Argument 1 must be at least CRYPTO_SIGN_BYTES long #127

Closed
akjeldsen opened this issue Mar 15, 2021 · 5 comments
@akjeldsen

```
SodiumException
Argument 1 must be at least CRYPTO_SIGN_BYTES long.
/var/www/html/limesurvey/application/third_party/sodium_compat/src/Compat.php(2069)
```

PHP version: 7.4.15
We get this error when using Limesurvey with new PHP 7.4.15. Any ideas what we could be missing here?

@pathros

pathros commented Jun 4, 2021

I am using latest version of Limesurvey 5.0.1.

I created a new survey, which I want it to be anonymous but with a list of participants. I have created tokens and sent them to the participants. However, when they click on the invitation link, they get the following error:

Server error 500: Argument 1 must be at least CRYPTO_SIGN_BYTES long.

Taking a look into the source code, right at the "compat.php" file we have (line 2878):

```php
const CRYPTO_SIGN_BYTES = 64;

//....

/* Input validation: */
if (ParagonIE_Sodium_Core_Util::strlen($signedMessage) < self::CRYPTO_SIGN_BYTES)
{
   throw new SodiumException('Argument 1 must be at least CRYPTO_SIGN_BYTES long.');
}
```

In Limesurvey, if I attempt to set a 64 token long, it changes it to 15.
So, I don't get it. What should be longer than 64?

What does that mean??? How can I fix it??? Can anybody shed some light?

I have tried the same thing in Limesurvey version 3 LTS, and everything works flawlessly. However, I want to use the version 5, since it has the ability to encrypt the email addresses.

@paragonie-security
Contributor

> What does that mean??? How can I fix it??? Can anybody shed some light?

It sounds like Limesurvey has a bug in their code that uses sodium_compat rather than a sodium_compat bug.

https://github.com/LimeSurvey/LimeSurvey/blob/1a013ec45e0336650560d078a3038b05c7bb4135/application/core/LSSodium.php#L88-L128

Weirdly, their function claims to be "encryption" but isn't.

We recommend talking to the Limesurvey developers. Paragon Initiative Enterprises does not develop or support Limesurvey.

@olleharstedt

> Weirdly, their function claims to be "encryption" but isn't.

Hi! I'm a developer for LimeSurvey. Do you have time to elaborate on this comment?

@paragonie-security
Contributor

I'm not sure what's unclear.

The docblock says:

> Encrypt input data using AES256 CBC encryption

The function's name is encrypt()

It uses crypto_sign, which is a digital signature, not encryption.

Read this blog post for a deeper understanding of the concepts: https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded
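
The distinction made in the comment above, as an added example that is not part of the original thread and is not LimeSurvey or sodium_compat code: `crypto_sign` leaves the message readable and only opens input that carries a 64-byte signature, while `crypto_secretbox` actually encrypts. The sample values and the `openSigned()` helper are constructed for illustration.

```php
<?php
// Added example; needs ext-sodium (PHP 7.2+) or the sodium_compat polyfill.
declare(strict_types=1);

/** Verify a signed message; null on failure, however the backend reports it. */
function openSigned(string $input, string $publicKey): ?string
{
    try {
        $message = sodium_crypto_sign_open($input, $publicKey);
    } catch (SodiumException $e) {
        // sodium_compat throws for input shorter than CRYPTO_SIGN_BYTES (this issue).
        return null;
    }
    return $message === false ? null : $message;
}

$secret = 'participant@example.com'; // constructed sample value

// 1. crypto_sign: output is a 64-byte signature followed by the message itself.
$keypair   = sodium_crypto_sign_keypair();
$signed    = sodium_crypto_sign($secret, sodium_crypto_sign_secretkey($keypair));
$publicKey = sodium_crypto_sign_publickey($keypair);

printf("signed length: %d (signature %d + message %d)\n",
    strlen($signed), SODIUM_CRYPTO_SIGN_BYTES, strlen($secret));
printf("message readable without any key: %s\n",
    var_export(substr($signed, SODIUM_CRYPTO_SIGN_BYTES) === $secret, true));
printf("valid signed message opens: %s\n",
    var_export(openSigned($signed, $publicKey) === $secret, true));

// 2. A value that was never signed (constructed, 15 bytes) cannot be opened.
printf("15-byte input opens: %s\n",
    var_export(openSigned('abcdefghijklmno', $publicKey) !== null, true));

// 3. crypto_secretbox: authenticated encryption, the plaintext is hidden.
$key    = sodium_crypto_secretbox_keygen();
$nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$cipher = sodium_crypto_secretbox($secret, $nonce, $key);

printf("plaintext visible in ciphertext: %s\n",
    var_export(strpos($cipher, $secret) !== false, true));
printf("decrypts with the key: %s\n",
    var_export(sodium_crypto_secretbox_open($cipher, $nonce, $key) === $secret, true));
```

For stored data, the nonce has to be kept alongside the ciphertext (it is not secret) and must never be reused with the same key.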

@olleharstedt

Thanks
