Skip to content

Split sodium_compat lib to distinguish Util from Polyfill #111

Closed
Closed
Split sodium_compat lib to distinguish Util from Polyfill#111
Labels
enhancementon-roadmapThis is on the PASETO roadmap!
@Slamdunk

Description

@Slamdunk
Slamdunk
opened on Apr 19, 2020

Hi, I've started using this library, and I want only the most modern technologies to be used.
So first I've read the doc, that says in 01-Protocol-Versions:

Version 1 is recommended only for legacy systems that cannot use modern cryptography.

Nice, I got directly into Version2 so.

After that, I've checked what I can strip out to double-check no old technology is used.

Looking into the composer.json I've found two external dependencies:

  1. phpseclib/phpseclib: only used in V1 and I use V2, so no need for this

    paseto/src/Protocol/Version1.php

    Line 31 in fa662c6

    use phpseclib\Crypt\RSA;
  2. paragonie/sodium_compat: "PHP polyfill for the Sodium cryptography library (libsodium)", but I have libsodium, so no need for this neither

So I've added both dependencies to my composer.json in the replace topic:

    "replace": {
        "paragonie/sodium_compat": "*",
        "phpseclib/phpseclib": "*"
    },

This is a hardcore way to NOT install dependencies I don't want.

I'd expect everything to still work as expected, but when I try to sign a token I get:


  [Error] Class 'ParagonIE_Sodium_Core_Util' not found

#1  /var/www/html/vendor/paragonie/paseto/src/Util.php:120
#2  /var/www/html/vendor/paragonie/paseto/src/Protocol/Version2.php:190
#3  /var/www/html/vendor/paragonie/paseto/src/Builder.php:457

It appears that there are many hard-coded references to the polyfill library:

$ rg ParagonIE_Sodium_ vendor/paragonie/
vendor/paragonie/paseto/src/Util.php
120:        $accumulator = \ParagonIE_Sodium_Core_Util::store64_le(\count($pieces) & PHP_INT_MAX);
123:            $accumulator .= \ParagonIE_Sodium_Core_Util::store64_le($len & PHP_INT_MAX);

vendor/paragonie/paseto/src/Protocol/Version2.php
282:                \ParagonIE_Sodium_Compat::CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES
288:            \ParagonIE_Sodium_Compat::CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES
290:        $ciphertext = \ParagonIE_Sodium_Compat::crypto_aead_xchacha20poly1305_ietf_encrypt(
336:            \ParagonIE_Sodium_Compat::CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES
340:            \ParagonIE_Sodium_Compat::CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES,
341:            $len - \ParagonIE_Sodium_Compat::CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES
343:        return \ParagonIE_Sodium_Compat::crypto_aead_xchacha20poly1305_ietf_decrypt(

I may appear paranoid, but I'd prefer to rely on an extension much more than a library.

So, what I'm asking here (maybe wrong place, but this all started here):

  1. May we have a separate package for ParagonIE_Sodium_Core_Util which, except for ParagonIE_Sodium_Compat::$fastMult, isn't strictly related to libsodium?
  2. May we use libsodium constants/functions in this library, and update paragonie/sodium_compat to be a proper polyfill, which in theory should not autoload anything where libsodium is present? Solved by Refer to libsodium constants and functions #112

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementon-roadmapThis is on the PASETO roadmap!

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions