
Forwarded to devs PHP 7.2 is missing argon2i support

ssaki

New Pleskian
TITLE:
PHP 7.2 is missing argon2i support
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
✓ demo@plesk:~$ plesk version
Product version: Plesk Onyx 17.5.3
Build date: 2017/03/17 16:00
OS version: Ubuntu 16.04
Revision: 55d1b49a272f44666e1920eca8b6e4da449a38cd
Architecture: 64-bit
Wrapper version: 1.2
PROBLEM DESCRIPTION:
PHP 7.2 has introduced support for the Argon2i hashing algorithm. It's stated in the RFC that it should be compiled with --with-password-argon2

The support is definitely not enabled in the current version of php7.2 on Plesk Onyx.
STEPS TO REPRODUCE:
Execute one of the following commands in cli:
  • /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
  • /opt/plesk/php/7.2/bin/php -r 'var_dump(password_hash("password", PASSWORD_ARGON2I));'
ACTUAL RESULT:
Variant 1
Code:
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2I

Variant 2
Code:
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PHP Warning:  password_hash() expects parameter 2 to be integer, string given in Command line code on line 1
EXPECTED RESULT:
Variant 1
Code:
✓ ssaki@labtop:~ $ php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
2

Variant 2
Code:
✓ ssaki@labtop:~ $ php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
$argon2i$v=19$m=1024,t=2,p=2$Lnh4Ymw4QkR1dldYcXFzaw$PRRs4MEQQ5xxSt0nlAC6xJyP7Ie8Z7GcHY8I6iw2vFw
ANY ADDITIONAL INFORMATION:
When enabled, password_hash() should produce results with the new argon signature (regex spec: ^\$argon2i\$v=\d+\$m=\d+,t=\d+,p=\d+\$.+)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
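
An added example, not part of the original report and not Plesk's code: one way for an application to cope with PHP builds that lack Argon2 is to test for the constant at runtime, fall back to bcrypt, and upgrade stored hashes at login once Argon2i becomes available. The function names are hypothetical and the cost values are assumptions to tune per host.

```php
<?php
// Added example: pick the strongest password_hash() algorithm this build offers.
// preferred_algo(), hash_password() and verify_and_upgrade() are hypothetical names.

function preferred_algo(): array
{
    // PASSWORD_ARGON2I only exists when PHP was built with Argon2 support.
    if (defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, [
            'memory_cost' => 65536, // KiB; assumed value
            'time_cost'   => 4,     // assumed value
            'threads'     => 1,
        ]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]]; // fallback on builds without Argon2
}

function hash_password(string $password): string
{
    [$algo, $options] = preferred_algo();
    $hash = password_hash($password, $algo, $options);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Returns [verified, replacementHash]; replacementHash is null when the
// stored hash already matches the preferred algorithm and costs.
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    [$algo, $options] = preferred_algo();
    $new = password_needs_rehash($stored, $algo, $options)
        ? hash_password($password)
        : null;
    return [true, $new];
}

// Constructed sample: an older bcrypt hash that should be upgraded at login.
$stored = password_hash('constructed-sample', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = verify_and_upgrade('constructed-sample', $stored);
printf("argon2i available: %s\n", defined('PASSWORD_ARGON2I') ? 'yes' : 'no');
printf("verified: %s, new hash algo: %s\n", $ok ? 'yes' : 'no',
    $upgraded === null ? 'unchanged' : password_get_info($upgraded)['algoName']);
```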
 
As this has tag "forwarded to devs": What is the current state here?
Do we have to wait for argon until php7.2 has reached EOL?
It was the winner of the Password Hashing Competition in July 2015, three years ago...
 
It was submitted as feature request PPM-2425. We will consider this feature in upcoming releases if it is popular.
 
Libsodium changed to Argon2id naturally in 1.0.15, which is unambiguously a decent move.

Halite sticks its base to 1.0.13, which was the primary adaptation with Argon2id bolster. This change was one of the helpers in choosing 1.0.13 as the base. Be that as it may, I by one way or another fail to roll out the important improvements to deal with Argon2id in the code.

A debt of gratitude is in order for detailing this. I'll get a fix out ASAP.

 
Any news here? Is this already implemented or still an open ToDo?

AFAIK there is nothing to be implemented by Plesk, it (php) needs a compile flag only (given the lib is installed on the system) :)

If you need Argon then better have a look at Docker/LXC/KVM (+ chef/puppet to do the heavy lifting), as having such an issue lying around for more than a year means that nobody really cares to have it bundled.
 
Hi Zeeshan, may I contact you personally?