trianglman / sqrl

PHP Server side implementation of a SQRL generator/listener
MIT License
98 stars 18 forks

libsodium requires shell access to server #1

Open geir54 opened 11 years ago

geir54 commented 11 years ago

Installing libsodium requires shell access to the server. This will severely limit projects that can use the library. A more interesting solution would be to implement ECC25519 in pure PHP.

trianglman commented 11 years ago

Yes it is. Also, if you're following the discussion on grc.com, I found that the php-sodium library doesn't include the verify signature functions, just encrypt and decrypt.

I am working on porting the Python ED25519 implementation into PHP, but running into a couple of snags (PHP has a few tricks you need to do to perform math with 256-bit integers). I should have an, admittedly slow, implementation up in the next couple of days once I get some tests to pass.

I'll push up what I have so far tonight if you'd like to fork it and take a look yourself.

geir54 commented 11 years ago

Oh nice, started doing that myself 2 min ago (stopping now) :) Btw I have a Java port that I'm working on for the Android client https://github.com/geir54/ed25519-java. See if you find it useful.

Please push your code and I'll help if I get time :)

timnolte commented 9 years ago

@trianglman is the project still dependent on the libsodium extension? I've been hesitant to put serious effort into the WordPress plugin in the fear that there would be too many cases where the plugin couldn't be used due to this library dependency.

trianglman commented 9 years ago

Libsodium is no longer the only option. My EllipticCurveSignature PECL package https://github.com/trianglman/ellipticCurveSignature can also be used, which only has a soft dependency on OpenSSL (it's not necessary, but does improve performance); however, you do still need to get a PECL package installed. Some shared host environments do allow local installation of PECL packages (StackOverflow has good information on how to do that here http://stackoverflow.com/questions/10907679/install-with-pecl-to-local-dir-on-shared-hosting). The PHP-only ED25519 code is a third option, but the processing time it takes to do each authentication is really a bit too much to be worthwhile in any production environment.

Depending on the server environment, it may also be possible to include the Python library and call it from a PHP script. I haven't worked on a validator interface to do this, but it should be fairly simple. (https://github.com/trianglman/sqrl/blob/master/src/Trianglman/Sqrl/EcEd25519NonceValidator.php is an example that uses EllipticCurveSignature)

timnolte commented 5 years ago

So I just saw some talk that as of PHP 7.2 libsodium may in fact be included. Also, given that WordPress plugins can call out the minimum PHP version, and of course you can do a check and prevent plugin activation if the PHP version isn't met, then I might actually be able to move in the WordPress plugin for SQRL.

trianglman commented 5 years ago

Libsodium is included in PHP 7.2, but it does have to be compiled in (or included as a separate yum/apt/etc. package). I strongly recommend using PHP 7.2+, and when I started rebuilding the code almost a year ago I updated SodiumNonceValidator.php and moved all of the tests to use the new sodium functionality. I had also updated the Composer file to require at least PHP 7.2.

The other ED25519 options are still in the code base in case an older version of PHP needs to be supported, but since 5.6 is past EOL, I don't expect I'll update those any time soon.
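An added example, not part of the thread and not the project's SodiumNonceValidator.php: because PHP 7.2+ can still be built or packaged without sodium, a caller can test for the extension at runtime and fail closed before verifying an Ed25519 detached signature. The function name `verifyEd25519Detached` and the sample message are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of trianglman/sqrl): verify a detached
 * Ed25519 signature with the sodium extension bundled since PHP 7.2.
 * Fails closed: a missing extension is an error and malformed input is
 * a rejection, never a silent "valid".
 */
function verifyEd25519Detached(string $message, string $signature, string $publicKey): bool
{
    // A PHP version check alone is not enough: sodium may be left out of
    // the build or shipped as a separate package, so test for it directly.
    if (!extension_loaded('sodium')) {
        throw new RuntimeException('sodium extension is not loaded');
    }
    // Reject wrong-length inputs here rather than passing them to sodium.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $message, $publicKey);
}

if (extension_loaded('sodium')) {
    // Constructed sample data: a throwaway key pair and a made-up message.
    $keyPair   = sodium_crypto_sign_keypair();
    $secretKey = sodium_crypto_sign_secretkey($keyPair);
    $publicKey = sodium_crypto_sign_publickey($keyPair);
    $message   = 'constructed-sample-message';
    $signature = sodium_crypto_sign_detached($message, $secretKey);

    // Case 1: untouched message and signature.
    var_dump(verifyEd25519Detached($message, $signature, $publicKey));
    // Case 2: message altered after signing.
    var_dump(verifyEd25519Detached($message . 'x', $signature, $publicKey));
    // Case 3: signature truncated by one byte.
    var_dump(verifyEd25519Detached($message, substr($signature, 1), $publicKey));
} else {
    // Without sodium there is nothing to verify with; do not fall through.
    fwrite(STDERR, "sodium extension missing; refusing to verify signatures\n");
}
```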

rwese commented 5 years ago

@geir54 if you don't mind closing this issue? As said, PHP 5 is EOL and building support for it is a futile effort.