Merge pull request #521 from infosiftr/argon2

tianon · web-flow · commit 4d3ca8edc5b7 · 2017-11-15T09:36:53.000-08:00
Add Argon2 password hashing
diff --git a/7.2-rc/stretch/apache/Dockerfile b/7.2-rc/stretch/apache/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 		$PHPIZE_DEPS \
 		ca-certificates \
 		curl \
+		libargon2-0 \
 		libedit2 \
 		libsqlite3-0 \
 		libxml2 \
@@ -153,6 +154,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 	&& buildDeps=" \
 		$PHP_EXTRA_BUILD_DEPS \
+		libargon2-0-dev \
 		libcurl4-openssl-dev \
 		libedit-dev \
 		libsqlite3-dev \
@@ -186,6 +188,8 @@ RUN set -xe \
 		--enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 		--enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+		--with-password-argon2 \
 		\
 		--with-curl \
 		--with-libedit \
diff --git a/7.2-rc/stretch/cli/Dockerfile b/7.2-rc/stretch/cli/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 		$PHPIZE_DEPS \
 		ca-certificates \
 		curl \
+		libargon2-0 \
 		libedit2 \
 		libsqlite3-0 \
 		libxml2 \
@@ -94,6 +95,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 	&& buildDeps=" \
 		$PHP_EXTRA_BUILD_DEPS \
+		libargon2-0-dev \
 		libcurl4-openssl-dev \
 		libedit-dev \
 		libsqlite3-dev \
@@ -127,6 +129,8 @@ RUN set -xe \
 		--enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 		--enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+		--with-password-argon2 \
 		\
 		--with-curl \
 		--with-libedit \
diff --git a/7.2-rc/stretch/fpm/Dockerfile b/7.2-rc/stretch/fpm/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 		$PHPIZE_DEPS \
 		ca-certificates \
 		curl \
+		libargon2-0 \
 		libedit2 \
 		libsqlite3-0 \
 		libxml2 \
@@ -95,6 +96,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 	&& buildDeps=" \
 		$PHP_EXTRA_BUILD_DEPS \
+		libargon2-0-dev \
 		libcurl4-openssl-dev \
 		libedit-dev \
 		libsqlite3-dev \
@@ -128,6 +130,8 @@ RUN set -xe \
 		--enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 		--enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+		--with-password-argon2 \
 		\
 		--with-curl \
 		--with-libedit \
diff --git a/7.2-rc/stretch/zts/Dockerfile b/7.2-rc/stretch/zts/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 		$PHPIZE_DEPS \
 		ca-certificates \
 		curl \
+		libargon2-0 \
 		libedit2 \
 		libsqlite3-0 \
 		libxml2 \
@@ -95,6 +96,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 	&& buildDeps=" \
 		$PHP_EXTRA_BUILD_DEPS \
+		libargon2-0-dev \
 		libcurl4-openssl-dev \
 		libedit-dev \
 		libsqlite3-dev \
@@ -128,6 +130,8 @@ RUN set -xe \
 		--enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 		--enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+		--with-password-argon2 \
 		\
 		--with-curl \
 		--with-libedit \
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
@@ -16,6 +16,7 @@ RUN apt-get update && apt-get install -y \
 		$PHPIZE_DEPS \
 		ca-certificates \
 		curl \
+		libargon2-0 \
 		libedit2 \
 		libsqlite3-0 \
 		libxml2 \
@@ -88,6 +89,7 @@ COPY docker-php-source /usr/local/bin/
 RUN set -xe \
 	&& buildDeps=" \
 		$PHP_EXTRA_BUILD_DEPS \
+		libargon2-0-dev \
 		libcurl4-openssl-dev \
 		libedit-dev \
 		libsqlite3-dev \
@@ -121,6 +123,8 @@ RUN set -xe \
 		--enable-mbstring \
 # --enable-mysqlnd is included here because it's harder to compile after the fact than extensions are (since it's a plugin for several extensions, not an extension in itself)
 		--enable-mysqlnd \
+# https://wiki.php.net/rfc/argon2_password_hash (7.2+)
+		--with-password-argon2 \
 		\
 		--with-curl \
 		--with-libedit \
diff --git a/update.sh b/update.sh
@@ -52,6 +52,12 @@ travisEnv=
 for version in "${versions[@]}"; do
 	rcVersion="${version%-rc}"
 
+	# "7", "5", etc
+	majorVersion="${rcVersion%%.*}"
+	# "2", "1", "6", etc
+	minorVersion="${rcVersion#$majorVersion.}"
+	minorVersion="${minorVersion%%.*}"
+
 	# scrape the relevant API based on whether we're looking for pre-releases
 	apiUrl="https://secure.php.net/releases/index.php?json&max=100&version=${rcVersion%%.*}"
 	apiJqExpr='
@@ -150,6 +156,11 @@ for version in "${versions[@]}"; do
 			if [ "$alpineVer" = '3.4' ]; then
 				sed -ri 's!libressl!openssl!g' "$version/$suite/$variant/Dockerfile"
 			fi
+			if [ "$majorVersion" = '5' ] || [ "$majorVersion" = '7' -a "$minorVersion" -lt '2' ] || [ "$suite" = 'jessie' ]; then
+				# argon2 password hashing is only supported in 7.2+ and stretch+
+				sed -ri '/argon2/d' "$version/$suite/$variant/Dockerfile"
+				# Alpine 3.7+ _should_ include an "argon2-dev" package, but we should cross that bridge when we come to it
+			fi
 
 			# automatic `-slim` for stretch
 			# TODO always add slim once jessie is removed
