PHP 7.2 and libsodium #8863
Comments
Is it a compile-time configuration? Or is it supposed to be enabled by default? |
I was locally using a pre-configured PHP, so to be sure I just compiled PHP 7.2 from sources.
$ ./php -v
PHP 7.2.0 (cli) (built: Dec 6 2017 15:26:29) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
Then I tried to use the
$ ./php -r 'echo password_hash("test", PASSWORD_ARGON2I) . "\n";'
Warning: Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
Warning: password_hash() expects parameter 2 to be integer, string given in Command line code on line 1
While not having any problem with
$ ./php -r 'echo password_hash("test", PASSWORD_BCRYPT) . "\n";'
$2y$10$wsWe3BhyzenVqDs6JV/fPOB0XKh0oTuGdrgLp61MnUPzOUdw4jZey
This is strange. I would have expected this algorithm to be part of the default PHP 7.2 build, just as other hash algorithms. And nothing seems to indicate the opposite in the docs. I'll investigate. Maybe I understood something wrong... but this looks like a bug to me, since they say here that |
For the record, configuration options used for compiling |
It appears it's an option; we need to compile PHP with this option: I suppose we can't personalize it in our Travis configuration? |
In case of Symfony 4... I did not try yet and intend to let you know when done, but for now I guess the problem can be skirted by using a "travis" environment extending "test" and defining:
# config/packages/travis/security.yaml
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            # algorithm: 'argon2i'
            algorithm: 'bcrypt'
This would get my DataFixtures work (just using I agree with @mpiot about the need of being able to configure PHP build. Is there any way? |
An idea is to use the method mentioned in https://symfony.com/blog/new-in-symfony-3-4-argon2i-password-hasher, by using the libsodium-php library (when we don't have PHP 7.2), but just in Travis:
Maybe it works well :-) |
Better solution than mine, indeed. (: |
Because Symfony has been updated, the previous solution no longer works, so I chose to directly add the libsodium extension with PECL. This method is better, I think, because we install and enable the PHP extension. We must download the sources of the libsodium library because Ubuntu 14.04 doesn't have the library, then compile it, compile the PHP extension with pecl, and enable it. It works well, but it takes more time than the previous solution.
Edit, as said by BanzaiMan:
|
You don't need to run Since the run-time configuration seems possible, can we close this issue at this time? |
Having PHP 7.2 compiled with the core libsodium would be a better solution than having to install the PECL extension, which takes some time. But this solution gets the job done for our needs, so I guess the issue can be closed for now. (: |
How long does it take to compile? |
before_install:
- cd libsodium && sudo ./configure && sudo make check && sudo make install && cd ..
- '[[ "$TRAVIS_PHP_VERSION" == "nightly" ]] || phpenv config-rm xdebug.ini'
install:
- pecl install libsodium
- echo "extension=sodium.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini
I just stopwatched, this part takes about 1'30''. |
Argon2i has to be enabled during build, |
Maybe we can do a test on the PHP version in the .travis.yml, then if it's a PHP > 7.2, add commands to add the option, because we can't add the option in the default_configure_options files; they are used by every PHP version. @BanzaiMan I don't really know how it works... What is the variable that contains the PHP version? (In https://github.com/travis-ci/php-src-builder, because $VERSION is always master (or do you define PHP with $VERSION manually?), and php is always 5.6, defined in the matrix) |
@mpiot |
Is it acceptable to assume that this hashing algorithm is (almost) universally available in production environments? |
You mean my wallet hashing? |
@Condebk717 Could you elaborate? I have no idea what wallet you are talking about. |
Was clear on your comment mr banzaaiMan |
Sorry I misunderstood the conversation my friend |
Banzaiman i might need some help from you if possible
Regards.
|
Most "modern" applications still use https://symfony.com/blog/new-in-symfony-3-4-argon2i-password-hasher
I think indeed it would not be a bad move to make it universally available. This is only my opinion, though. |
@BanzaiMan I agree with Adrien-H, Argon2 is a new way to hash passwords in the database with PHP. For the Symfony Framework, it's the new best practice. I've done something in a fork, if it can help: https://github.com/mpiot/php-src-builder/commit/a6d5349643fd7780dd33d0f806124c68b8e0eb59 |
This adds a lot of overhead to the CI of most of the projects I develop because libsodium has to be compiled/etc. from scratch. Can we please get a new PHP 7.2 that includes libsodium 1.0.15 and is compiled with ext/sodium support? |
pretty please with sugar on top https://travis-ci.org/chillerlan/php-oauth/jobs/334467006 |
When can we get this fixed? |
For those who are having trouble compiling |
This was sufficient for me to get sodium working on PHP 7.0 and 7.2:
before_install:
- sudo add-apt-repository ppa:ondrej/php -y
- sudo apt-get -qq update
- sudo apt-get install -y libsodium-dev
install:
- printf "\n" | pecl install libsodium
|
This is what I (and probably others, too) did before, but it shouldn't be necessary for PHP 7.2 as libsodium is part of it and should be enabled by default. |
At this point it feels like someone is deliberately breaking the package chain and taunting all of us. Isn't there anyone who can poke the right people to fix this? It's astounding that we're already 4 releases into php 7.2 and the linux builds for the major distros are still broken. Meanwhile, the official windows php builds work perfectly fine (and libsodium for php < 7.2/win supports even the old and new sodium syntax...). |
@mpiot I've opened a PR starting from your fork, thanks! |
@Jean85 You're welcome, thank you too :-) If they accept it, it would be a good thing :-) |
This is annoying please update your images. |
+1 📦 |
Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue in 24 hours. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please do feel free to either reopen this issue or open a new one. We'll gladly take a look again! You can read more here: https://blog.travis-ci.com/2018-03-09-closing-old-issues |
Bad bot |
travis-ci/php-src-builder#20 got merged! 🎉 |
This issue should be resolved by travis-ci/php-src-builder#22 (fixed travis-ci/php-src-builder#20). |
Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue in 7 days. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please respond before the issue is closed, or open a new one after. We'll gladly take a look again! You can read more here: https://blog.travis-ci.com/2018-03-09-closing-old-issues |
Calling it now: @Stale is probably the least helpful contributor in this thread, present and future. |
Does travis-ci/php-src-builder#22 completely solve this? Are we missing something else? |
https://travis-ci.org/paragonie/halite/builds/479489381 -- if this has no build errors, then this is completely solved. |
Green!! 👍 |
Closing |
Apparently you need to add |
@tuupola Can you try a newer version? |
@BanzaiMan If you mean newer version of PHP then yes |
I meant the more recent teeny releases of 7.2; e.g., 7.2.21. My guess is that the pre-installed 7.2 on the current Xenial image is too old to have this, and forcing the run-time installation of the newer version might solve this problem for you. |
Yeah that is possible. In any case adding the |
I am currently deploying a Symfony 4 application, which uses the Argon2i algorithm for password hashing. PHP 7.2 natively implements the libsodium library. Of course, PHP 7.2 is mandatory in this build and everything is fine on my local machine with 7.2.0. Application running, tests OK, etc. But the build fails while deploying.
I have this in my Travis file:
Here is the part of the build logs where PHP is being successfully installed:
But after the composer install, the build fails with this message:
The message from Symfony is pretty clear, I already saw it while testing with PHP 7.1. But it should work with 7.2, I cannot come to understand what is happening.
Any idea?
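A preflight check for the situation this thread describes, where a PHP 7.2 binary may or may not expose Argon2i: it probes the interpreter and reports which backend is available (core `PASSWORD_ARGON2I`, the `sodium` extension, or the older `libsodium` PECL extension), so a CI job compiles libsodium only when needed and fails loudly rather than quietly testing with bcrypt. This is an added example, not code from the thread or from Travis CI; the function names, the `PHP_BIN` variable and the probe line format are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): find out whether this PHP binary can
# produce Argon2i hashes, and through which backend.

# Ask the interpreter itself; prints e.g. "argon2i=0 sodium=1 libsodium=0".
# PHP_BIN is a hypothetical override for the binary under test.
probe_php() {
  "${PHP_BIN:-php}" -r 'printf("argon2i=%d sodium=%d libsodium=%d\n",
    defined("PASSWORD_ARGON2I"), extension_loaded("sodium"),
    extension_loaded("libsodium"));'
}

# Map a probe line to a backend name.
# Prints core | sodium | libsodium | none; returns 1 for "none".
pick_backend() {
  pb_argon2i=0; pb_sodium=0; pb_libsodium=0
  for pb_field in $1; do
    case $pb_field in
      argon2i=1)   pb_argon2i=1 ;;
      sodium=1)    pb_sodium=1 ;;
      libsodium=1) pb_libsodium=1 ;;
    esac
  done
  if   [ "$pb_argon2i" = 1 ];   then echo core
  elif [ "$pb_sodium" = 1 ];    then echo sodium
  elif [ "$pb_libsodium" = 1 ]; then echo libsodium
  else echo none; return 1
  fi
}

# Returns 0 when the job still has to install the PECL extension.
needs_pecl_install() {
  ! pick_backend "$1" >/dev/null
}

# Fail the build with a clear message when no backend exists.
preflight() {
  pf_backend=$(pick_backend "$(probe_php)") || {
    echo "no Argon2i backend: install ext/sodium before running tests" >&2
    return 1
  }
  echo "Argon2i backend: $pf_backend"
}

# Run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Calling the script with `--run` in `before_install` makes the capability explicit in the build log; `needs_pecl_install "$(probe_php)"` can guard the libsodium compile step so it is skipped on images that already have support.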