[BUGFIX] Do not overwrite default thread count for Argon PasswordHashing
There are systems and library combinations that do not allow the usage
of more than one thread to generate passwords. To ensure maximum
compatibility, the number of threads is reset to its default state.

If raising the number makes sense for performance reasons on systems
that support it, the setting can still be overwritten by setting
`$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']['threads']`.

Resolves: #90612
Releases: master, 9.5
Change-Id: I19e883359737e6882aed40968959eadd8f74f8d1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63852
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
susannemoog authored and bmack committed Mar 22, 2020
1 parent d7e775a commit 7f9198f
Showing 2 changed files with 5 additions and 3 deletions.
Expand Up @@ -37,14 +37,16 @@ class Argon2iPasswordHash implements PasswordHashInterface
* We raise that significantly by default. At the time of this writing, with the options
* below, password_verify() needs about 130ms on an I7 6820 on 2 CPU's.
*
* We are not raising the amount of threads used, as that might lead to problems on various
* systems - see #90612
*
* Note the default values are set again in 'setOptions' below if needed.
*
* @var array
*/
protected $options = [
'memory_cost' => 65536,
'time_cost' => 16,
'threads' => 2
'time_cost' => 16
];

/**
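Review bot: The timing note in the unchanged part of this docblock, "password_verify() needs about 130ms on an I7 6820 on 2 CPU's", appears to describe the old 'threads' => 2 setting that this hunk removes from $options, so it should be re-measured with the library's default thread count or reworded. The docblock also says the defaults "are set again in 'setOptions' below if needed"; that method is not part of this patch, so please confirm it does not put a 'threads' value back. The new comment could also mention, as the commit message does, that the value can still be raised through the 'threads' option on systems that support it.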
Expand Up @@ -196,7 +196,7 @@ public function authUserReturns200IfPasswordMatch(): void
);
$dbUser = [
// an argon2i hash of 'myPassword'
'password' => '$argon2i$v=19$m=65536,t=16,p=2$LnUzc3ZISWJwQWlSbmpkYw$qD1sRsJFzkUmjcEaKzDeg6LtflwdTpo49VbH3tMeMXU',
'password' => '$argon2i$v=19$m=65536,t=16,p=1$eGpyelFZbkpRdXN3QVhsUA$rd4abz2fcuksGu3b3fipglQZtHbIy+M3XoIS+sNVSl4',
'lockToDomain' => ''
];
$this->assertSame(200, $subject->authUser($dbUser));
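Review bot: Replacing the p=2 fixture with a p=1 hash in authUserReturns200IfPasswordMatch leaves this test without any hash created under the previous default, although hashes stored before this change carry p=2. Consider keeping the old hash as a second case, skipped where the Argon2 library rejects more than one thread, so that verification of existing hashes stays covered. The comment "an argon2i hash of 'myPassword'" could also name the parameters (m=65536, t=16, p=1) so the fixture can be regenerated later.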