From 2577f1147b323633d64501f1a085ce8c580ab863 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Tue, 14 Nov 2017 16:36:57 -0800
Subject: [PATCH] Add Argon2 password hashing
See https://wiki.php.net/rfc/argon2_password_hash
See also https://gitlab.com/deb.sury.org/php/commit/a91992745b62690ef5257cd6597ad0a8d7afe9ff
---
 7.2-rc/stretch/apache/Dockerfile | 4 ++++
 7.2-rc/stretch/cli/Dockerfile | 4 ++++
 7.2-rc/stretch/fpm/Dockerfile | 4 ++++
 7.2-rc/stretch/zts/Dockerfile | 4 ++++
 Dockerfile-debian.template | 4 ++++
 update.sh | 11 +++++++++++
 6 files changed, 31 insertions(+)
diff --git a/7.2-rc/stretch/apache/Dockerfile b/7.2-rc/stretch/apache/Dockerfile
index 54ed85b2f9..d3ef5ba7cd 100644
--- a/7.2-rc/stretch/apache/Dockerfile
+++ b/7.2-rc/stretch/apache/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 $PHPIZE_DEPS \
 ca-certificates \
 curl \
+ libargon2-0 \
 libedit2 \
 libsqlite3-0 \
 libxml2 \
@@ -153,6 +154,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 && buildDeps=" \
 $PHP_EXTRA_BUILD_DEPS \
+ libargon2-0-dev \
 libcurl4-openssl-dev \
 libedit-dev \
 libsqlite3-dev \
@@ -186,6 +188,8 @@ RUN set -xe \
 --enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 --enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+ --with-password-argon2 \
 \
 --with-curl \
 --with-libedit \
diff --git a/7.2-rc/stretch/cli/Dockerfile b/7.2-rc/stretch/cli/Dockerfile
index 45c17bd7af..e1003dd280 100644
--- a/7.2-rc/stretch/cli/Dockerfile
+++ b/7.2-rc/stretch/cli/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 $PHPIZE_DEPS \
 ca-certificates \
 curl \
+ libargon2-0 \
 libedit2 \
 libsqlite3-0 \
 libxml2 \
@@ -94,6 +95,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 && buildDeps=" \
 $PHP_EXTRA_BUILD_DEPS \
+ libargon2-0-dev \
 libcurl4-openssl-dev \
 libedit-dev \
 libsqlite3-dev \
@@ -127,6 +129,8 @@ RUN set -xe \
 --enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 --enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+ --with-password-argon2 \
 \
 --with-curl \
 --with-libedit \
diff --git a/7.2-rc/stretch/fpm/Dockerfile b/7.2-rc/stretch/fpm/Dockerfile
index 321c867e1b..14f172a5f1 100644
--- a/7.2-rc/stretch/fpm/Dockerfile
+++ b/7.2-rc/stretch/fpm/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 $PHPIZE_DEPS \
 ca-certificates \
 curl \
+ libargon2-0 \
 libedit2 \
 libsqlite3-0 \
 libxml2 \
@@ -95,6 +96,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 && buildDeps=" \
 $PHP_EXTRA_BUILD_DEPS \
+ libargon2-0-dev \
 libcurl4-openssl-dev \
 libedit-dev \
 libsqlite3-dev \
@@ -128,6 +130,8 @@ RUN set -xe \
 --enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 --enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+ --with-password-argon2 \
 \
 --with-curl \
 --with-libedit \
diff --git a/7.2-rc/stretch/zts/Dockerfile b/7.2-rc/stretch/zts/Dockerfile
index 3c8c528a10..9ca7386daa 100644
--- a/7.2-rc/stretch/zts/Dockerfile
+++ b/7.2-rc/stretch/zts/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 $PHPIZE_DEPS \
 ca-certificates \
 curl \
+ libargon2-0 \
 libedit2 \
 libsqlite3-0 \
 libxml2 \
@@ -95,6 +96,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 && buildDeps=" \
 $PHP_EXTRA_BUILD_DEPS \
+ libargon2-0-dev \
 libcurl4-openssl-dev \
 libedit-dev \
 libsqlite3-dev \
@@ -128,6 +130,8 @@ RUN set -xe \ --enable-mbstring \ # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) --enable-mysqlnd \ +# https://wiki.php.net/rfc/argon2_password_hash (7.2+) + --with-password-argon2 \ \ --with-curl \ --with-libedit \ diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index 1473bc6250..94fbba0da5 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -16,6 +16,7 @@ RUN apt-get update && apt-get install -y \ $PHPIZE_DEPS \ ca-certificates \ curl \ + libargon2-0 \ libedit2 \ libsqlite3-0 \ libxml2 \ @@ -88,6 +89,7 @@ COPY docker-php-source /usr/local/bin/ RUN set -xe \ && buildDeps=" \ $PHP_EXTRA_BUILD_DEPS \ + libargon2-0-dev \ libcurl4-openssl-dev \ libedit-dev \ libsqlite3-dev \ @@ -121,6 +123,8 @@ RUN set -xe \ --enable-mbstring \ # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself) --enable-mysqlnd \ +# https://wiki.php.net/rfc/argon2_password_hash (7.2+) + --with-password-argon2 \ \ --with-curl \ --with-libedit \ diff --git a/update.sh b/update.sh index cc5233f118..f0157cf05f 100755 --- a/update.sh +++ b/update.sh @@ -52,6 +52,12 @@ travisEnv= for version in "${versions[@]}"; do rcVersion="${version%-rc}" + # "7", "5", etc + majorVersion="${rcVersion%%.*}" + # "2", "1", "6", etc + minorVersion="${rcVersion#$majorVersion.}" + minorVersion="${minorVersion%%.*}" + # scrape the relevant API based on whether we're looking for pre-releases apiUrl="https://secure.php.net/releases/index.php?json&max=100&version=${rcVersion%%.*}" apiJqExpr=' 
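Review bot: The comment added above `--with-password-argon2` in the third Dockerfile-debian.template hunk gives only the RFC link and does not say that these lines are conditional: update.sh in this same patch deletes every line matching `argon2` for 5.x, 7.0/7.1 and jessie, and the diffstat lists no Alpine template, so those images presumably ship without Argon2. A hash created with `PASSWORD_ARGON2I` on a 7.2 stretch image will not verify on a variant built without the flag, which matters when a deployment moves between image tags. I would expand the comment to something like `# Argon2 is only built for 7.2+ on stretch; update.sh strips every line containing "argon2" for other targets`. The generated 7.2-rc/stretch/* Dockerfiles carry the same three hunks and would pick this up on regeneration.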
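Review bot: `minorVersion="${rcVersion#$majorVersion.}"` in the first update.sh hunk leaves `$majorVersion` unquoted inside the pattern, so it is matched as a glob rather than literally, and when the version string has no dot the prefix is not stripped and `minorVersion` ends up equal to the major number. Quoting the inner expansion, `minorVersion="${rcVersion#"$majorVersion".}"`, fixes the first; the second only matters if `versions` can hold a bare major, which is not visible here. The unchanged `apiUrl` line still recomputes `${rcVersion%%.*}` and could use `$majorVersion` now. The loop body continues outside the hunk.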
@@ -150,6 +156,11 @@ for version in "${versions[@]}"; do if [ "$alpineVer" = '3.4' ]; then sed -ri 's!libressl!openssl!g' "$version/$suite/$variant/Dockerfile" fi + if [ "$majorVersion" = '5' ] || [ "$majorVersion" = '7' -a "$minorVersion" -lt '2' ] || [ "$suite" = 'jessie' ]; then + # argon2 password hashing is only supported in 7.2+ and stretch+ + sed -ri '/argon2/d' "$version/$suite/$variant/Dockerfile" + # Alpine 3.7+ _should_ include an "argon2-dev" package, but we should cross that bridge when we come to it + fi # automatic `-slim` for stretch # TODO always add slim once jessie is removed
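Review bot: The new condition uses `-a` inside `[ … ]` (`[ "$majorVersion" = '7' -a "$minorVersion" -lt '2' ]`), which POSIX marks obsolescent and which becomes ambiguous when an operand looks like an operator. Splitting it needs explicit grouping because `&&` and `||` have equal precedence in a list: `if [ "$majorVersion" = '5' ] || { [ "$majorVersion" = '7' ] && [ "$minorVersion" -lt 2 ]; } || [ "$suite" = 'jessie' ]; then`. The `sed -ri '/argon2/d'` pattern is unanchored, so it removes any Dockerfile line containing that substring, including comments; the in-code comment could say so, e.g. `# drops every line mentioning "argon2" (packages, configure flag and its comment)`. The enclosing loop and the definitions of `$suite` and `$variant` are outside the hunk.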