From 1a68b62da1f9e5c1269e307936207af104bf1a94 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 12 Jul 2019 15:53:30 +0200 Subject: - drop recode extension, moved to php-pecl-recode - add upstream patch for argon2 password --- php-7.4.0-recode.patch | 17 ---- php-upstream.patch | 266 +++++++++++++++++++++++++++++++++++++++++++++++++ php.spec | 37 ++----- 3 files changed, 275 insertions(+), 45 deletions(-) delete mode 100644 php-7.4.0-recode.patch create mode 100644 php-upstream.patch diff --git a/php-7.4.0-recode.patch b/php-7.4.0-recode.patch deleted file mode 100644 index d60c703..0000000 --- a/php-7.4.0-recode.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up ./ext/recode/config9.m4.recode ./ext/recode/config9.m4 ---- ./ext/recode/config9.m4.recode 2019-05-21 12:19:27.614484934 +0200 -+++ ./ext/recode/config9.m4 2019-05-21 12:20:41.534895969 +0200 -@@ -1,13 +1,5 @@ - dnl Check for extensions with which Recode can not work - if test "$PHP_RECODE" != "no"; then -- test "$PHP_IMAP" != "no" && recode_conflict="$recode_conflict imap" -- -- if test -n "$MYSQL_LIBNAME"; then -- PHP_CHECK_LIBRARY($MYSQL_LIBNAME, hash_insert, [ -- recode_conflict="$recode_conflict mysql" -- ]) -- fi -- - if test -n "$recode_conflict"; then - AC_MSG_ERROR([recode extension can not be configured together with:$recode_conflict]) - fi diff --git a/php-upstream.patch b/php-upstream.patch new file mode 100644 index 0000000..1984dd9 --- /dev/null +++ b/php-upstream.patch 
@@ -0,0 +1,266 @@ +From f65956e4fb4dc15ba8129e69b13a2cd758e85f46 Mon Sep 17 00:00:00 2001 +From: Sara Golemon +Date: Tue, 9 Jul 2019 11:18:13 -0400 +Subject: [PATCH] Relax argon2 mem_cost down to 64k, bump time_cost to 4 + +--- + ext/sodium/sodium_pwhash.c | 5 ++--- + .../tests/php_password_hash_argon2i.phpt | 18 +++++++++--------- + .../tests/php_password_hash_argon2id.phpt | 19 ++++++++++--------- + ext/standard/php_password.h | 7 ++----- + .../password_needs_rehash_argon2.phpt | 14 +++++--------- + 5 files changed, 28 insertions(+), 35 deletions(-) + +diff --git a/ext/sodium/sodium_pwhash.c b/ext/sodium/sodium_pwhash.c +index d615a24ab6e2..7b7f574e173a 100644 +--- a/ext/sodium/sodium_pwhash.c ++++ b/ext/sodium/sodium_pwhash.c +@@ -29,7 +29,6 @@ + #if SODIUM_LIBRARY_VERSION_MAJOR > 9 || (SODIUM_LIBRARY_VERSION_MAJOR == 9 && SODIUM_LIBRARY_VERSION_MINOR >= 6) + + /** +- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values. + * MEMLIMIT is normalized to KB even though sodium uses Bytes in order to + * present a consistent user-facing API. + * +@@ -37,8 +36,8 @@ + * + * When updating these values, synchronize ext/standard/php_password.h values. 
+ */ +-#define PHP_SODIUM_PWHASH_MEMLIMIT (256 << 10) +-#define PHP_SODIUM_PWHASH_OPSLIMIT 3 ++#define PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10) ++#define PHP_SODIUM_PWHASH_OPSLIMIT 4 + #define PHP_SODIUM_PWHASH_THREADS 1 + + static zend_string *php_sodium_argon2_hash(const zend_string *password, zend_array *options, int alg) { +diff --git a/ext/sodium/tests/php_password_hash_argon2i.phpt b/ext/sodium/tests/php_password_hash_argon2i.phpt +index 9ce6c7399eee..4522e6d1753a 100644 +--- a/ext/sodium/tests/php_password_hash_argon2i.phpt ++++ b/ext/sodium/tests/php_password_hash_argon2i.phpt +@@ -36,38 +36,38 @@ foreach([1, 2, 4] as $mem) { + --EXPECTF-- + Argon2 provider: string(%d) "%s" + Using password: string(44) "%s" +-Hash: string(97) "$argon2i$v=19$m=262144,t=3,p=1$%s$%s" ++Hash: string(96) "$argon2i$v=19$m=65536,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(97) "$argon2i$v=19$m=262144,t=6,p=1$%s$%s" ++Hash: string(96) "$argon2i$v=19$m=65536,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2i$v=19$m=262144,t=12,p=1$%s$%s" ++Hash: string(97) "$argon2i$v=19$m=65536,t=16,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(97) "$argon2i$v=19$m=524288,t=3,p=1$%s$%s" ++Hash: string(97) "$argon2i$v=19$m=131072,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(97) "$argon2i$v=19$m=524288,t=6,p=1$%s$%s" ++Hash: string(97) "$argon2i$v=19$m=131072,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2i$v=19$m=524288,t=12,p=1$%s$%s" ++Hash: string(98) "$argon2i$v=19$m=131072,t=16,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2i$v=19$m=1048576,t=3,p=1$%s$%s" ++Hash: string(97) "$argon2i$v=19$m=262144,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) 
"$argon2i$v=19$m=1048576,t=6,p=1$%s$%s" ++Hash: string(97) "$argon2i$v=19$m=262144,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(99) "$argon2i$v=19$m=1048576,t=12,p=1$%s$%s" ++Hash: string(98) "$argon2i$v=19$m=262144,t=16,p=1$%s$%s" + bool(true) + bool(false) +diff --git a/ext/sodium/tests/php_password_hash_argon2id.phpt b/ext/sodium/tests/php_password_hash_argon2id.phpt +index e6d4c1ee80a9..db5145718b8f 100644 +--- a/ext/sodium/tests/php_password_hash_argon2id.phpt ++++ b/ext/sodium/tests/php_password_hash_argon2id.phpt +@@ -36,38 +36,39 @@ foreach([1, 2, 4] as $mem) { + --EXPECTF-- + Argon2 provider: string(%d) "%s" + Using password: string(44) "%s" +-Hash: string(98) "$argon2id$v=19$m=262144,t=3,p=1$%s$%s" ++Hash: string(97) "$argon2id$v=19$m=65536,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2id$v=19$m=262144,t=6,p=1$%s$%s" ++Hash: string(97) "$argon2id$v=19$m=65536,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(99) "$argon2id$v=19$m=262144,t=12,p=1$%s$%s" ++Hash: string(98) "$argon2id$v=19$m=65536,t=16,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2id$v=19$m=524288,t=3,p=1$%s$%s" ++Hash: string(98) "$argon2id$v=19$m=131072,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(98) "$argon2id$v=19$m=524288,t=6,p=1$%s$%s" ++Hash: string(98) "$argon2id$v=19$m=131072,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(99) "$argon2id$v=19$m=524288,t=12,p=1$%s$%s" ++Hash: string(99) "$argon2id$v=19$m=131072,t=16,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(99) "$argon2id$v=19$m=1048576,t=3,p=1$%s$%s" ++Hash: string(98) "$argon2id$v=19$m=262144,t=4,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(99) 
"$argon2id$v=19$m=1048576,t=6,p=1$%s$%s" ++Hash: string(98) "$argon2id$v=19$m=262144,t=8,p=1$%s$%s" + bool(true) + bool(false) + Using password: string(44) "%s" +-Hash: string(100) "$argon2id$v=19$m=1048576,t=12,p=1$%s$%s" ++Hash: string(99) "$argon2id$v=19$m=262144,t=16,p=1$%s$%s" + bool(true) + bool(false) ++ +diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h +index ce3fdba6bbc4..97a6bf63a21e 100644 +--- a/ext/standard/php_password.h ++++ b/ext/standard/php_password.h +@@ -34,14 +34,11 @@ PHP_MSHUTDOWN_FUNCTION(password); + + #if HAVE_ARGON2LIB + /** +- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values. +- * Threads are fixed at 1 by libsodium. +- * + * When updating these values, synchronize ext/sodium/sodium_pwhash.c values. + * Note that libargon expresses memlimit in KB, while libsoidum uses bytes. + */ +-#define PHP_PASSWORD_ARGON2_MEMORY_COST (256 << 10) +-#define PHP_PASSWORD_ARGON2_TIME_COST 3 ++#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10) ++#define PHP_PASSWORD_ARGON2_TIME_COST 4 + #define PHP_PASSWORD_ARGON2_THREADS 1 + #endif + +diff --git a/ext/standard/tests/password/password_needs_rehash_argon2.phpt b/ext/standard/tests/password/password_needs_rehash_argon2.phpt +index 9552be1dc924..69588d02ad4a 100644 +--- a/ext/standard/tests/password/password_needs_rehash_argon2.phpt ++++ b/ext/standard/tests/password/password_needs_rehash_argon2.phpt +@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2 + + $hash = password_hash('test', PASSWORD_ARGON2I); + var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I)); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17])); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4])); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4])); ++var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2])); 
++var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1])); + + $hash = password_hash('test', PASSWORD_ARGON2ID); + var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID)); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17])); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4])); +-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4])); ++var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2])); ++var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1])); ++ + echo "OK!"; +-?> + --EXPECT-- + bool(false) + bool(true) + bool(true) +-bool(true) + bool(false) + bool(true) + bool(true) +-bool(true) + OK! +From db0eaa8cf1cbeeec5968a5f91a416541d354ccfe Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 10 Jul 2019 09:00:41 +0200 +Subject: [PATCH] improve libargon2/libsodium compatibility + +--- + ext/standard/password.c | 15 +++++++++++++++ + ext/standard/tests/password/bug75221.phpt | 2 +- + .../password/password_hash_error_argon2.phpt | 4 ++-- + 3 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/ext/standard/password.c b/ext/standard/password.c +index aacb30e61cb7..a12590c0e083 100644 +--- a/ext/standard/password.c ++++ b/ext/standard/password.c +@@ -571,6 +571,21 @@ static const php_password_algo* php_password_algo_find_zval_ex(zval *arg, const + #if HAVE_ARGON2LIB + case 2: return &php_password_algo_argon2i; + case 3: return &php_password_algo_argon2id; ++#else ++ case 2: ++ { ++ zend_string *n = zend_string_init("argon2i", sizeof("argon2i")-1, 0); ++ const php_password_algo* ret = php_password_algo_find(n); ++ zend_string_release(n); ++ return ret; ++ } ++ case 3: ++ { ++ zend_string *n = zend_string_init("argon2id", sizeof("argon2id")-1, 0); ++ const php_password_algo* ret = 
php_password_algo_find(n); ++ zend_string_release(n); ++ return ret; ++ } + #endif + } + return NULL; +diff --git a/ext/standard/tests/password/bug75221.phpt b/ext/standard/tests/password/bug75221.phpt +index ec03f92ea6cd..bd6e386a164e 100644 +--- a/ext/standard/tests/password/bug75221.phpt ++++ b/ext/standard/tests/password/bug75221.phpt +@@ -9,7 +9,7 @@ if (!defined('PASSWORD_ARGON2I')) die('skip password_hash not built with Argon2' + $hash = password_hash( + "php", + PASSWORD_ARGON2I, +- ['memory_cost' => 16384, 'time_cost' => 2, 'threads' => 4] ++ ['memory_cost' => 64 << 10, 'time_cost' => 4, 'threads' => 1] + ); + var_dump(substr($hash, -1, 1) !== "\0"); + ?> +diff --git a/ext/standard/tests/password/password_hash_error_argon2.phpt b/ext/standard/tests/password/password_hash_error_argon2.phpt +index 070d61656ab1..2ea6b93627c0 100644 +--- a/ext/standard/tests/password/password_hash_error_argon2.phpt ++++ b/ext/standard/tests/password/password_hash_error_argon2.phpt +@@ -21,7 +21,7 @@ NULL + Warning: password_hash(): Time cost is outside of allowed time range in %s on line %d + NULL + +-Warning: password_hash(): Invalid number of threads in %s on line %d ++Warning: password_hash(): %sthread%s + NULL + + Warning: password_hash(): Memory cost is outside of allowed memory range in %s on line %d +@@ -30,5 +30,5 @@ NULL + Warning: password_hash(): Time cost is outside of allowed time range in %s on line %d + NULL + +-Warning: password_hash(): Invalid number of threads in %s on line %d ++Warning: password_hash(): %sthread%s + NULL diff --git a/php.spec b/php.spec index 1cc834c..4de1b9c 100644 --- a/php.spec +++ b/php.spec @@ -75,7 +75,6 @@ %global with_tidy 1 %global with_sqlite3 1 %global with_enchant 1 -%global with_recode 1 %if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 %global with_libpcre 1 %else 
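Review bot: The new Argon2 defaults `PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10)` / `PHP_SODIUM_PWHASH_OPSLIMIT 4` in ext/sodium/sodium_pwhash.c, and the matching `PHP_PASSWORD_ARGON2_MEMORY_COST` / `PHP_PASSWORD_ARGON2_TIME_COST` in ext/standard/php_password.h, are left without a stated rationale. The bundled patch deletes the "taken from libsodium's MODERATE values" sentence from both comments and puts nothing in its place. For a password-hashing default the comment should say what the numbers mean, for example `* Defaults: 64 MiB memory (value is in KiB), 4 passes, 1 thread; no longer libsodium's MODERATE preset.` in both files. The change cuts the default memory cost to a quarter while adding one pass, so hashes created with the previous defaults will presumably be flagged by password_needs_rehash() and rewritten at the lower memory cost; that deserves a line in the %changelog or release notes. The php_password.h comment also still spells the library `libsoidum`.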
@@ -109,7 +108,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?lower:~%{lower}}%{?gh_date:.%{gh_date}} -Release: 12%{?dist} +Release: 13%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -146,7 +145,6 @@ Source53: 20-ffi.ini Patch1: php-7.4.0-httpd.patch Patch5: php-7.2.0-includedir.patch Patch6: php-7.4.0-embed.patch -Patch7: php-7.4.0-recode.patch Patch8: php-7.2.0-libdb.patch Patch9: php-7.0.7-curl.patch @@ -165,6 +163,7 @@ Patch47: php-5.6.3-phpinfo.patch Patch91: php-7.2.0-oci8conf.patch # Upstream fixes (100+) +Patch100: php-upstream.patch # Security fixes (200+) @@ -801,20 +800,6 @@ BuildRequires: aspell-devel >= 0.50.0 The %{?scl_prefix}php-pspell package contains a dynamic shared object that will add support for using the pspell library to PHP. -%if %{with_recode} -%package recode -Summary: A module for PHP applications for using the recode library -Group: System Environment/Libraries -# All files licensed under PHP version 3.01 -License: PHP -Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} -BuildRequires: recode-devel - -%description recode -The %{?scl_prefix}php-recode package contains a dynamic shared object that will add -support for using the recode library to PHP. -%endif - %package intl Summary: Internationalization extension for PHP applications Group: System Environment/Libraries @@ -825,7 +810,6 @@ BuildRequires: pkgconfig(icu-i18n) >= 50.1 BuildRequires: pkgconfig(icu-io) >= 50.1 BuildRequires: pkgconfig(icu-uc) >= 50.1 - %description intl The %{?scl_prefix}php-intl package contains a dynamic shared object that will add support for using the ICU library to PHP. 
@@ -915,10 +899,11 @@ in pure PHP. %setup -q -n php-%{upver}%{?rcver} %endif +rm -r ext/recode + %patch1 -p1 -b .mpmcheck %patch5 -p1 -b .includedir %patch6 -p1 -b .embed -%patch7 -p1 -b .recode %patch8 -p1 -b .libdb %if 0%{?rhel} %patch9 -p1 -b .curltls @@ -938,6 +923,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch91 -p1 -b .remi-oci8 # upstream patches +%patch100 -p1 -b .up # security patches @@ -1243,9 +1229,6 @@ build --libdir=%{_libdir}/php \ --enable-intl=shared \ %if %{with_enchant} --with-enchant=shared \ -%endif -%if %{with_recode} - --with-recode=shared,%{_root_prefix} \ %endif --enable-fileinfo=shared \ --with-ffi=shared \ @@ -1493,9 +1476,6 @@ for mod in pgsql odbc ldap snmp xmlrpc \ %if %{with_freetds} pdo_dblib \ %endif -%if %{with_recode} - recode \ -%endif %if %{with_zip} zip \ %endif @@ -1770,9 +1750,6 @@ fi %files pspell -f files.pspell %files intl -f files.intl %files process -f files.process -%if %{with_recode} -%files recode -f files.recode -%endif %if %{with_interbase} %files pdo-firebird -f files.pdo_firebird %endif @@ -1794,6 +1771,10 @@ fi %changelog +* Fri Jul 12 2019 Remi Collet - 7.4.0~alpha3-13 +- drop recode extension, moved to php-pecl-recode +- add upstream patch for argon2 password + * Tue Jul 9 2019 Remi Collet - 7.4.0~alpha3-12 - update to 7.4.0alpha3 - drop argon2 dependency using libsodium implementation -- cgit
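Review bot: The added `rm -r ext/recode` after `%setup` carries no comment saying why a bundled source directory is deleted before the patches are applied. A line such as `# recode is packaged separately as php-pecl-recode, drop the bundled copy` directly above it would keep the reason next to the command rather than only in the %changelog. Without `-f` the step should also fail the build once upstream stops shipping ext/recode; that looks intentional, but it is worth stating in the same comment.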