[BUGFIX] Do not overwrite default thread count for Argon PasswordHashing

There are systems and library combinations that do not allow the usage of more than one thread to generate passwords. To ensure maximum compatibility, the number of threads is reset to its default state. If raising the number makes sense for performance reasons on systems that support it, the setting can still be overwritten by setting `$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']['threads']`. Resolves: #90612 Releases: master, 9.5 Change-Id: I19e883359737e6882aed40968959eadd8f74f8d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63605 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Alexander...

[BUGFIX] Do not overwrite default thread count for Argon PasswordHashing
There are systems and library combinations that do not allow the usage of more than one thread to generate passwords. To ensure maximum compatibility, the number of threads is reset to its default state. If raising the number makes sense for performance reasons on systems that support it, the setting can still be overwritten by setting `$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']['threads']`. Resolves: #90612 Releases: master, 9.5 Change-Id: I19e883359737e6882aed40968959eadd8f74f8d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63605 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Alexander...
fe2e5cff · Susanne Moog · Benni Mack · d0baea11 · fe2e5cff · fe2e5cff
Commit fe2e5cff authored 5 years ago by Susanne Moog Committed by Benni Mack 5 years ago
--- a/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php
+++ b/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php
@@ -25,12 +25,14 @@ abstract class AbstractArgon2PasswordHash implements PasswordHashInterface, Argo
     * We raise that significantly by default. At the time of this writing, with the options
     * below, password_verify() needs about 130ms on an I7 6820 on 2 CPU's (argon2i).
     *
+     * We are not raising the amount of threads used, as that might lead to problems on various
+     * systems - see #90612
+     *
     * @var array
     */
    protected $options = [
        'memory_cost' => 65536,
        'time_cost' => 16,
-        'threads' => 2
    ];

    /**

--- a/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
+++ b/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
@@ -193,7 +193,7 @@ class AuthenticationServiceTest extends UnitTestCase
        );
        $dbUser = [
            // an argon2i hash of 'myPassword'
-            'password' => '$argon2i$v=19$m=65536,t=16,p=2$LnUzc3ZISWJwQWlSbmpkYw$qD1sRsJFzkUmjcEaKzDeg6LtflwdTpo49VbH3tMeMXU',
+            'password' => '$argon2i$v=19$m=65536,t=16,p=1$eGpyelFZbkpRdXN3QVhsUA$rd4abz2fcuksGu3b3fipglQZtHbIy+M3XoIS+sNVSl4',
            'lockToDomain' => ''
        ];
        self::assertSame(200, $subject->authUser($dbUser));