
Forwarded to devs PHP 7.2 is missing argon2i support

ssaki

New Pleskian
TITLE:
PHP 7.2 is missing argon2i support
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
✓ demo@plesk:~$ plesk version
Product version: Plesk Onyx 17.5.3
Build date: 2017/03/17 16:00
OS version: Ubuntu 16.04
Revision: 55d1b49a272f44666e1920eca8b6e4da449a38cd
Architecture: 64-bit
Wrapper version: 1.2
PROBLEM DESCRIPTION:
PHP 7.2 has introduced support for the Argon2i hashing algorithm. It's stated in the RFC that it should be compiled with --with-password-argon2

The support is definitely not enabled in the current version of php7.2 on Plesk Onyx.
STEPS TO REPRODUCE:
Execute one of the following commands in cli:
  • /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
  • /opt/plesk/php/7.2/bin/php -r 'var_dump(password_hash("password", PASSWORD_ARGON2I));'
ACTUAL RESULT:
Variant 1
Code:
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2I

Variant 2
Code:
✓ demo@plesk:~$ /opt/plesk/php/7.2/bin/php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PHP Warning:  password_hash() expects parameter 2 to be integer, string given in Command line code on line 1
EXPECTED RESULT:
Variant 1
Code:
✓ ssaki@labtop:~ $ php -r 'echo PASSWORD_ARGON2I, PHP_EOL;'
2

Variant 2
Code:
✓ ssaki@labtop:~ $ php -r 'echo password_hash("password", PASSWORD_ARGON2I), PHP_EOL;'
$argon2i$v=19$m=1024,t=2,p=2$Lnh4Ymw4QkR1dldYcXFzaw$PRRs4MEQQ5xxSt0nlAC6xJyP7Ie8Z7GcHY8I6iw2vFw
ANY ADDITIONAL INFORMATION:
When enabled password_hash() should produce results with the new argon signature (regex spec: ^\$argon2i\$v=\d+$m=\d+,t=\d+,p=\d+:.+)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
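
An application-side way to cope with a PHP build that lacks Argon2i, as in the report above. This is an added example, not code from the thread: it picks Argon2i only when the constant exists, falls back to bcrypt otherwise, and upgrades stored hashes at login. The function names and the bcrypt cost values are assumptions.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

/** Use Argon2i when this PHP build was compiled with it, else bcrypt. */
function pick_algo(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, []];          // build defaults for m, t, p
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];   // cost 12 is an assumed value
}

function hash_password(string $password): string
{
    [$algo, $options] = pick_algo();
    $hash = password_hash($password, $algo, $options);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/** Verify a login; return a replacement hash when the stored one is outdated. */
function verify_and_upgrade(string $password, string $stored): array
{
    // An Argon2i hash cannot be checked by a build without Argon2 support:
    // report that as a server problem, not as a wrong password.
    if (strpos($stored, '$argon2i$') === 0 && !defined('PASSWORD_ARGON2I')) {
        throw new RuntimeException('stored hash is Argon2i but this PHP build lacks it');
    }
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    [$algo, $options] = pick_algo();
    $new = password_needs_rehash($stored, $algo, $options) ? hash_password($password) : null;
    return ['ok' => true, 'new_hash' => $new];
}

// Constructed sample data: a bcrypt hash as an older build would have stored it.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$result = verify_and_upgrade('correct horse', $legacy);

echo 'hashing with: ', password_get_info(hash_password('x'))['algoName'], PHP_EOL;
echo 'login ok: ', var_export($result['ok'], true), PHP_EOL;
echo 'rehash issued: ', var_export($result['new_hash'] !== null, true), PHP_EOL;
```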
 
As this has tag "forwarded to devs": What is the current state here?
Do we have to wait for argon until php7.2 has reached EOL?
It was the winner of the Password Hashing Competition in July 2015, three years ago...
 
It was submitted as feature request PPM-2425. We will consider this feature in upcoming releases if it is popular.
 
Libsodium changed to Argon2id naturally in 1.0.15, which is unambiguously a decent move.

Halite sticks its base to 1.0.13, which was the primary adaptation with Argon2id bolster. This change was one of the helpers in choosing 1.0.13 as the base. Be that as it may, I by one way or another fail to roll out the important improvements to deal with Argon2id in the code.

A debt of gratitude is in order for detailing this. I'll get a fix out ASAP.

 
Any news here? Is this already implemented or still an open ToDo?

AFAIK there is nothing to be implemented by Plesk, it (php) needs a compile flag only (given the lib is installed on the system) :)

If you need Argon then better have a look at Docker/LXC/KVM (+ chef/puppet to do the heavy lifting), as having such an issue lying around for more than a year means that nobody really cares to have it bundled.
 
Hi Zeeshan, may I contact you personally?
 