2

I'm using Libsodium-PHP, and I'm seeing that the ParagonIE_Sodium_Compat::crypto_pwhash function produces different results (with the same arguments) when called from the command line versus when called from within the app running on PHP-FPM.

This tutorial says:

Just make sure you install your OS's equivalent of the php7.2-sodium package when you're installing PHP, and all these steps should be taken care of for you.

phpinfo(); shows:

sodium support  enabled
sodium compiled version 2.0.12
libsodium headers version   1.0.11
libsodium library version   1.0.11

But for CLI, it shows:

sodium support => enabled
libsodium headers version => 1.0.16
libsodium library version => 1.0.16

My assumption is that the differing Libsodium versions could be what is causing the crypto_pwhash function to produce different results.

So how can I upgrade the Libsodium extension from 1.0.11 to 1.0.16?

P.S. I know that the CLI version of crypto_pwhash is producing the output that I want because it matches the output of Libsodium-js (demo fiddle here).

Ryan
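To see what actually differs between the two SAPIs, here is an added diagnostic script (not code from the question or the answer): it prints the libsodium version the loaded extension reports and two crypto_pwhash outputs computed from fixed inputs, using the native sodium_crypto_pwhash() that the sodium_compat wrapper named in the question delegates to. It assumes you can run it both with the php binary and through a web request served by PHP-FPM; the password, salt and cost values are constructed test data.

```php
<?php
// Added diagnostic, not code from the question or the answer. Run it once from
// the CLI (php sodium_check.php) and once through PHP-FPM (place it in the web
// root and request it), then compare the two outputs line by line.

function sodium_report(): array
{
    $report = [
        'sapi'            => PHP_SAPI,
        'ext_loaded'      => extension_loaded('sodium'),
        'library_version' => defined('SODIUM_LIBRARY_VERSION') ? SODIUM_LIBRARY_VERSION : 'n/a',
        'has_argon2id'    => defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13'),
    ];
    if (!$report['ext_loaded']) {
        return $report; // nothing else to compare on this SAPI
    }

    // Constructed test inputs: a fixed 16-byte salt and a throwaway password.
    $salt     = str_repeat("\x01", SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $password = 'constructed-test-password';
    // Cost parameters pinned as plain numbers, not via the *_INTERACTIVE
    // constants: those follow the library's default algorithm and therefore
    // differ between libsodium releases. 4 passes / 32 MiB is valid for both
    // Argon2i and Argon2id.
    $ops = 4;
    $mem = 32 * 1024 * 1024;

    // 1) Library default algorithm, as used when no $alg is passed. libsodium
    //    switched the default from Argon2i to Argon2id in 1.0.15, so this line
    //    is expected to differ between a 1.0.11 build and a 1.0.16 build.
    $report['pwhash_default_alg'] = sodium_bin2hex(
        sodium_crypto_pwhash(32, $password, $salt, $ops, $mem)
    );
    // 2) Algorithm pinned to Argon2i, which both builds support. If this line
    //    matches across SAPIs while (1) differs, only the default changed; if
    //    this one differs too, the two SAPIs really load different code.
    $report['pwhash_argon2i13'] = sodium_bin2hex(
        sodium_crypto_pwhash(32, $password, $salt, $ops, $mem, SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13)
    );
    return $report;
}

header('Content-Type: text/plain'); // ignored on the CLI, keeps FPM output readable
foreach (sodium_report() as $key => $value) {
    printf("%-20s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

Two builds that agree on the pinned Argon2i line but disagree on the default line are running different libsodium versions with different defaults, which is the situation the phpinfo() output above suggests.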

1 Answer

2

libsodium and libsodium-php are not the same thing.

In order to upgrade that, you would have to build libsodium-php from source and link it against the libsodium headers & library at version 1.0.16, while the maintainer of php7.2-sodium apparently linked it against 1.0.11. Possibly even /etc/php.d and /etc/php-cli.d might reference different modules.


If libsodium-php had been installed with a package manager or pecl, better first uninstall that; then you could attempt to build libsodium-php from source (yum install php-devel re2c first):

# ... (the download and build of libsodium-1.0.16 are omitted in the original)
cd libsodium-1.0.16
# install the freshly built shared library (soname libsodium.so.23)
sudo cp ./src/libsodium/.libs/libsodium.so.23 /usr/lib64/libsodium.so.23
sudo cp ./src/libsodium/.libs/libsodium.so.23.1.0 /usr/lib64/libsodium.so.23.1.0

cd ..
git clone https://github.com/jedisct1/libsodium-php.git
cd libsodium-php
phpize
./configure --help
./configure
make
# sudo make install

# install the extension into the non-ZTS module directory
sudo cp ./modules/sodium.so /usr/lib64/php/modules/sodium.so
# sudo cp ./modules/sodium.so /usr/lib64/php-zts/modules/sodium.so

# note: "sudo echo ... > file" would fail, because the redirection runs as the
# unprivileged user; write the .ini through tee instead
echo "extension=sodium.so" | sudo tee /etc/php-cli.d/sodium.ini
sudo cp /etc/php-cli.d/sodium.ini /etc/php.d/sodium.ini
# sudo cp /etc/php-cli.d/sodium.ini /etc/php-zts.d/sodium.ini
sudo systemctl restart httpd.service
# when the app is served by PHP-FPM, restart php-fpm.service as well

php -r "phpinfo();" | grep sodium
/etc/php-cli.d/sodium.ini,
sodium support => enabled
sodium compiled version => 2.0.12
libsodium headers version => 1.0.16
libsodium library version => 1.0.16

After manually installing it for CLI & SAPI, I found the docs for pecl-libsodium, which tell the same:

If you get different numbers, you won't have access to some of the features that should be in libsodium 1.0.14. If you need them, you'll need to go through the ritual of compiling from source instead (shown above).

Still could not get it working for ZTS (thread-safe); those paths should be fpm (non thread-safe) on your system (and one can link it against the default PHP headers; no patching should be required). Nevertheless, both php-cli and php-fpm need to be considered when adding modules and .ini files.

Martin Zeitler
  • one could even workaround with `shell_exec()` running `php` in the CLI, instead of the SAPI. – Martin Zeitler Sep 25 '18 at 01:48
  • Thanks, but I don't understand a few things. How does my one machine have both 1.0.11 and 1.0.16 (one for FPM and one for CLI)? How did I get 1.0.16 at all, given that I never compiled anything? And what exactly are you saying I should do to upgrade the FPM one? – Ryan Sep 25 '18 at 14:07
  • @Ryan https://stackoverflow.com/questions/1993390/static-linking-vs-dynamic-linking ...might explain the reason; if both are statically linked, this is entirely possible. building from source and linking against the latest headers/library should result in two equal versions. why exactly the CLI and SAPI display different numbers is hard to tell, unless inspecting all php.ini files. – Martin Zeitler Sep 25 '18 at 14:16
  • It seems that regular Libsodium is coded in C rather than PHP, and its latest version is 1.0.16 (https://github.com/jedisct1/libsodium/releases). And my CLI somehow uses that, even though I don't understand how PHP and C work together. My PHP-FPM, on the other hand, seems to point to Libsodium-php (and uses the most recent version of it, 2.0.12 https://github.com/jedisct1/libsodium-php/releases) and also seems somehow connect to a stale 1.0.11 version of regular Libsodium. How can I uninstall Libsodium-php from my PHP-FPM & then hook it up to the 1.0.16 version of Libsodium instead of 1.0.11? – Ryan Sep 25 '18 at 14:17
  • @Ryan these modules are never coded in PHP. while I've added the script to build from source; along with further documentation. to uninstall, this depends how it had been installed. you could just do a `locate sodium.so` and then `rm` ... if not PHP had already been compiled with it; which one can see in `phpinfo()`, under "Configure Command"... `pecl uninstall libsodium && pecl install libsodium` might be yet another approach. – Martin Zeitler Sep 25 '18 at 16:21
  • Thanks, I'll try this! – Ryan Sep 25 '18 at 17:06