Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/unit/includes/password/Pbkdf2PasswordTestCase.php
Kevin Israel 47241a3520 Use OpenSSL if available for PBKDF2 password hashing 
This at least doubles the speed, which would allow the number of
iterations to be doubled and computation of the password hash to
complete in the same amount of time as before, or maybe even a
slight bit less.

The doubling in speed is due to an optimization[1] that so far has not
been accepted into PHP's hash extension.[2] In addition, OpenSSL has
optimized assembly-language hash function implementations for several
common CPU architectures. These provide a further, yet more slight,
performance improvement.

While OpenSSL's PKCS5_PBKDF2_HMAC() is not the fastest implementation
around, using it does not add a new library dependency. And although
better password hashing functions exist, PBKDF2 is still the default
in MediaWiki. For these reasons, I think this change makes sense.

[1]: https://github.com/openssl/openssl/commit/c10e3f0cffb3820d
[2]: https://github.com/php/php-src/issues/9604

Change-Id: I7b06590d4c42581f8749336f9c17777f973a506c
2022-10-04 19:46:14 -04:00

74 lines
2 KiB
PHP
Raw Blame History

<?php
abstract class Pbkdf2PasswordTestCase extends PasswordTestCase {
abstract protected static function getPbkdf2PasswordClass();
protected function getTypeConfigs() {
return [ 'pbkdf2' => [
'class' => static::getPbkdf2PasswordClass(),
'algo' => 'sha256',
'cost' => '10000',
'length' => '128',
] ];
}
public static function providePasswordTests() {
return [
[ true, ":pbkdf2:sha512:1:20:c2FsdA==:hn9wzxreAs/zdSWZo6U9xK80x6Y=", 'password' ],
[ true, ":pbkdf2:sha512:2:20:c2FsdA==:4dnBaqaBcIpF9cfE4hXOtm4BGi4=", 'password' ],
[ true, ":pbkdf2:sha512:4096:20:c2FsdA==:0Zexsz2wFD4BixLz0dFHnmzevcw=", 'password' ],
[ true, ":pbkdf2:sha512:4096:16:c2EAbHQ=:nZ6cTNIf5L4k1bgkTHWWZQ==", "pass\x00word" ],
];
}
public function testCryptThrowsOnInvalidAlgo() {
$factory = new PasswordFactory();
$class = static::getPbkdf2PasswordClass();
$password = new $class(
$factory,
[
'type' => 'pbkdf2',
'algo' => 'fail',
'cost' => '10000',
'length' => '128',
]
);
$this->expectException( PasswordError::class );
$this->expectExceptionMessage( 'Unknown or unsupported algo: fail' );
$password->crypt( 'whatever' );
}
public function testCryptThrowsOnInvalidCost() {
$factory = new PasswordFactory();
$class = static::getPbkdf2PasswordClass();
$password = new $class(
$factory,
[
'type' => 'pbkdf2',
'algo' => 'sha256',
'cost' => '0',
'length' => '128',
]
);
$this->expectException( PasswordError::class );
$this->expectExceptionMessage( 'Invalid number of rounds.' );
$password->crypt( 'whatever' );
}
public function testCryptThrowsOnInvalidLength() {
$factory = new PasswordFactory();
$class = static::getPbkdf2PasswordClass();
$password = new $class(
$factory,
[
'type' => 'pbkdf2',
'algo' => 'sha256',
'cost' => '10000',
'length' => '0',
]
);
$this->expectException( PasswordError::class );
$this->expectExceptionMessage( 'Invalid length.' );
$password->crypt( 'whatever' );
}
}
Reference in a new issue View git blame Copy permalink