From fe2e5cff44aa11cfb22f16748381c3263722411f Mon Sep 17 00:00:00 2001
From: Susanne Moog <look@susi.dev>
Date: Sat, 7 Mar 2020 16:28:34 +0100
Subject: [PATCH] [BUGFIX] Do not overwrite default thread count for Argon
 PasswordHashing

There are systems and library combinations that do not allow the usage
of more than one thread to generate passwords. To ensure maximum
compatibility, the number of threads is reset to its default state.

If raising the number makes sense for performance reasons on systems
that support it, the value can still be overridden by setting
`$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']['threads']`.

Resolves: #90612
Releases: master, 9.5
Change-Id: I19e883359737e6882aed40968959eadd8f74f8d1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63605
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
---
 .../Crypto/PasswordHashing/AbstractArgon2PasswordHash.php     | 4 +++-
 .../Tests/Unit/Authentication/AuthenticationServiceTest.php   | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php b/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php
index 9475c159c366..36d3cd739a1c 100644
--- a/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php
+++ b/typo3/sysext/core/Classes/Crypto/PasswordHashing/AbstractArgon2PasswordHash.php
@@ -25,12 +25,14 @@ abstract class AbstractArgon2PasswordHash implements PasswordHashInterface, Argo
      * We raise that significantly by default. At the time of this writing, with the options
      * below, password_verify() needs about 130ms on an I7 6820 on 2 CPU's (argon2i).
      *
+     * We are not raising the amount of threads used, as that might lead to problems on various
+     * systems - see #90612
+     *
      * @var array
      */
     protected $options = [
         'memory_cost' => 65536,
         'time_cost' => 16,
-        'threads' => 2
     ];
 
     /**
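Review bot: The docblock above `$options` still quotes the "about 130ms ... on 2 CPU's" measurement, which was taken with `'threads' => 2` and probably no longer matches the new default. The added comment also does not say which value now applies or how to change it. I would spell that out, for example `* 'threads' is deliberately left at PHP's default (PASSWORD_ARGON2_DEFAULT_THREADS); raise it via $GLOBALS['TYPO3_CONF_VARS']['BE']['passwordHashing']['options']['threads'] - see #90612`, and re-measure or drop the timing figure. The hunk also does not show what happens to hashes already stored with `p=2`. If the needs-rehash check elsewhere in this class compares stored parameters against `$options`, those accounts would be rehashed at next login, which is worth confirming. The class body continues outside the hunk.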
diff --git a/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php b/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
index 7a27c3df798d..1be28fe6e165 100644
--- a/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
+++ b/typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
@@ -193,7 +193,7 @@ class AuthenticationServiceTest extends UnitTestCase
         );
         $dbUser = [
             // an argon2i hash of 'myPassword'
-            'password' => '$argon2i$v=19$m=65536,t=16,p=2$LnUzc3ZISWJwQWlSbmpkYw$qD1sRsJFzkUmjcEaKzDeg6LtflwdTpo49VbH3tMeMXU',
+            'password' => '$argon2i$v=19$m=65536,t=16,p=1$eGpyelFZbkpRdXN3QVhsUA$rd4abz2fcuksGu3b3fipglQZtHbIy+M3XoIS+sNVSl4',
             'lockToDomain' => ''
         ];
         self::assertSame(200, $subject->authUser($dbUser));
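Review bot: Swapping the fixture for a `p=1` hash leaves no test for a hash created under the old default (`p=2`), which is what existing installations will have in their user tables. A second case that passes a `p=2` argon2i hash through `authUser()` would pin down the intended behaviour for such legacy records. If verification cannot succeed on single-thread-only builds, the case should assert a clean authentication failure rather than an error. The fixture comment could also state the parameters it depends on, e.g. `// an argon2i hash of 'myPassword' (m=65536, t=16, p=1 - the default options)`. The test method starts and ends outside the hunk.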
-- 
GitLab