Index: openacs-4/packages/acs-kernel/acs-kernel.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/acs-kernel.info,v
diff -u -r1.150.2.57 -r1.150.2.58
--- openacs-4/packages/acs-kernel/acs-kernel.info 29 Jul 2023 12:33:16 -0000 1.150.2.57
+++ openacs-4/packages/acs-kernel/acs-kernel.info 5 Oct 2023 15:52:33 -0000 1.150.2.58
@@ -86,7 +86,7 @@
-
+
Index: openacs-4/packages/acs-tcl/tcl/00-icanuse-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/00-icanuse-procs.tcl,v
diff -u -r1.1.2.44 -r1.1.2.45
--- openacs-4/packages/acs-tcl/tcl/00-icanuse-procs.tcl 4 Sep 2023 15:25:16 -0000 1.1.2.44
+++ openacs-4/packages/acs-tcl/tcl/00-icanuse-procs.tcl 5 Oct 2023 15:52:32 -0000 1.1.2.45
@@ -105,6 +105,7 @@
::acs::register_icanuse "ns_conn contentsentlength" [acs::cmd_has_subcommand ns_conn contentsentlength]
::acs::register_icanuse "ns_conn partialtimes" [acs::cmd_has_subcommand ns_conn partialtimes]
::acs::register_icanuse "ns_conn pool" [acs::cmd_has_subcommand ns_conn pool]
+::acs::register_icanuse "ns_crypto::argon2" {[info commands ::ns_crypto::argon2] ne ""}
::acs::register_icanuse "ns_crypto::pbkdf2_hmac" {[info commands ::ns_crypto::pbkdf2_hmac] ne ""}
::acs::register_icanuse "ns_crypto::randombytes" {[info commands ::ns_crypto::randombytes] ne ""}
::acs::register_icanuse "ns_crypto::scrypt" {[info commands ::ns_crypto::scrypt] ne ""}
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.126.2.95 -r1.126.2.96
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Jun 2023 08:40:23 -0000 1.126.2.95
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 5 Oct 2023 15:52:32 -0000 1.126.2.96
@@ -770,6 +770,52 @@
}
}
+ if {[::acs::icanuse "ns_crypto::argon2"]} {
+ ad_proc -private argon2-12288-3-1 {password salt} {
+
+ Compute a "password hash" using the Argon2 hash algorithm
+ key derivation function (RFC 9106).
+
+ Parameterization recommendation from OWASP: m=12288 (12 MiB), t=3, p=1
+
+ @return hex encoded password hash (128 bytes)
+ } {
+ return [::ns_crypto::argon2 -variant argon2id \
+ -password $password -salt $salt \
+ -memcost 12288 -iter 3 -lanes 1 -threads 1 -outlen 64]
+ }
+
+ ad_proc -private argon2-rfc9106-high-mem {password salt} {
+
+ Compute a "password hash" using the Argon2 hash algorithm
+ key derivation function (RFC 9106).
+
+ Parameterization first recommendation from RFC 9106:
+ t=1, m=2GiB, p=4 (2 GiB = 2,097,152 KB)
+
+ @return hex encoded password hash (128 bytes)
+ } {
+ return [::ns_crypto::argon2 -variant argon2id \
+ -password $password -salt $salt \
+ -memcost 2097152 -iter 1 -lanes 4 -threads 4 -outlen 64]
+ }
+
+ ad_proc -private argon2-rfc9106-low-mem {password salt} {
+
+ Compute a "password hash" using the Argon2 hash algorithm
+ key derivation function (RFC 9106).
+
+ Parameterization second recommendation from RFC 9106 (low memory):
+ t=3, m=64 MiB, p=4 (64 MiB = 65,536 KB)
+
+ @return hex encoded password hash (128 bytes)
+ } {
+ return [::ns_crypto::argon2 -variant argon2id \
+ -password $password -salt $salt \
+ -memcost 65536 -iter 3 -lanes 4 -threads 4 -outlen 64]
+ }
+
+ }
}
ad_proc -public ad_check_password {
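Review bot: The three new ad_proc docstrings state `@return hex encoded password hash (128 bytes)`, but each call passes `-outlen 64`, so the raw digest is 64 bytes and the hex encoding is 128 characters; the same wording appears in argon2-12288-3-1, argon2-rfc9106-high-mem and argon2-rfc9106-low-mem, and should read `@return hex encoded password hash (64 bytes, 128 hex characters)`. The high-mem variant also deserves a why-comment above its `::ns_crypto::argon2` call, since `-memcost 2097152` means every password check reserves 2 GiB and concurrent logins multiply that cost; something like `# NOTE: 2 GiB per invocation — size worker/connection limits accordingly before selecting this variant` would let an operator judge the resource-exhaustion exposure before enabling it. The `-threads` values are passed alongside `-lanes`; a short note that the two are intentionally kept equal would make the parameter choice easier to maintain. The enclosing namespace block that these procs are added to begins before this hunk, so the surrounding `namespace eval` context is not visible here.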
@@ -820,8 +866,13 @@
error "No user_id supplied"
}
+ #
+ # The hash algorithms are called in standard OpenACS with a salt
+ # size of 20 bytes (in hex format), which corresponds to 160-bit.
+ #
set salt [sec_random_token]
set new_password [::security::hash::$password_hash_algorithm $new_password $salt]
+
db_dml password_update {
update users
set password = :new_password,