Bug 919439 - dev-lang/php: Support using system libcrypt/libxcrypt for better hashes
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: PHP Bugs
Reported: 2023-12-08 09:02 UTC by Hanno Böck
Modified: 2023-12-08 13:50 UTC
Description Hanno Böck gentoo-dev 2023-12-08 09:02:37 UTC
Gentoo's PHP package is currently not using the system's libcrypt (at least with glibc systems) for the crypt() password hashing function.

libcrypt is provided by libxcrypt on modern systems. The trend appears to be to move to yescrypt for modern crypt-type hashes, which PHP's internal crypt function does not support. It would therefore be desirable to support using an external libcrypt aka libxcrypt.

The configure script has a switch --with-external-libcrypt which the current ebuild does not use. However, it still has a dependency on virtual/libcrypt.

It appears this dependency was added due to bug #908674 - which implies on musl-systems php automatically uses the system's libxcrypt. (I have no musl system at hand to test this.) On my glibc system I can say that php does not link against libcrypt.

I'm not sure if --with-external-libcrypt is stable enough to support unconditionally, or if it'd be better to have it behind a use flag. But it'd be good to support it in some way.
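
To confirm on a given install what the description above reports, here is a small PHP CLI probe, added as an example and not part of the original bug report or the Gentoo ebuild. It asks crypt() for a yescrypt hash and for two older schemes; the salts and password are constructed test values, and `probe_crypt` is a hypothetical helper name.

```php
<?php
// Added example: probe which crypt(3) schemes this PHP build's crypt() accepts.
// Requires PHP >= 8.0 (str_starts_with). All salts and the password are
// constructed test values, not real credentials.

const PROBES = [
    // scheme name => setting string passed as crypt()'s $salt argument
    'yescrypt'    => '$y$j9T$ABCDEFGHIJKLMNOPQRSTUVWX$', // needs system libcrypt (libxcrypt)
    'sha512crypt' => '$6$constructedsalt1$',
    'bcrypt'      => '$2y$10$ABCDEFGHIJKLMNOPQRSTUV',
];

// Hypothetical helper: true if crypt() produced a usable hash for this setting.
function probe_crypt(string $setting, string $password = 'constructed-test-password'): bool
{
    $hash = crypt($password, $setting);

    // On failure PHP's crypt() returns the token "*0" or "*1" instead of a hash.
    if ($hash === '*0' || $hash === '*1') {
        return false;
    }

    // A supported scheme echoes its own "$id$" prefix ...
    $prefix = substr($setting, 0, strpos($setting, '$', 1) + 1);
    if (!str_starts_with($hash, $prefix)) {
        return false;
    }

    // ... and verifies when the full hash is reused as the setting.
    return hash_equals($hash, crypt($password, $hash));
}

foreach (PROBES as $name => $setting) {
    printf("%-12s %s\n", $name, probe_crypt($setting) ? 'supported' : 'NOT supported');
}
```
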
Comment 1 Larry the Git Cow gentoo-dev 2023-12-08 13:48:28 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3dcbee1d366757fc869fa365717a7d31bae7c1

commit 3f3dcbee1d366757fc869fa365717a7d31bae7c1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-12-08 13:42:33 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-12-08 13:46:42 +0000

    dev-lang/php: always use the system libcrypt
    
    Unbundling things has inherent value, but this in particular should lead
    to better security. Thanks to hanno for noticing that it wasn't default!
    
    The removal of --enable-ipv6 is unrelated and should be a no-op since we
    append $(use_enable ipv6) to our econf args later on.
    
    Closes: https://bugs.gentoo.org/919439
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/{php-8.2.13.ebuild => php-8.2.13-r1.ebuild} | 2 +-
 dev-lang/php/{php-8.3.0.ebuild => php-8.3.0-r1.ebuild}   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 2 Michael Orlitzky gentoo-dev 2023-12-08 13:50:24 UTC
(In reply to Hanno Böck from comment #0)
> 
> I'm not sure if --with-external-libcrypt is stable enough to support
> unconditionally, or if it'd be better to have it behind a use flag.

Tests pass. YOLO.