Closed DidierLmn closed 3 years ago
The constants below are always available as part of the PHP core.
https://www.php.net/manual/en/password.constants.php
I'm a bit puzzled that those constants are not available.
Strange indeed.
I tried to verify the existence of the constants before I had the php-sodium
package installed.
$ php -v
PHP 7.4.6 (cli) (built: May 12 2020 08:09:15) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.6, Copyright (c), by Zend Technologies
$ php -r 'echo PASSWORD_BCRYPT;'
2y%
$ php -r 'echo PASSWORD_ARGON2I;'
PHP Warning: Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2I%
$ php -r 'echo PASSWORD_ARGON2ID;'
PHP Warning: Use of undefined constant PASSWORD_ARGON2ID - assumed 'PASSWORD_ARGON2ID' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2ID%
After having installed the package the constants are available
$ php -r 'echo PASSWORD_ARGON2I;'
argon2i%
$ php -r 'echo PASSWORD_ARGON2ID;'
argon2id%
https://forum.remirepo.net/viewtopic.php?id=3961 https://github.com/remicollet/remirepo/issues/137
Hmm. php-sodium should be a hard dependency now? Probably that change was too late for Fedora 32?
It seems so. I don't use a custom repo, but the default Fedora repo for PHP. From what I gather from the linked topics, it doesn't have to be a hard dependency if PHP is built with the right options (which Fedora 32 apparently doesn't do); it is just better. So I'm not entirely sure how you could go about solving this actually.
I just ran into the very same issue and only stumbled on this after I saw that the new passwords have "2y" in the database, while the old ones have "argon2i".
Please add some error message to what is going on, I haven't seen any password-related error message in any log.
Thanks for reminding me about this report.
https://forum.remirepo.net/viewtopic.php?id=3961 remicollet/remirepo#137
This needs to be fixed upstream by Fedora. On PHP 7.3 the algorithm is available. After update to PHP 7.4 you need a new package. That's totally confusing.
Closing the report as this affects every PHP application using PASSWORD_ARGON2I. Please talk with the people maintaining the PHP packages for Fedora to make sure argon2i is always present.
Steps to reproduce
Actual behaviour
No user can login. All users have argon2i hash for passwords, but after upgrade neither the PASSWORD_ARGON2I nor the PASSWORD_ARGON2ID variables are available to PHP. After the installation of the php-sodium package, users can log in again.
Expected behaviour
If passwords were previously hashed using a currently unavailable hashing algorithm, a message could be shown or log message written, notifying user/admin of the issue. Alternatively maybe a check for php-sodium when running occ check.
Server configuration
Operating system: Fedora 32
Web server: nginx 1.18
Database: PostgreSQL 12
PHP version: 7.4.6
Nextcloud version: 18.0.4
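
One way to implement the check suggested under "Expected behaviour", as an added example that is not part of the original report and not Nextcloud's own code. It assumes PHP 7.4 or later (for password_algos()); the function names, user names and sample hashes are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Extract the algorithm id from a crypt-style hash, e.g. "2y" or "argon2i".
function hashAlgorithmId(string $hash): ?string
{
    return preg_match('/^\$([a-z0-9]+)\$/', $hash, $m) === 1 ? $m[1] : null;
}

// Return [user => algorithm id] for every stored hash this runtime cannot verify.
function findUnverifiableHashes(array $storedHashes, array $availableAlgos): array
{
    $problems = [];
    foreach ($storedHashes as $user => $hash) {
        $algo = hashAlgorithmId($hash);
        if ($algo === null || !in_array($algo, $availableAlgos, true)) {
            $problems[$user] = $algo ?? 'unknown';
        }
    }
    return $problems;
}

// Constructed sample rows: hypothetical users, placeholder salts and digests.
$storedHashes = [
    'alice' => '$argon2i$v=19$m=65536,t=4,p=1$PLACEHOLDERSALT$PLACEHOLDERDIGEST',
    'bob'   => '$2y$10$PLACEHOLDERSALTANDDIGEST',
];

// password_algos() lists the ids that password_hash()/password_verify() support
// in this build, e.g. ["2y"] without Argon2 support.
$available = password_algos();

foreach (findUnverifiableHashes($storedHashes, $available) as $user => $algo) {
    error_log("Password hash for '$user' uses '$algo', which this PHP build does not provide");
}

// Compare against the string id: the PASSWORD_ARGON2I constant itself is
// undefined on builds without Argon2 support, so referencing it would fail.
if (!in_array('argon2i', $available, true)) {
    error_log('argon2i is not available to password_hash(); check that php-sodium is installed');
}
```

Run from a setup or health check, this logs the condition described in the report before any user attempts to log in.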