
I recently installed PHP 7.3.6 through Plesk's web GUI for a development copy of a web app, as I intend to update our production environment from PHP 7.0 to 7.3. I decided to take the opportunity to upgrade our password hashing from PBKDF2 to Argon2ID since the PHP core has it already included. I was surprised to get a warning stating that the PASSWORD_ARGON2ID constant is undefined, since I understand it was added in PHP 7.3.0.

I tried searching for any instance of this error and the only thing I found that was relevant was this undetailed post in a Laravel forum:

https://laracasts.com/discuss/channels/laravel/use-of-undefined-constant-password-argon2id-assumed-password-argon2id?page=1

The application is hosted on a shared VPS with MediaTemple. CentOS 7, using nginx as a reverse proxy over Apache. It is a subdomain for development running 7.3.6 alongside the main domain which is running the production version of the app, 7.0.33.

$this->password = password_hash('password123', PASSWORD_ARGON2ID, array('time_cost' => 10, 'memory_cost' => '2048k', 'threads' => 6));

I expected the PASSWORD_ARGON2ID constant to be defined but it was reported as undefined:

Use of undefined constant PASSWORD_ARGON2ID - assumed 'PASSWORD_ARGON2ID' (this will throw an Error in a future version of PHP)
Machavity
Matt Aikens
  • *This algorithm is only available if PHP has been compiled with Argon2 support.* - https://www.php.net/manual/en/function.password-hash.php – Dharman Jun 07 '19 at 15:49
  • Possible duplicate of [How do I use the Argon2 algorithm with password\_hash?](https://stackoverflow.com/questions/47602044/how-do-i-use-the-argon2-algorithm-with-password-hash) – miken32 Jun 07 '19 at 16:38

2 Answers


This algorithm is only available if PHP has been compiled with Argon2 support. - password_hash

If you want to use it whenever it is available, I would recommend checking with defined, or else falling back to a default algorithm.

if(defined('PASSWORD_ARGON2ID')) {
    $hash = password_hash('password123', PASSWORD_ARGON2ID, array('time_cost' => 10, 'memory_cost' => '2048k', 'threads' => 6));
} else {
    $hash = password_hash('password123', PASSWORD_DEFAULT, array('time_cost' => 10, 'memory_cost' => '2048k', 'threads' => 6));
}
Dharman
  • Thanks. I assumed Plesk would have compiled PHP with Argon2 support by the time they released 7.3 but I guess that's not the case. Anyone using Plesk to install / upgrade PHP will not have the option to use Argon2 unless they recompile PHP 7.2/7.3 with the option --with-password-argon2 – Matt Aikens Jun 07 '19 at 16:13
  • +1 well, this is a good solution if someone does not want to get stuck and waste time installing Argon2i. – Hafiz Siddiq Sep 14 '19 at 08:37
  • can confirm that you need at least PHP 7.3 to have Argon2 support – OzzyTheGiant Jun 23 '20 at 23:51
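
An added example, not part of the original answer or comments: the same defined() check, extended so each algorithm gets its own options (bcrypt takes only `cost`, not the Argon2 settings) and so existing hashes are upgraded at login once the PHP build gains Argon2 support. The function names and cost values are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original answer. Function names and cost
// values are illustrative assumptions; tune costs for your own hardware.

// Choose the strongest algorithm this PHP build offers, with options that
// belong to that algorithm.
function pick_algo(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        // memory_cost is an integer number of KiB. 'threads' is left at its
        // default because the libsodium-backed implementation does not support it.
        return [PASSWORD_ARGON2ID, ['memory_cost' => 65536, 'time_cost' => 4]];
    }
    // bcrypt ignores the Argon2 options; its only tunable is 'cost'.
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hash_password(string $password): string
{
    [$algo, $options] = pick_algo();
    return password_hash($password, $algo, $options);
}

// Verify a login and, if the stored hash was made with an older algorithm
// or weaker costs than pick_algo() now returns, hand a fresh hash to $save.
function verify_and_upgrade(string $password, string $stored, callable $save): bool
{
    if (!password_verify($password, $stored)) {
        return false;
    }
    [$algo, $options] = pick_algo();
    if (password_needs_rehash($stored, $algo, $options)) {
        $save(password_hash($password, $algo, $options));
    }
    return true;
}

// Constructed demo: a hash created earlier with bcrypt cost 10.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$save = function (string $newHash) use (&$stored) { $stored = $newHash; };

var_dump(verify_and_upgrade('wrong guess', $stored, $save));   // wrong password
var_dump(verify_and_upgrade('correct horse', $stored, $save)); // correct password, stored hash is below current costs
var_dump(password_get_info($stored)['algoName']);              // algorithm of the hash now stored
```

In an application, `$save` would write the new hash to the user's row; the plaintext is only available at login, which is why the upgrade happens there.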

I managed to get rid of the warning by installing the sodium module.

debian / ubuntu: sudo apt-get install php-sodium

centos/rhel: sudo yum install php-sodium

Rizky Arlin