Bug #81491 Incorrectly using libsodium for argon2 hashing
Submitted: 2021-09-30 17:32 UTC Modified: 2021-09-30 18:00 UTC
From: dpock at liquidweb dot com
Assigned:
Status: Closed
Package: *Compile Issues
PHP Version: 8.1Git-2021-09-30 (Git)
OS:
Private report: No
CVE-ID: None
 [2021-09-30 17:32 UTC] dpock at liquidweb dot com
Description:
------------
It appears that the PHP-8.1 branch is no longer compiling libargon2 support correctly. The effects of this vary depending on whether libsodium is present too.

When libsodium is present, the issues observed are:
* Cannot use threads option when hashing with argon2,
* PASSWORD_ARGON2_PROVIDER reports as 'sodium'

When libsodium is not present, the issue observed is:
* Error stating argon2 is not supported

---

Note: Left OS blank as this affects my Mac, as well as Linux-based GitHub runners.

---

I have 'confirmed' this bug by compiling PHP 8.0 and PHP 8.1 using the same settings. When using PHP 8.0 w/o sodium I can still use argon2, and similarly the threads option works when hashing.

I've also made a "PR" that confirms PHP 8.1 works when I revert a commit to load argon2 via `pkg-config` rather than config flags. This PR is here: https://github.com/php/php-src/pull/7538

Test script:
---------------
This bug was initially found by Dries Vints via failing CI tests here: https://github.com/laravel/framework/runs/3599702797#step:8:126

He was observing the issue with a "threads" value greater than 1 causing an error. This is behavior you'd only expect if PHP were compiled with ONLY libsodium. However, the GitHub runners in use should be compiling with BOTH libsodium and libargon2. We can be confident they are compiling in this manner as PHP 8.0 runners (from the same source) are working correctly.

Expected result:
----------------
PHP should know it has access to both `libsodium` and `libargon2` when compiled in this manner.

As such, when PHP compiles with both libs, we should see:
* PASSWORD_ARGON2_PROVIDER should be 'standard', and
* password_hash should accept `threads` > 1 when using argon2.
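
A build check for the symptoms listed in this report, as an added example that is not part of the original report or of php-src. The function name `argon2_build_problems`, the probe password and the low cost values are assumptions chosen for illustration.

```php
<?php
// Added example (not from the report): detect a PHP build whose argon2
// backend is missing or has silently fallen back to libsodium.
declare(strict_types=1);

/**
 * Returns the list of problems found; an empty list means the build uses
 * libargon2 ('standard') and accepts threads > 1.
 */
function argon2_build_problems(): array
{
    // Symptom without libsodium: argon2 is not supported at all.
    if (!defined('PASSWORD_ARGON2ID')) {
        return ['argon2id is not available in this build'];
    }

    $problems = [];

    // Symptom with libsodium: the provider reports 'sodium'.
    $provider = defined('PASSWORD_ARGON2_PROVIDER') ? PASSWORD_ARGON2_PROVIDER : 'unknown';
    if ($provider !== 'standard') {
        $problems[] = "PASSWORD_ARGON2_PROVIDER is '$provider', expected 'standard'";
    }

    // Symptom with libsodium: threads > 1 is rejected.
    // Constructed probe input; the costs are kept low only so the check is fast.
    $options = ['memory_cost' => 8192, 'time_cost' => 2, 'threads' => 2];
    try {
        $hash = @password_hash('constructed-probe-password', PASSWORD_ARGON2ID, $options);
        if (!is_string($hash)) {
            $problems[] = 'password_hash() produced no hash with threads=2';
        } elseif ((password_get_info($hash)['options']['threads'] ?? null) !== 2) {
            $problems[] = 'hash was created but does not record threads=2';
        } elseif (!password_verify('constructed-probe-password', $hash)) {
            $problems[] = 'hash created with threads=2 does not verify';
        }
    } catch (\Throwable $e) {
        // PHP 8 raises ValueError here when only the sodium backend is wired in.
        $problems[] = 'password_hash() rejected threads=2: ' . $e->getMessage();
    }

    return $problems;
}

$problems = argon2_build_problems();
foreach ($problems as $p) {
    fwrite(STDERR, "argon2 build check: $p\n");
}
exit($problems === [] ? 0 : 1);
```

Run with the CLI binary of the build under test, for example as a CI step after compilation; a non-zero exit status means one of the reported symptoms is present.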


 [2021-09-30 18:00 UTC] dpock at liquidweb dot com
After further investigation I found the root cause to be that `HAVE_ARGON2LIB` was not being defined when the argon2 config flag is set.

I've updated the patch in the PR to reflect this here: https://github.com/php/php-src/pull/7538
 [2021-10-01 08:09 UTC] git@php.net
Automatic comment on behalf of mallardduck (author) and nikic (committer)
Revision: https://github.com/php/php-src/commit/6d3ef57392013f86d84a9c7b151ab627898493e0
Log: Fix bug #81491: Ensure HAVE_ARGON2LIB is set when compiling using libargon2
 [2021-10-01 08:09 UTC] git@php.net
-Status: Open +Status: Closed
Last updated: Thu Dec 09 09:03:33 2021 UTC