sodium_memzero()/sodium_increment() polyfills behave incorrectly when libsodium-php 1.x is available #73
Comments
Pass the value by reference to \Sodium\memzero() and ensure the value seems to have been wiped to not silent an issue. Related to paragonie#73.
|
Thanks for the excellent report and the fix. I'm going to be tagging/releasing a new version tonight. 👍 |
|
Hi, Thanks for your work! I still think there is an issue with I did not took the time to do further investigations yet, either I miss something related to my environment or there is something subtle at play here. |
|
Hi, So it seems there is really an issue not related to my environnement, the following crappy Dockerfile can be used to reproduce: FROM php:5.6.37
RUN apt-get -y update \
&& apt-get -y install libsodium-dev \
&& pecl install libsodium-1.0.7 \
&& docker-php-ext-enable libsodium
WORKDIR /root/sodium_compat
RUN apt-get -y install unzip \
&& php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
&& php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" \
&& php composer-setup.php \
&& php -r "unlink('composer-setup.php');" \
&& php composer.phar require paragonie/sodium_compat:1.6.4 \
&& { \
echo '<?php'; \
echo 'require_once __DIR__ . "/vendor/autoload.php";'; \
echo '$str = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
echo 'sodium_increment($str);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
} > compat_increment.php \
&& { \
echo '<?php'; \
echo 'require_once __DIR__ . "/vendor/autoload.php";'; \
echo '$str = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
echo 'Sodium\increment($str);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
} > increment.php \
&& { \
echo '#!/bin/sh'; \
echo 'set -ex'; \
echo 'php ./compat_increment.php'; \
echo 'php -n ./compat_increment.php'; \
echo 'php ./increment.php'; \
} > run.sh \
&& chmod +x run.sh
CMD /root/sodium_compat/run.shThe first script executed uses So it seems there is an issue with sodium_compat but I'm not sure to understand why you have done in bbb7fac does not work. |
sodium_memzero()andsodium_increment()both work with the reference of their parameter, when using libsodium-php 1.x the parameter is not passed as reference. This is due to the usage ofcall_user_func()to call the "real" functions of php-libsodium from the polyfill.For
sodium_memzero()that means the content of the string is not wiped and no error, warning or exception is thrown.For
sodium_increment()that means the value is not incremented.I initially thought that
sodium_increment()was generating a fatal error instead of silently doing nothing but my initial test case was too simple and was hitting this error of libsodium: https://github.com/jedisct1/libsodium-php/blob/1.0.7/libsodium.c#L480Both cases have been reproduced with the following environment:
Linux
PHP 5.6.37
libsodium-php 1.0.7
sodium_compat 1.6.3
The text was updated successfully, but these errors were encountered: