reason why we don't have the option of setting a hash length in PHP?

My Environment

macOS
Debian etc
php 7 - 8

Expected Behavior

Being able to set the argon2 hash length.

Actual Behavior

PHP

$options = [
"memory_cost" => 1024,
"time_cost" => 2,
"threads" => 2
];
password_hash('password', PASSWORD_ARGON2I, $options);

There is no option for the hash length for example like in java or python etc:

Java:

argon2.hash_password(
"password",
memory_cost=512,
time_cost=2,
parallelism=2,
hash_len=24
)

Python:

 hash = argon2.hash_password_raw(
        time_cost=16, memory_cost=2**15, parallelism=2, hash_len=32,
        password=b'password', salt=b'some salt', type=argon2.low_level.Type.ID)
    print("Argon2 raw hash:", binascii.hexlify(hash))
    
    argon2Hasher = argon2.PasswordHasher(
        time_cost=16, memory_cost=2**15, parallelism=2, hash_len=32, salt_len=16)
    hash = argon2Hasher.hash("password")

php + python kinda solves it.

Reproduction Steps

Execute the code from above

Further Information:

PHP Password implementation
https://github.com/php/php-src/blob/5b01c4863fe9e4bc2702b2bbf66d292d23001a18/ext/standard/password.c

https://github.com/p-h-c/phc-winner-argon2
The argon2 hash has the option for a hash length, which defaults to 32.

Usage:  ./argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            The salt to use, at least 8 characters
        -i              Use Argon2i (this is the default)
        -d              Use Argon2d instead of Argon2i
        -id             Use Argon2id instead of Argon2i
        -t N            Sets the number of iterations to N (default = 3)
        -m N            Sets the memory usage of 2^N KiB (default 12)
        -p N            Sets parallelism to N threads (default 1)
        -l N            Sets hash output length to N bytes (default 32)
        -e              Output only encoded hash
        -r              Output only the raw bytes of the hash
        -v (10|13)      Argon2 version (defaults to the most recent version, currently 13)
        -h              Print argon2 usage
        
        So any clue why there is no option for the php implementation?

Please add a function argon2_needs_rehash. Thanks