This repository has been archived by the owner on Oct 6, 2021. It is now read-only.

Sodium Error in Set Up Your Administrator Account step #56

Closed
1 task
co60ca opened this issue Jun 30, 2016 · 6 comments

@co60ca
Contributor

co60ca commented Jun 30, 2016

  • Check this box if this is a security vulnerability.

Summary

From the Docker image in #55, if you use:

host: localhost
user: airship
password: secret
database: airship

for the Database setup screen, then use seemingly any username/password combination for the step in question, you will get a 500 error and the following message in error.log in Apache.

[Thu Jun 30 22:00:53.693308 2016] [:error] [pid 20] [client 192.168.2.146:35356] PHP Fatal error:  Uncaught Error: Undefined constant 'Sodium\\CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE' in /var/www/airship/vendor/paragonie/halite/src/KeyFactory.php:344\nStack trace:\n#0 /var/www/airship/vendor/paragonie/halite/src/Password.php(30): ParagonIE\\Halite\\KeyFactory::getSecurityLevels('interactive')\n#1 /var/www/airship/src/Installer/Install.php(235): ParagonIE\\Halite\\Password::hash('areallyfuckingl...', Object(ParagonIE\\Halite\\Symmetric\\EncryptionKey))\n#2 /var/www/airship/src/Installer/Install.php(115): Airship\\Installer\\Install->processAdminAccount(Array)\n#3 /var/www/airship/src/Installer/launch.php(171): Airship\\Installer\\Install->currentStep()\n#4 /var/www/airship/src/public/index.php(26): include('/var/www/airshi...')\n#5 {main}\n  thrown in /var/www/airship/vendor/paragonie/halite/src/KeyFactory.php on line 344, referer: http://appserv-ub03:8080/

Expected Outcome

Move onto the next setup screen

What Actually Happened

500 server error.

Also it appears the password is leaked here again 'areallyfuckingl...'

@paragonie-scott
Member

Yeah, the HiddenString thing isn't part of Halite. I'll probably add that in version 3.

Anyway, run this:

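<?php
// Load Composer's autoloader so the Halite class resolves (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

use \ParagonIE\Halite\Halite;

// TRUE enables verbose output:
Halite::isLibsodiumSetupCorrectly(true);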
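
The stack trace in the report shows the start of the password because PHP prints scalar arguments in traces, while an object argument appears only as Object(ClassName), as the EncryptionKey argument does in the same frame. The following is an added example, not part of the thread and not Halite's HiddenString; the RedactedString class and the hashRaw, hashWrapped and traceOf helpers are hypothetical names used to show the difference.

```php
<?php
// Added example: RedactedString is a hypothetical wrapper, not Halite or Airship code.
final class RedactedString
{
    private $value;

    public function __construct(string $value)
    {
        $this->value = $value;
    }

    // Explicit accessor: the only intended way to read the plaintext.
    public function reveal(): string
    {
        return $this->value;
    }

    // var_dump() and print_r() show this instead of the private property.
    public function __debugInfo()
    {
        return ['value' => '[redacted]'];
    }
}

// Stand-ins for a hashing call that throws, as Password::hash() did in the log above.
function hashRaw(string $password): string
{
    throw new RuntimeException('pwhash unavailable');
}

function hashWrapped(RedactedString $password): string
{
    throw new RuntimeException('pwhash unavailable');
}

// Returns the stack trace text produced when $call throws.
function traceOf(callable $call): string
{
    try {
        $call();
    } catch (RuntimeException $e) {
        return $e->getTraceAsString();
    }
    return '';
}

$secret = 'constructed-sample-passphrase'; // constructed sample value
echo traceOf(function () use ($secret) { hashRaw($secret); }), "\n";
echo traceOf(function () use ($secret) { hashWrapped(new RedactedString($secret)); }), "\n";
```

On PHP 7.4 and later, setting zend.exception_ignore_args=On removes arguments from traces altogether.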

@paragonie-scott
Member

paragonie-scott commented Jul 1, 2016

414c3b5 will kill the installer if you're using libsodium v1.0.8, which is what I believe libsodium-dev provides currently.

There's a reason the documentation explicitly compiles from source. :(

(Passing true to that static method causes it to print out why it's failing.)

@co60ca
Contributor Author

co60ca commented Jul 1, 2016

I'll give the setup a shot again with the previous instructions. I saw the error, and we should consider having a special "error" page like all the CMSs have.

UI consideration

@paragonie-scott
Member

Good idea! This will probably become a frequent problem until Debian/Ubuntu get their act together with security libraries.

@paragonie-scott
Member

e41b959

@paragonie-scott
Member

I believe this is okay to close. If I'm mistaken, feel free to correct me and I'll reopen it.
