Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2 #13635

Merged
merged 9 commits into from
Sep 2, 2024
19 changes: 18 additions & 1 deletion ext/openssl/config0.m4
Expand Up @@ -17,8 +17,15 @@ PHP_ARG_WITH([openssl-legacy-provider],
[no],
[no])

PHP_ARG_WITH([openssl-argon2],
[whether to enable argon2 password hashing (requires OpenSSL >= 3.2)],
[AS_HELP_STRING([--with-openssl-argon2],
[OPENSSL: Enable argon2 password hashing])],
[no],
[no])

if test "$PHP_OPENSSL" != "no"; then
PHP_NEW_EXTENSION([openssl], [openssl.c xp_ssl.c], [$ext_shared])
PHP_NEW_EXTENSION([openssl], [openssl.c openssl_pwhash.c xp_ssl.c], [$ext_shared])
PHP_SUBST([OPENSSL_SHARED_LIBADD])
PHP_SETUP_OPENSSL([OPENSSL_SHARED_LIBADD],
[AC_DEFINE([HAVE_OPENSSL_EXT], [1],
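
Review bot: openssl_pwhash.c is added to the PHP_NEW_EXTENSION source list unconditionally, while --with-openssl-argon2 defaults to no, so the file is compiled in every OpenSSL build, including those where HAVE_OPENSSL_ARGON2 is never defined. Either confirm that the whole body of openssl_pwhash.c sits inside #if defined(HAVE_OPENSSL_ARGON2), or append the file to the source list only in the argon2 branch. The AS_HELP_STRING text should also repeat the "requires OpenSSL >= 3.2" constraint, because only the check message mentions it and that is not the text ./configure --help prints.
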
Expand All @@ -38,4 +45,14 @@ if test "$PHP_OPENSSL" != "no"; then
[AC_DEFINE([LOAD_OPENSSL_LEGACY_PROVIDER], [1],
[Define to 1 to load the OpenSSL legacy algorithm provider in addition to
the default provider.])])

if test "$PHP_OPENSSL_ARGON2" != "no"; then
if test "$PHP_THREAD_SAFETY" != "no"; then
AC_MSG_ERROR([Not supported in ZTS mode for now])
fi
PHP_CHECK_LIBRARY([crypto], [OSSL_set_max_threads],
[AC_DEFINE([HAVE_OPENSSL_ARGON2], [1], [ Define to 1 to enable argon2 password hashing ])],
[AC_MSG_ERROR([argon2 hashing requires OpenSSL 3.2])],
[$OPENSSL_LIBS])
fi
fi
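
Review bot: the PHP_CHECK_LIBRARY probe tests for OSSL_set_max_threads, which shows that libcrypto exports that function, not that the Argon2 KDF itself is available, so HAVE_OPENSSL_ARGON2 ends up defined on the strength of a proxy symbol. Add a comment saying why this symbol was chosen as the 3.2 marker, and make sure the hashing code handles the case where the KDF cannot be obtained at run time instead of assuming the configure check guarantees it. The ZTS error "Not supported in ZTS mode for now" should name the option it refers to (--with-openssl-argon2), and the failure message should say "OpenSSL >= 3.2" to match the option description.
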
17 changes: 17 additions & 0 deletions ext/openssl/openssl.c
Expand Up @@ -270,9 +270,20 @@ static void php_openssl_pkey_free_obj(zend_object *object)
zend_object_std_dtor(&key_object->std);
}

#if defined(HAVE_OPENSSL_ARGON2)
static const zend_module_dep openssl_deps[] = {
ZEND_MOD_REQUIRED("standard")
ZEND_MOD_END
};
#endif
/* {{{ openssl_module_entry */
zend_module_entry openssl_module_entry = {
#if defined(HAVE_OPENSSL_ARGON2)
STANDARD_MODULE_HEADER_EX, NULL,
openssl_deps,
#else
STANDARD_MODULE_HEADER,
#endif
"openssl",
ext_functions,
PHP_MINIT(openssl),
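
Review bot: openssl_deps and the STANDARD_MODULE_HEADER_EX branch carry no comment explaining why the dependency on "standard" is needed, or why it is declared only under HAVE_OPENSSL_ARGON2. A one-line comment above openssl_deps stating what the argon2 code needs from ext/standard at startup would make the load-order requirement clear to the next reader. Consider declaring the dependency unconditionally so the module entry has a single header form instead of an #if/#else pair; a blank line between #endif and the /* {{{ openssl_module_entry */ marker would also help.
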
Expand Down Expand Up @@ -1330,6 +1341,12 @@ PHP_MINIT_FUNCTION(openssl)

REGISTER_INI_ENTRIES();

#if defined(HAVE_OPENSSL_ARGON2)
if (FAILURE == PHP_MINIT(openssl_pwhash)(INIT_FUNC_ARGS_PASSTHRU)) {
return FAILURE;
}
#endif

return SUCCESS;
}
/* }}} */
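
Review bot: the PHP_MINIT(openssl_pwhash) call returns a bare FAILURE at the very end of PHP_MINIT_FUNCTION(openssl), after REGISTER_INI_ENTRIES() and the rest of the startup work have already run, and nothing at this call site reports why startup was aborted. Make sure the callee emits a diagnostic naming the cause before returning FAILURE, and document in a comment which conditions can make it fail. This hunk shows no declaration for the callee, so check that a prototype is visible to openssl.c through a shared header.
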
5 changes: 5 additions & 0 deletions ext/openssl/openssl.stub.php
Expand Up @@ -678,3 +678,8 @@ function openssl_spki_export_challenge(string $spki): string|false {}
* @refcount 1
*/
function openssl_get_cert_locations(): array {}

#if defined(HAVE_OPENSSL_ARGON2)
function openssl_password_hash(string $algo, #[\SensitiveParameter] string $password, array $options = []): string {}
function openssl_password_verify(string $algo, #[\SensitiveParameter] string $password, string $hash): bool {}
#endif
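
Review bot: openssl_password_hash() and openssl_password_verify() are added without a docblock, and the hash function's return type is string where neighbouring functions such as openssl_spki_export_challenge() use string|false, so the stub does not say how failure is reported. Document the accepted $algo values, the recognised $options keys and their limits, and whether an unsupported algorithm or an invalid option throws. For openssl_password_verify(), state what is returned when $hash is malformed or was produced by a different algorithm than $algo, since callers will treat a false return as "wrong password".
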
38 changes: 37 additions & 1 deletion ext/openssl/openssl_arginfo.h

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.