• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Forwarded to devs PHP 7.2 is missing argon2i support

ssaki

ssaki

New Pleskian
TITLE:
PHP 7.2 is missing argon2i support
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
✓ demo@plesk:~$ plesk version
Product version: Plesk Onyx 17.5.3
Build date: 2017/03/17 16:00
OS version: Ubuntu 16.04
Revision: 55d1b49a272f44666e1920eca8b6e4da449a38cd
Architecture: 64-bit
Wrapper version: 1.2
PROBLEM DESCRIPTION:
PHP 7.2 has introduced support for the Argon2i hashing algorithm. It's stated in the RFC that it should be compiled with –with-password-argon2

The support is definitely not enabled in current version of php7.2 on Plesk Onyx.​
STEPS TO REPRODUCE:
Execute one of the following commands in cli:
  • /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
  • /opt/plesk/php/7.2/bin/php -r 'var_dump(password_hash("password", PASSWORD_ARGON2I));'
ACTUAL RESULT:
Variant 1
Code: 
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2I

Variant 2
Code: 
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PHP Warning:  password_hash() expects parameter 2 to be integer, string given in Command line code on line 1
EXPECTED RESULT:
Variant 1
Code: 
✓ ssaki@labtop:~ $ php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
2

Variant 2
Code: 
✓ ssaki@labtop:~ $ php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
$argon2i$v=19$m=1024,t=2,p=2$Lnh4Ymw4QkR1dldYcXFzaw$PRRs4MEQQ5xxSt0nlAC6xJyP7Ie8Z7GcHY8I6iw2vFw
ANY ADDITIONAL INFORMATION:
When enabled password_hash() should produce results with the new argon signature (regex spec: ^\$argon2i\$v=\d+$m=\d+,t=\d+,p=\d+:.+)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
 
As this has tag "forwarded to devs": What is the current state here?
Do we have to wait for argon until php7.2 has reached EOL?
It was the winner of the Password Hashing Competition in July 2015, three years ago...
 
It was submitted as feature request PPM-2425. We will consider this feature in upcoming releases if it will be popular.
 
Libsodium changed to Argon2id naturally in 1.0.15, which is unambiguously a decent move.

Halite sticks its base to 1.0.13, which was the primary adaptation with Argon2id bolster. This change was one of the helpers in choosing 1.0.13 as the base. Be that as it may, I by one way or another fail to roll out the important improvements to deal with Argon2id in the code.

A debt of gratitude is in order for detailing this. I'll get a fix out ASAP.

Chrome Hoverboards | Hoverboards | Segways | Automatic driving lessons Wolverhampton | Corporate car hire Melbourne airport
 
portrino said:
Any news here? Is this already implemented or still an open ToDo?
Click to expand...

AFAIK there is nothing to be implemented by Plesk, it (php) needs a compile flag only (given the lib is installed on the system) :)

If you need Argon then better have a look at Docker/LXC/KVM (+ chef/puppet to do the heavy lifting), as having such an issue laying around for more than year means that nobody really cares to have it bundled.
 
zeeshan786 said:
Libsodium changed to Argon2id naturally in 1.0.15, which is unambiguously a decent move.

Halite sticks its base to 1.0.13, which was the primary adaptation with Argon2id bolster. This change was one of the helpers in choosing 1.0.13 as the base. Be that as it may, I by one way or another fail to roll out the important improvements to deal with Argon2id in the code.

A debt of gratitude is in order for detailing this. I'll get a fix out ASAP.

Chrome Hoverboards | Hoverboards | Segways | Automatic driving lessons Wolverhampton | Corporate car hire Melbourne airport
Click to expand...
Hi Zeeshan May I contact you in personal?
 
You must log in or register to reply here.

Similar threads

R
Resolved Repository for PHP 7.2 missing
Replies
5
Views
1K
RPD
R
F
Forwarded to devs PHP: Additional directives extension handling incorrect
Replies
7
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
V
Resolved Roundcube config.local.php not read
Replies
3
Views
829
Visnet
V
B
Input How to use Multiple IP's for 1 Domain [IMPORTANT FEATURE THAT'S MISSING NATIVELY]
Replies
1
Views
4K
scsa20
scsa20
M
Question How to install additional PHP modules / Extensions
Replies
2
Views
327
MHC_1
M
Back
Top