This project is a prototype that materializes the concepts described in the "Leverage an adaptive one-way function" section of the following OWASP cheat sheet, using PHP:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function
The objective is to propose an example of secure usage and integration of the Argon2 algorithm in a PHP application, to protect passwords at rest, using:
- The PHC reference implementation of Argon2.
- The Argon2 support built into PHP 7.2.
It is the sibling project of this project: https://github.com/righettod/poc-argon2
The Argon2 options used are defined here.
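As an added example (not code from this project) of the usage the project demonstrates: hashing with PHP 7.2's built-in Argon2 support via password_hash(), verifying with password_verify(), and transparently re-hashing stored hashes that no longer match the current policy (a legacy bcrypt hash, or Argon2 with weaker parameters). The cost values and helper names are assumptions, not the project's configured options; PASSWORD_ARGON2I needs PHP built with --with-password-argon2.

```php
<?php
declare(strict_types=1);

// Assumed cost parameters (not the project's own values): tune to the host.
const ARGON2_OPTIONS = [
    'memory_cost' => 65536, // KiB, i.e. 64 MiB per hash computation
    'time_cost'   => 4,     // passes over the memory
    'threads'     => 2,     // lanes / parallelism
];

// Hash a password with Argon2i; the random salt is generated by PHP and
// stored inside the returned hash string together with the parameters.
function hashPassword(string $password): string
{
    $hash = password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
    if (!is_string($hash)) { // PHP 7.x returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Verify a password against a stored hash (Argon2 or a legacy algorithm such
// as bcrypt). When the stored hash does not match the current policy, a fresh
// Argon2 hash is returned in $upgradedHash so the caller can persist it.
function verifyPassword(string $password, string $storedHash, ?string &$upgradedHash = null): bool
{
    $upgradedHash = null;
    if (!password_verify($password, $storedHash)) { // constant-time compare
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS)) {
        $upgradedHash = hashPassword($password);
    }
    return true;
}

// Self-check with constructed sample values (hypothetical helper).
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

$argonHash = hashPassword('correct horse battery staple');
check(strpos($argonHash, '$argon2i$') === 0, 'argon2i prefix');
check(verifyPassword('correct horse battery staple', $argonHash, $up) && $up === null, 'verify, no rehash');
check(!verifyPassword('wrong password', $argonHash), 'reject wrong password');

// A legacy bcrypt hash is still accepted but flagged for migration to Argon2.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
check(verifyPassword('correct horse battery staple', $legacyHash, $up) && strpos($up, '$argon2i$') === 0, 'bcrypt migrated');
echo "OK\n";
```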
The TravisCI integration file .travis.yml shows an example of a PHP setup integrated with the Argon2 library, and of running the unit tests to validate that setup.
The focus is on not installing binaries from untrusted sources (non-official Linux repositories). The PHC GitHub repository for Argon2 is considered trusted because the sources are provided and a security code review can be applied to them.
I have used Ubuntu 14 in order to test the proposed configuration's strength capacities on TravisCI cloud environments.
The 3rd-party Linux repo ondrej/php provides pre-compiled packages for Argon2 and PHP 7.2, but I have decided not to trust it because it is not an official repository.
Apparently, even on Ubuntu 16, PHP 7.0 is the provided version, so a manual install is required or the ondrej/php repository must be used.
sudo apt-get install gcc clang libxml2-dev unzip wget curl make openssl libssl-dev
Step 1: Install Argon2 from the PHC release on the GitHub repository, and PHP 7.2 from sources with the Argon2 option enabled
The following PHP compilation options are needed by Composer and PHPUnit, not by Argon2:
--with-openssl
--enable-mbstring
--enable-dom
--enable-json
--enable-xml
--enable-libxml
See this complete setup shell script.
composer install
/usr/local/bin/php vendor/phpunit/phpunit/phpunit password_util_testcase.php --colors=always --testdox