-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sodium_memzero()/sodium_increment() polyfills behave incorrectly when libsodium-php 1.x is available #73
Comments
Pass the value by reference to \Sodium\memzero() and ensure the value seems to have been wiped to not silent an issue. Related to paragonie#73.
Thanks for the excellent report and the fix. I'm going to be tagging/releasing a new version tonight. 👍 |
Hi, Thanks for your work! I still think there is an issue with I did not took the time to do further investigations yet, either I miss something related to my environment or there is something subtle at play here. |
Hi, So it seems there is really an issue not related to my environnement, the following crappy Dockerfile can be used to reproduce: FROM php:5.6.37
RUN apt-get -y update \
&& apt-get -y install libsodium-dev \
&& pecl install libsodium-1.0.7 \
&& docker-php-ext-enable libsodium
WORKDIR /root/sodium_compat
RUN apt-get -y install unzip \
&& php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
&& php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" \
&& php composer-setup.php \
&& php -r "unlink('composer-setup.php');" \
&& php composer.phar require paragonie/sodium_compat:1.6.4 \
&& { \
echo '<?php'; \
echo 'require_once __DIR__ . "/vendor/autoload.php";'; \
echo '$str = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
echo 'sodium_increment($str);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
} > compat_increment.php \
&& { \
echo '<?php'; \
echo 'require_once __DIR__ . "/vendor/autoload.php";'; \
echo '$str = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
echo 'Sodium\increment($str);'; \
echo 'var_dump(sodium_bin2hex($str));'; \
} > increment.php \
&& { \
echo '#!/bin/sh'; \
echo 'set -ex'; \
echo 'php ./compat_increment.php'; \
echo 'php -n ./compat_increment.php'; \
echo 'php ./increment.php'; \
} > run.sh \
&& chmod +x run.sh
CMD /root/sodium_compat/run.sh
The first script executed uses So it seems there is an issue with sodium_compat but I'm not sure to understand why you have done in bbb7fac does not work. |
sodium_memzero()
andsodium_increment()
both work with the reference of their parameter, when using libsodium-php 1.x the parameter is not passed as reference. This is due to the usage ofcall_user_func()
to call the "real" functions of php-libsodium from the polyfill.For
sodium_memzero()
that means the content of the string is not wiped and no error, warning or exception is thrown.For
sodium_increment()
that means the value is not incremented.I initially thought that
sodium_increment()
was generating a fatal error instead of silently doing nothing but my initial test case was too simple and was hitting this error of libsodium: https://github.com/jedisct1/libsodium-php/blob/1.0.7/libsodium.c#L480Both cases have been reproduced with the following environment:
Linux
PHP 5.6.37
libsodium-php 1.0.7
sodium_compat 1.6.3
The text was updated successfully, but these errors were encountered: