Sodium Error in Set Up Your Administrator Account step #56

Closed
co60ca opened this Issue Jun 30, 2016 · 6 comments

Contributor

co60ca commented Jun 30, 2016

  • Check this box if this is a security vulnerability.

Summary

From the docker image in #55 if you use:

host: localhost
user: airship
password: secret
database: airship

for the Database setup screen, then use seemingly any username/password combination for the step in question, you will get a 500 error and the following message in error.log in Apache.

[Thu Jun 30 22:00:53.693308 2016] [:error] [pid 20] [client 192.168.2.146:35356] PHP Fatal error:  Uncaught Error: Undefined constant 'Sodium\\CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE' in /var/www/airship/vendor/paragonie/halite/src/KeyFactory.php:344\nStack trace:\n#0 /var/www/airship/vendor/paragonie/halite/src/Password.php(30): ParagonIE\\Halite\\KeyFactory::getSecurityLevels('interactive')\n#1 /var/www/airship/src/Installer/Install.php(235): ParagonIE\\Halite\\Password::hash('areallyfuckingl...', Object(ParagonIE\\Halite\\Symmetric\\EncryptionKey))\n#2 /var/www/airship/src/Installer/Install.php(115): Airship\\Installer\\Install->processAdminAccount(Array)\n#3 /var/www/airship/src/Installer/launch.php(171): Airship\\Installer\\Install->currentStep()\n#4 /var/www/airship/src/public/index.php(26): include('/var/www/airshi...')\n#5 {main}\n  thrown in /var/www/airship/vendor/paragonie/halite/src/KeyFactory.php on line 344, referer: http://appserv-ub03:8080/

Expected Outcome

Move onto the next setup screen

What Actually Happened

500 server error.

Also it appears the password is leaked here again 'areallyfuckingl...'
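
PHP prints string arguments in stack traces, cut to 15 characters, which is why the start of the password appears in the log above, while an object argument is rendered only as `Object(ClassName)`. The following is an added example, not Airship or Halite code, showing a wrapper that keeps a secret out of traces; the class `SecretString` and both functions are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical wrapper (not Halite's API): holds a secret so that stack
// traces and var_dump() show the object, never the string itself.
final class SecretString
{
    private $value;

    public function __construct(string $value)
    {
        $this->value = $value;
    }

    // Explicit accessor: the only way to get the plaintext back out.
    public function reveal(): string
    {
        return $this->value;
    }

    // var_dump()/print_r() use this instead of listing the properties.
    public function __debugInfo(): array
    {
        return ['value' => '*redacted*'];
    }
}

// Stand-ins for a hashing routine that fails part-way, as in the trace above.
function hashPlain(string $password): string
{
    throw new RuntimeException('pwhash unavailable');
}

function hashWrapped(SecretString $password): string
{
    throw new RuntimeException('pwhash unavailable');
}

$password = 'constructed-sample-password'; // constructed sample value
$calls = ['hashPlain' => $password, 'hashWrapped' => new SecretString($password)];

foreach ($calls as $fn => $arg) {
    try {
        $fn($arg);
    } catch (RuntimeException $e) {
        // With exception arguments enabled, the trace of the plain call
        // carries the start of the string; the wrapped call names the class.
        echo $fn, ': ', $e->getTraceAsString(), PHP_EOL;
    }
}
```

On PHP 7.4 and later, setting `zend.exception_ignore_args=On` drops arguments from traces entirely, and PHP 8.2 adds the `#[\SensitiveParameter]` attribute for the same purpose.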

paragonie-scott Jul 1, 2016

Member

Yeah, the HiddenString thing isn't part of Halite. I'll probably add that in version 3.

Anyway, run this:

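<?php
// Composer autoloader; path taken from the stack trace above, adjust to your install.
require_once '/var/www/airship/vendor/autoload.php';

use \ParagonIE\Halite\Halite;

// TRUE enables verbose output:
Halite::isLibsodiumSetupCorrectly(true);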

paragonie-scott Jul 1, 2016

Member

414c3b5 will kill the installer if you're using libsodium v1.0.8, which is what I believe libsodium-dev provides currently.

There's a reason the documentation explicitly compiles from source. :(

(Passing true to that static method causes it to print out why it's failing.)

@paragonie-scott paragonie-scott added this to the Version 1.1.0 milestone Jul 1, 2016
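
An installer can detect this condition before any password is hashed and report it in plain language instead of dying with "Undefined constant". The following is an added example, not Airship's own code or the content of the commit mentioned above; it assumes the libsodium-php extension that exposes the `Sodium\` namespace seen in the error message, and the function name `sodiumPreflight` is hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical installer preflight: returns a list of human-readable
 * problems with the libsodium setup (empty list means OK).
 *
 * @param string[] $requiredConstants Constant names inside the Sodium\ namespace
 * @param string   $knownTooOld       Newest libsodium version known not to work
 */
function sodiumPreflight(array $requiredConstants, string $knownTooOld): array
{
    if (!\function_exists('Sodium\\version_string')) {
        return ['The libsodium PHP extension (Sodium\\ namespace) is not loaded.'];
    }

    $problems = [];
    $version = \Sodium\version_string();
    if (\version_compare($version, $knownTooOld, '<=')) {
        $problems[] = "libsodium {$version} is too old ({$knownTooOld} and older do not work).";
    }
    foreach ($requiredConstants as $name) {
        // defined() accepts namespaced constant names without a leading slash.
        if (!\defined('Sodium\\' . $name)) {
            $problems[] = "Missing constant Sodium\\{$name}.";
        }
    }
    return $problems;
}

// The constant and the version below are the ones named in this issue.
$problems = sodiumPreflight(['CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE'], '1.0.8');

if ($problems !== []) {
    // Stop before any secret is handled, with a readable message and no trace.
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Cannot continue installation:\n - ", implode("\n - ", $problems), "\n";
    exit(1);
}
```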

co60ca Jul 1, 2016

Contributor

I'll give the setup a shot again with the previous instructions. I saw the error, and we should consider having a special "error" page like all the CMS's have.

UI consideration

paragonie-scott Jul 1, 2016

Member

Good idea! This will probably become a frequent problem until Debian/Ubuntu get their act together with security libraries.

paragonie-scott Jul 1, 2016

Member

I believe this is okay to close. If I'm mistaken, feel free to correct me and I'll reopen it.
