charlesportwoodii / php-argon2-ext Goto Github PK

33.0 5.0 4.0 38 KB

PHP7 extension for Argon2

License: Other

C 45.30% M4 5.56% PHP 47.53% JavaScript 1.62%

php php7-extension argon hash argon2-library

php-argon2-ext's Introduction

PHP Argon2 Extension

This PHP7 extension provides a simplified interface to the Argon2 algorithm, the winner of the Password Hashing Competition. Argon2 is considered the successor to bcrypt/scrypt/pbkdf methods of securely hasing passwords. This project is in no way associated with or endorsed by the PHC team.

Note this is extension is only compatible with PHP7+. Support for lower versions of PHP will not be considered.

Building

# Clone the extension and the Argon2 Submodule
git clone --recursive https://github.com/charlesportwoodii/php-argon2-ext
cd php-argon2-ext

# Build the Argon2 library
cd ext/argon2
CFLAGS="-fPIC" make -j1 OPTTARGET=i686
make test

# Remove the argon2 shared library to force Argon2 to be compiled statically into the extension
rm libargon2.so
cd ../..

# Build the extension
phpize
./configure --with-argon2
make

Installation

Once you have compiled the extension, you can install it via make install, adding the extension to your php.ini file or to a file in your loaded extensions directory,

$ make install
# Load the extension to your php.ini/php conf.d
# echo "extension=argon2.so" > /path/to/php.ini

Testing

Extension is tested through make test. You are strongly encouraged to run the tests to make sure everything was built correctly. A summary of the tests will be outlined

$ make test

If make test encounters an error, please provide a copy of the error report as a Github issue.

Usage

Constants

The following constants are exposed for determining which Argon2 algorithm you wish to use:

HASH_ARGON2ID
HASH_ARGON2I
HASH_ARGON2D

The constant HASH_ARGON2ID can also be aliased by HASH_ARGON2.

These constants are named to avoid conflicts with php/php-src#1997, which would implement Argon2 in PHP Core.

Hash Generation

argon2_hash(string $string [, const $algorithm = HASH_ARGON2ID] [, array $options ] [, bool $raw = false ]);

Hashes can be generated by running argon2_hash() with the string you want to see hashed. Without any additional arguements, the hash generated will have the following options. These defaults are based upon the Argon2 specification as good minimums. You are encouraged to run make bench against the ext/argon2 to determine what are good defaults for your system.

algorithm = HASH_ARGON2ID
options = [
    m_cost: 1<<16
    t_cost: 3
    threads: 1
]

This function follows the same design principles of password_hash(), in that a salt will be generated on your behalf. This method does not provide you with a way to provide your own salt. The salt generated uses the native PHP function php_password_make_salt, which is the same method used to generate salts for password_hash().

The $algorithm can be changed by passing in either HASH_ARGON2ID, HASH_ARGON2I or HASH_ARGON2D. If the algorithm is invalid, an InvalidArguementException will be raised.

This library allows you to specify an array of options to tune Argon2 to your system. The available options for the $options array, and their defaults are defined above. Argon2 has several tolerances in place for each of these values. If the value falls outside those tolerances, and InvalidArguementException will be raised.

In the event an error occurs with the argon2 library, or a salt cannot be securely generated, an E_WARNING will be raised, and this will return false.

If no errors occur, an argon2 encoded hash string will be returned.

This function operates against version 1.3 of the Argon2 library and above.

Example Hash

$argon2i$v=19$m=65536,t=3,p=1$aUEvQlU2NTRwcHhVS0hqMg$+5h0P5YlWCJDKyZknJ0sAyqQtZjhuP1Bkw/E2It4IcE

If $raw is set to true, then this function will return binary output instead. This is useful for Key Derivation Functions (KDF).

Validating Hashes

argon2_verify(string $string, string $hash);

Hashes can be verified by running argon2_verify() with the string string and string hash generated by argon2_hash. This function will return either true or false depending upon if the hash is valid or not. If the hash provided isn't a valid argon2 hash, false will be returned, an an E_WARNING will be raised.

Retrieving Hash Information

argon2_get_info(string $hash);

To retrieve information about an existing Argon2 hash, run argon2_get_info(). This function will return an array containing the algorithm name, and the options used for hash generation.

array(2) {
  ["algorithm"]=>
  string(7) "argon2i"
  ["options"]=>
  array(3) {
    ["m_cost"]=>
    int(65536)
    ["t_cost"]=>
    int(3)
    ["threads"]=>
    int(1)
  }
}

License

BSD-3-Clause. See LICENSE for more details.

PHP functions php_password_make_salt and salt_to_base64 are licensed under the PHP License. See http://www.php.net/license/3_01.txt.

This product includes PHP software, freely available from http://www.php.net/software/

php-argon2-ext's People

Contributors

Stargazers

Watchers

Forkers

dvaun estella presleyhank yaovicoder

php-argon2-ext's Issues

Feature request: function argon2_needs_rehash

Please add a function argon2_needs_rehash. Thanks

Feature Request: functions to use as KDF

One thing that would totally be awesome would be having a side-function that just takes the parameters including a salt and outputs a key which then can be used for example to encrypt stuff.

especially as the description notes it as a sucessor to PBKDF, which obviously is a KDF.

Re-implement salt generation

Salt should be compatible with php_password_make_salt without copy/paste from password.c + License exposure since php_password.h doesn't expose php_password_make_salt.

Question: Argon2 Hash Length missing, why?

I've already asked on Stackoverflow but figured this might be the right place to ask :)
https://stackoverflow.com/questions/65180567/argon2-php-vs-java-hash-len

Is there a specific reason why we don't have the option of setting a hash length in PHP?

My Environment

macOS
Debian etc
php 7 - 8

Expected Behavior

Being able to set the argon2 hash length.

Actual Behavior

PHP

$options = [
"memory_cost" => 1024,
"time_cost" => 2,
"threads" => 2
];
password_hash('password', PASSWORD_ARGON2I, $options);

There is no option for the hash length for example like in java or python etc:

Java:

argon2.hash_password(
"password",
memory_cost=512,
time_cost=2,
parallelism=2,
hash_len=24
)

Python:

 hash = argon2.hash_password_raw(
        time_cost=16, memory_cost=2**15, parallelism=2, hash_len=32,
        password=b'password', salt=b'some salt', type=argon2.low_level.Type.ID)
    print("Argon2 raw hash:", binascii.hexlify(hash))
    
    argon2Hasher = argon2.PasswordHasher(
        time_cost=16, memory_cost=2**15, parallelism=2, hash_len=32, salt_len=16)
    hash = argon2Hasher.hash("password")

php + python kinda solves it.

Reproduction Steps

Execute the code from above

Further Information:

PHP Password implementation
https://github.com/php/php-src/blob/5b01c4863fe9e4bc2702b2bbf66d292d23001a18/ext/standard/password.c

https://github.com/p-h-c/phc-winner-argon2
The argon2 hash has the option for a hash length, which defaults to 32.

Usage:  ./argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            The salt to use, at least 8 characters
        -i              Use Argon2i (this is the default)
        -d              Use Argon2d instead of Argon2i
        -id             Use Argon2id instead of Argon2i
        -t N            Sets the number of iterations to N (default = 3)
        -m N            Sets the memory usage of 2^N KiB (default 12)
        -p N            Sets parallelism to N threads (default 1)
        -l N            Sets hash output length to N bytes (default 32)
        -e              Output only encoded hash
        -r              Output only the raw bytes of the hash
        -v (10|13)      Argon2 version (defaults to the most recent version, currently 13)
        -h              Print argon2 usage
        
        So any clue why there is no option for the php implementation?

Feature request: Add secret/key

https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-3.1

Argon 2 Provides the user with the ability to add a "secret value" or "key" to the hash, in addition to the already existing salt.

This can perfectly serve as a pepper for further securing the password against leaks (attacker gains access to database, SQL injection, whatever)

How to use make bench

I read the documentation and it said to run a make bench test. I did that and it spit out a binary file. How am I supposed to determine the appropriate settings from that file?

/argon2.c:10:37: fatal error: ext/standard/php_random.h: No such file or directory

My Environment

BananaPi /w Bananian 16.04 r01 (kernel: 3.4.111-bananian)
PHP 5.6.30-0+deb8u1 (cli)

Expected Behavior

finishing "make" command after "./configure --with-argon2" without errors

Actual Behavior

getting error message:
/bin/bash ~~/php-argon2-ext/libtool --mode=compile cc -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -I. -I~~/php-argon2-ext -DPHP_ATOM_INC -I~/php-argon2-ext/include -I~/php-argon2-ext/main -I~/php-argon2-ext -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I~/php-argon2-ext/ext/argon2/include -I~/php-argon2-ext/ext/argon2 -DHAVE_CONFIG_H -g -O2 -c /php-argon2-ext/argon2.c -o argon2.lo
libtool: compile: cc -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -I. -I/php-argon2-ext -DPHP_ATOM_INC -l~/php-argon2-ext/include -I~/php-argon2-ext/main -I~/php-argon2-ext -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I~/php-argon2-ext/ext/argon2/include -I~/php-argon2-ext/ext/argon2 -DHAVE_CONFIG_H -g -O2 -c~/php-argon2-ext/argon2.c -fPIC -DPIC -o .libs/argon2.o
~/php-argon2-ext/argon2.c:10:37: fatal error: ext/standard/php_random.h: No such file or directory
#include "ext/standard/php_random.h"
^
compilation terminated.
Makefile:181: recipe for target 'argon2.lo' failed
make: *** [argon2.lo] Error 1

Reproduction Steps

following your build instructions step-by-step

Output of "make test" in ext/argon2

Building without optimizations
cc -std=c89 -pthread -O3 -Wall -g -Iinclude -Isrc -Wextra -Wno-type-limits src/argon2.c src/core.c src/blake2/blake2b.c src/thread.c src/encoding.c src/ref.c src/test.c -o testcase
Default build
argon2i v=16: OK
argon2d v=16: OK
argon2id v=16: OK
argon2i v=19: OK
argon2d v=19: OK
argon2id v=19: OK
Force OPTTEST=1
argon2i v=16: OK
argon2d v=16: OK
argon2id v=16: OK
argon2i v=19: OK
argon2d v=19: OK
argon2id v=19: OK
./testcase
Test Argon2i version number: 10
Hash test: $v=16 t=2, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=18, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=8, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=8, p=2, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=1, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=4, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=16 t=2, m=16, p=1, pass=differentpassword, salt=somesalt: PASS
Hash test: $v=16 t=2, m=16, p=1, pass=password, salt=diffsalt: PASS
Recognise an invalid encoding: PASS
Recognise an invalid encoding: PASS
Recognise an invalid salt in encoding: PASS
Verify with mismatched password: PASS
Decode an error message: PASS

Test Argon2i version number: 13
Hash test: $v=19 t=2, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=18, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=8, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=8, p=2, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=1, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=4, m=16, p=1, pass=password, salt=somesalt: PASS
Hash test: $v=19 t=2, m=16, p=1, pass=differentpassword, salt=somesalt: PASS
Hash test: $v=19 t=2, m=16, p=1, pass=password, salt=diffsalt: PASS
Recognise an invalid encoding: PASS
Recognise an invalid encoding: PASS
Recognise an invalid salt in encoding: PASS
Verify with mismatched password: PASS
Decode an error message: PASS

Common error state tests
Fail on invalid memory: PASS
Fail on invalid null pointer: PASS
Fail on salt too short: PASS
make test 247.39s user 14.19s system 99% cpu 4:23.55 total

charlesportwoodii / php-argon2-ext Goto Github PK

php-argon2-ext's Introduction

PHP Argon2 Extension

Building

Installation

Testing

Usage

Constants

Hash Generation

Example Hash

Validating Hashes

Retrieving Hash Information

License

php-argon2-ext's People

Contributors

Stargazers

Watchers

Forkers

php-argon2-ext's Issues

My Environment

Expected Behavior

Actual Behavior

PHP

Java:

Python:

Reproduction Steps

Further Information:

My Environment

Expected Behavior

Actual Behavior

Reproduction Steps

Output of "make test" in ext/argon2

Recommend Projects

Recommend Topics

Recommend Org