[#16917] - [3.8] Add SodiumCipher to support libsodium (no polyfill option)
- Closed
- 26 Jul 2017
- Medium
- Build: 3.8-dev
- # 16917
- Diff
- mbabker:sodium-crypt-no-polyfill
- Success hound No violations found. Woof! Details
- Success continuous-integration/drone/pr the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
- Pending continuous-integration/jenkins/pr-merge This commit is being built Details
User tests: Successful: Unsuccessful:
Summary of Changes
This is an alternative to #16754 without support for the polyfill library.
PHP 7.2 will be removing ext/mcrypt from the core distribution and ext/sodium will be added to core as a new encryption library. As the JCryptCipher classes are primarily built around mcrypt (and inherently what is present in PHP core), we should add support for the new library as well.
ext/sodium isn't restricted to PHP 7.2 installations only. There is also a PECL extension providing support for PHP 5.4 through 7.1 and the sodium_compat polyfill providing support down to PHP 5.2.4. The polyfill is not included with this pull request due to concerns expressed with using security related code that had not received a proper audit.
Testing Instructions
The unit test coverage for the class best demonstrates its use:
$cipher = new \Joomla\CMS\Crypt\Cipher\SodiumCipher;
$key = $cipher->generateKey();
$data = 'My encrypted data.';
if (version_compare(PHP_VERSION, '7.2', '>='))
{
$cipher->setNonce(sodium_randombytes_buf(SODIUM_CRYPTO_BOX_NONCEBYTES));
}
else
{
$cipher->setNonce(\Sodium\randombytes_buf(\Sodium\CRYPTO_BOX_NONCEBYTES));
}
$encrypted = $cipher->encrypt($data, $key);
$decrypted = $cipher->decrypt($encrypted, $key);
if ($decrypted !== $data)
{
throw new RuntimeException('The data was not decrypted correctly.');
}One thing to note here. Unlike our other ciphers, a nonce must be set and used for both the encryption and decryption of data, and must be the same value on both ends of the process. Otherwise, this is no different than the existing API.
Documentation Changes Required
Document the added class and its use. Note that use is restricted to PHP 5.4+ and requires the libsodium extension (either from PECL on PHP 5.4 through 7.1 or core PHP on 7.2).
//cc @joomla/security
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Libraries Unit Tests |
| Category | External Library Libraries Unit Tests | ⇒ | External Library Composer Change Libraries Unit Tests |
| Labels |
Added:
?
|
||
I think this can be closed based on the feedback in the other PR?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16917.
Indeed it can be
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-07-26 08:57:35 |
| Closed_By | ⇒ | wilsonge |
Makes sense from our side, +1 from the JSST