
Argon2PasswordTest failing on PHP 7.2.21+ (works upto PHP 7.2.16)
Closed, Resolved · Public

Description

As of about 24 hours ago, the Travis CI builds for PHP 7.2 and PHP 7.3 are failing.

There was 1 failure:
1) Argon2PasswordTest::testPartialConfig
Options not set for a password should fall back to defaults
Failed asserting that true is false.
/home/travis/build/wikimedia/mediawiki/tests/phpunit/includes/password/Argon2PasswordTest.php:102

Last passing:

First failing:

Given no seemingly related changes to the failure between these commits, and WMF CI still passing, I'm guessing it's due to the implicit PHP upgrade that happened due to the upstream release.

Event Timeline

Krinkle created this task. Aug 14 2019, 2:41 PM
Restricted Application added a subscriber: Aklapper. Aug 14 2019, 2:41 PM
Krinkle updated the task description. Aug 14 2019, 2:41 PM
Jdforrester-WMF renamed this task from Argon2PasswordTest failing on PHP 7.7.21+ (works upto PHP 7.2.16) to Argon2PasswordTest failing on PHP 7.2.21+ (works upto PHP 7.2.16). Aug 14 2019, 2:45 PM

I see it in https://www.php.net/ChangeLog-7.php#7.3.8

Fixed bug [[ http://bugs.php.net/78269 | #78269 ]] (password_hash uses weak options for argon2).
Anomie added a subscriber: Anomie. Aug 14 2019, 4:38 PM

I see it in https://www.php.net/ChangeLog-7.php#7.3.8

Fixed bug [[ http://bugs.php.net/78269 | #78269 ]] (password_hash uses weak options for argon2).

Seems pretty likely. At Argon2PasswordTest.php lines 30–32 we have

				'memory_cost' => 1024,
				'time_cost' => 2,
				'threads' => 2,

while in the patch related to that upstream change I see

-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
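
Review bot: the new `PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)` line carries no comment giving the unit, so a short comment that the value is in KiB (64 MiB here) would make the jump from `1<<10` easier to check. The parentheses are also worth keeping as the rule for these defines, since the removed `1<<10` form was unparenthesized and could bind differently if expanded inside a larger expression.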

It doesn't look like we can directly access those C defines in PHP code, but we may be able to get them indirectly. On my local system,

$ php -r 'var_dump( PHP_VERSION, password_get_info( password_hash( "", PASSWORD_ARGON2I ) ) );'
string(8) "7.2.11-3"
array(3) {
  ["algo"]=>
  int(2)
  ["algoName"]=>
  string(7) "argon2i"
  ["options"]=>
  array(3) {
    ["memory_cost"]=>
    int(1024)
    ["time_cost"]=>
    int(2)
    ["threads"]=>
    int(2)
  }
}

$ php7.3 -r 'var_dump( PHP_VERSION, password_get_info( password_hash( "", PASSWORD_ARGON2I ) ) );'
string(7) "7.3.8-1"
array(3) {
  ["algo"]=>
  int(2)
  ["algoName"]=>
  string(7) "argon2i"
  ["options"]=>
  array(3) {
    ["memory_cost"]=>
    int(65536)
    ["time_cost"]=>
    int(4)
    ["threads"]=>
    int(1)
  }
}
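
An added example (not from this task and not MediaWiki code) of the indirect approach described in the comment above: read the Argon2 defaults from the running PHP build instead of hard-coding them, then check a hash made from a partial config against both. The helper names `argon2Defaults` and `effectiveOptions`, the `time_cost` of 5 and the sample password are assumptions made for illustration.

```php
<?php
// Added example; requires a PHP build with Argon2 support.
if ( !defined( 'PASSWORD_ARGON2I' ) ) {
	fwrite( STDERR, "This PHP build has no Argon2 support\n" );
	exit( 1 );
}

/** Ask the running PHP build for its Argon2 defaults (hypothetical helper). */
function argon2Defaults( $algo ): array {
	// Hash an empty string with no options, then read the parameters back.
	return password_get_info( password_hash( '', $algo ) )['options'];
}

/** Fill in whatever a partial config leaves out from the runtime defaults. */
function effectiveOptions( array $partial, array $defaults ): array {
	return array_intersect_key( $partial, $defaults ) + $defaults;
}

$defaults = argon2Defaults( PASSWORD_ARGON2I );

// Constructed partial config: only time_cost is set, the rest must fall back.
$partial = [ 'time_cost' => 5 ];
$hash = password_hash( 'constructed-sample-password', PASSWORD_ARGON2I, $partial );

// What the hash should contain on this particular build.
$expected = effectiveOptions( $partial, $defaults );

// The old defaults as hard-coded at Argon2PasswordTest.php lines 30-32.
$hardCoded = $partial + [ 'memory_cost' => 1024, 'time_cost' => 2, 'threads' => 2 ];

// Comparing against the derived values holds on any build; comparing against
// the hard-coded values only holds on builds that still ship the old defaults.
var_dump( [
	'php_version' => PHP_VERSION,
	'runtime_defaults' => $defaults,
	'hash_matches_derived' => password_get_info( $hash )['options'] == $expected,
	'needs_rehash_vs_derived' => password_needs_rehash( $hash, PASSWORD_ARGON2I, $expected ),
	'needs_rehash_vs_hard_coded' => password_needs_rehash( $hash, PASSWORD_ARGON2I, $hardCoded ),
] );
```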

Change 530624 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] Handle changed defaults in Argon2PasswordTest::testPartialConfig()

https://gerrit.wikimedia.org/r/530624

Change 530624 merged by jenkins-bot:
[mediawiki/core@master] Handle changed defaults in Argon2PasswordTest::testPartialConfig()

https://gerrit.wikimedia.org/r/530624

Krinkle closed this task as Resolved. Aug 17 2019, 3:19 PM
Krinkle assigned this task to Anomie.

mmodell changed the subtype of this task from "Task" to "Production Error". Wed, Aug 28, 11:05 PM