Problem/Motivation

The PHP password_hash() function supports hashing passwords with the Argon2 hashing algorithm currently recommended by OWASP if php is compiled against one of the following libraries:

Only one of the libraries is required, but it doesn't hurt to add both. E.g., Debian does that.

Steps to reproduce

Both libraries in PHP since 7.2 realese

  1. https://wiki.php.net/rfc/libsodium
  2. https://wiki.php.net/rfc/argon2_password_hash

Proposed resolution

Add following build options 

            --with-password-argon2 \
            --with-sodium \

and add libargon2 and libsodium23 dependencies

Remaining tasks

split into commits and cherry-pick to production

User interface changes

API changes

Data model changes

Issue fork drupalci_environments-3530235

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

znerol created an issue. See original summary.

znerol opened merge request !55

znerol’s picture

znerol commented
Status: Active » Needs review

Added both libraries in the PR (sodium and argon2). It's the way debian php is built.

It would be possible to minimize dependencies by not adding sodium at all and stick with argon2 library. From PHP 8.4, even that one is not necessary anymore. From that version onwards it is possible to use OpenSSL Argon2 implementation. Question here: Is it preferable to remain close to what distros are shipping or is it preferable to minimize dependencies.

Test command and example result for images with argon2 support:

% podman run -it --rm docker.io/drupalci/php-8.5-ubuntu-apache:dev php -r 'echo(password_hash("correct horse battery staple", PASSWORD_ARGON2ID));'
$argon2id$v=19$m=65536,t=4,p=1$MzFSb1Q0MVg1NDBJOHQ4Nw$SYS269U5LJL2TEBG9t/glMS83kYMKB9mU9AJ4pnyO24
andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs review » Reviewed & tested by the community

Looks totally ok to me, I will commit it later tonight

btw I found OpenSSL argon is incomplete implementation so better to link it directly to the library.
so when there's no Argon2 headers some functionality is missing

andypost’s picture

andypost
he/him
Primary language Russian
commented
Issue summary: View changes

andypost’s picture

andypost
he/him
Primary language Russian
commented
Title: Add libargon2 and/or libsodium » Add libargon2 and libsodium

I gonna slit it on commits as franken in dev repo only and looks can't build

  • andypost committed 3bef3421 on dev authored by znerol 
    Issue #3530235 by znerol: Add libargon2 and libsodium to PHP 8.3-ubuntu
andypost’s picture

andypost
he/him
Primary language Russian
commented
Title: Add libargon2 and libsodium » Add libargon2 and libsodium to PHP image
Issue summary: View changes 
checking for Argon2 support... yes
checking for libargon2... yes

and

checking for sodium support... yes
checking for libsodium >= 1.0.8... yes

  • andypost committed 99411712 on production 
    Issue #3530235 by znerol: Add libargon2 and libsodium to PHP 8.3-ubuntu...

  • andypost committed 417dd972 on dev authored by znerol 
    Issue #3530235 by znerol, andypost: Add libargon2 and libsodium to PHP 8...

  • andypost committed 0dc068b6 on production 
    Issue #3530235 by znerol, andypost: Add libargon2 and libsodium to PHP 8...

  • andypost committed 4ff60c31 on dev authored by znerol 
    Issue #3530235 by znerol, andypost: Add libargon2 and libsodium to PHP 8...

  • andypost committed aa6ad99d on production 
    Issue #3530235 by znerol, andypost: Add libargon2 and libsodium to PHP 8...
andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Reviewed & tested by the community » Fixed

andypost closed merge request !55

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.