Commit:    232da90388de2a3ba4ad430d281469498e88aca2
Author:    Anthony Ferrara <ircmax...@ircmaxell.com>         Tue, 26 Jun 2012 
21:15:56 -0400
Parents:   2d4b7cb653efc3f52ca907f48b1c828632df5e41
Branches:  master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=232da90388de2a3ba4ad430d281469498e88aca2

Log:
Implement php.ini setting password.bcrypt_cost

Changed paths:
  M  ext/standard/basic_functions.c
  M  ext/standard/password.c
  M  ext/standard/php_password.h
  M  main/main.c
  M  php.ini-development
  M  php.ini-production


Diff:
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 9e35a5e..5dc86ab 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -3846,6 +3846,7 @@ PHP_MINFO_FUNCTION(basic) /* {{{ */
        php_info_print_table_start();
        BASIC_MINFO_SUBMODULE(dl)
        BASIC_MINFO_SUBMODULE(mail)
+       BASIC_MINFO_SUBMODULE(password)
        php_info_print_table_end();
        BASIC_MINFO_SUBMODULE(assert)
 }
diff --git a/ext/standard/password.c b/ext/standard/password.c
index f049fbc..94aa4dc 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -43,6 +43,11 @@ PHP_MINIT_FUNCTION(password) /* {{{ */
 }
 /* }}} */
 
+PHP_MINFO_FUNCTION(password) /* {{{ */
+{
+       php_info_print_table_row(2, "Default Password BCrypt Cost", 
INI_STR("password.bcrypt_cost"));
+}
+/* }}} */
 
 static int php_password_salt_is_alphabet(const char *str, const int len)
 {
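Review bot: phpinfo() reports the setting through `INI_STR("password.bcrypt_cost")` while password_hash() consumes it through `INI_INT`, so the two views can disagree: a non-numeric or out-of-range value is shown verbatim here but, as far as I can tell from the later hunk, turns into a rejected cost when hashing. Reporting the parsed value instead, e.g. formatting `INI_INT("password.bcrypt_cost")` into a small buffer with `snprintf` before the `php_info_print_table_row` call, keeps the info page consistent with what hashing actually uses; the wrapped row line would then fit on one line as well. This is a minor consistency point; the function is otherwise complete within the hunk.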
@@ -169,7 +174,11 @@ PHP_FUNCTION(password_verify)
                zval_ptr_dtor(&ret);
                RETURN_FALSE;
        }
-
+       
+       /* We're using this method instead of == in order to provide
+        * resistence towards timing attacks. This is a constant time
+        * equality check that will always check every byte of both
+        * values. */
        for (i = 0; i < Z_STRLEN_P(ret); i++) {
                status |= (Z_STRVAL_P(ret)[i] ^ Z_STRVAL_P(hash)[i]);
        }
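Review bot: The loop indexes `Z_STRVAL_P(hash)[i]` for every `i` below `Z_STRLEN_P(ret)`, so it is memory-safe only if the check just above the hunk (its condition is outside the visible lines) already rejects a `hash` shorter than `ret`; if it does not, a short caller-supplied hash causes an out-of-bounds read before `status` is ever examined. Making the precondition explicit, `if (Z_STRLEN_P(ret) != Z_STRLEN_P(hash)) { zval_ptr_dtor(&ret); RETURN_FALSE; }`, costs nothing since bcrypt output length is not secret, and the new comment could state it: `/* ret and hash have equal length here, so indexing both by i is safe */`. Two smaller points in the same hunk: the comment has `resistence` for `resistance`, and the replaced blank line now carries trailing whitespace. password_verify's body continues on both sides of the hunk.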
@@ -231,16 +240,20 @@ PHP_FUNCTION(password_hash)
         }
 
         if (strcmp(algo, PHP_PASSWORD_BCRYPT) == 0) {
-               int cost = PHP_PASSWORD_BCRYPT_DEFAULT_COST;
+               int cost = 0;
+               cost = (int) INI_INT("password.bcrypt_cost");
+
                if (options && zend_symtable_find(options, "cost", 5, (void **) 
&option_buffer) == SUCCESS) {
                        convert_to_long_ex(option_buffer);
                        cost = Z_LVAL_PP(option_buffer);
                        zval_ptr_dtor(option_buffer);
-                       if (cost < 4 || cost > 31) {
-                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Invalid bcrypt cost parameter specified: %d", cost);
-                               RETURN_FALSE;
-                       }
                }
+
+               if (cost < 4 || cost > 31) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 
bcrypt cost parameter specified: %d", cost);
+                       RETURN_FALSE;
+               }
+               
                 required_salt_len = 22;
                hash_format = emalloc(8);
                sprintf(hash_format, "$2y$%02d$", cost);
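Review bot: The effective default cost drops from 12 (the `PHP_PASSWORD_BCRYPT_DEFAULT_COST` macro removed in php_password.h) to 11 (the ini default registered in main/main.c) without the log message saying so; if the lower default is intended it should be stated, otherwise the ini default should stay at 12. Moving the 4..31 check after the options lookup is right, since the ini-supplied value now needs validating too, but when the ini holds a non-numeric string `INI_INT` yields 0 (I believe it goes through a strtol-style conversion) and the resulting warning `Invalid bcrypt cost parameter specified: 0` gives no hint that the ini setting rather than the `cost` option is at fault, so naming the source in the message would help operators. The `int cost = 0;` followed by an unconditional assignment collapses to `int cost = (int) INI_INT("password.bcrypt_cost");`. password_hash's body continues on both sides of the hunk.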
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
index 830d31c..81fe41f 100644
--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -26,13 +26,11 @@ PHP_FUNCTION(password_verify);
 PHP_FUNCTION(password_make_salt);
 
 PHP_MINIT_FUNCTION(password);
+PHP_MINFO_FUNCTION(password);
 
 #define PHP_PASSWORD_DEFAULT   "2y"
 #define PHP_PASSWORD_BCRYPT    "2y"
 
-#define PHP_PASSWORD_BCRYPT_DEFAULT_COST 12;
-
-
 #endif
 
 
diff --git a/main/main.c b/main/main.c
index cc04b13..e52c32c 100644
--- a/main/main.c
+++ b/main/main.c
@@ -540,6 +540,8 @@ PHP_INI_BEGIN()
        STD_PHP_INI_ENTRY("error_append_string",        NULL,           
PHP_INI_ALL,            OnUpdateString,                 error_append_string,    
php_core_globals,       core_globals)
        STD_PHP_INI_ENTRY("error_prepend_string",       NULL,           
PHP_INI_ALL,            OnUpdateString,                 error_prepend_string,   
php_core_globals,       core_globals)
 
+       PHP_INI_ENTRY("password.bcrypt_cost",                           "11",   
        PHP_INI_ALL,            NULL)
+
        PHP_INI_ENTRY("SMTP",                                           
"localhost",PHP_INI_ALL,                NULL)
        PHP_INI_ENTRY("smtp_port",                                      "25",   
        PHP_INI_ALL,            NULL)
        STD_PHP_INI_BOOLEAN("mail.add_x_header",                        "0",    
        PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   
mail_x_header,                  php_core_globals,       core_globals)
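Review bot: `password.bcrypt_cost` is registered with a NULL on-modify handler and PHP_INI_ALL, so any string — negative, outside bcrypt's 4..31 range, or non-numeric — is accepted at startup and by ini_set(), and the misconfiguration only surfaces later as a warning plus a false return from every password_hash() call. A small on-modify callback that parses the value and returns FAILURE outside 4..31 reports the bad value once, at configuration time, which is where an operator looks for it; a constructed sketch is below (handler name is a placeholder). It is also worth deciding whether runtime ini_set() should be able to lower the cost at all, i.e. PHP_INI_SYSTEM|PHP_INI_PERDIR as used for mail.add_x_header just below, though the per-call `cost` option already allows that, so this is a judgement call. The PHP_INI_BEGIN table continues on both sides of the hunk.

```c
/* Reject bcrypt cost values outside 4..31 when the ini setting is applied. */
static ZEND_INI_MH(OnUpdateBcryptCost)   /* placeholder name */
{
	long cost = strtol(new_value, NULL, 10);
	if (cost < 4 || cost > 31) {
		return FAILURE;
	}
	return SUCCESS;
}
/* … unchanged: rest of PHP_INI_BEGIN table … */
	PHP_INI_ENTRY("password.bcrypt_cost", "11", PHP_INI_ALL, OnUpdateBcryptCost)
```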
diff --git a/php.ini-development b/php.ini-development
index a5a7a4a..5f1205e 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -1359,6 +1359,15 @@ bcmath.scale = 0
 ; http://php.net/browscap
 ;browscap = extra/browscap.ini
 
+[password]
+; The default cost of a bcrypt hash created using password_hash()
+; Note that this is only the default, and can be overriden by the
+; options argument to password_hash(). Additionally, it only affects
+; newly created hashes. A higher value will make the generated
+; hash more resistent to brute forcing, but will also use more CPU
+; Default: 11
+; password.bcrypt_cost = 11
+
 [Session]
 ; Handler used to store/retrieve data.
 ; http://php.net/session.save-handler
diff --git a/php.ini-production b/php.ini-production
index 5d8f26e..927f305 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -1359,6 +1359,15 @@ bcmath.scale = 0
 ; http://php.net/browscap
 ;browscap = extra/browscap.ini
 
+[password]
+; The default cost of a bcrypt hash created using password_hash()
+; Note that this is only the default, and can be overriden by the
+; options argument to password_hash(). Additionally, it only affects
+; newly created hashes. A higher value will make the generated
+; hash more resistent to brute forcing, but will also use more CPU
+; Default: 11
+; password.bcrypt_cost = 11
+
 [Session]
 ; Handler used to store/retrieve data.
 ; http://php.net/session.save-handler

