1990844 – RFE: Please enable libsodium support in php

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1990844 - RFE: Please enable libsodium support in php

Summary: RFE: Please enable libsodium support in php

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	php
Sub Component:
Version:	CentOS Stream
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Remi Collet
QA Contact:	rhel-cs-infra-services-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-08-06 12:15 UTC by Neal Gompa
Modified:	2021-08-10 15:27 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-08-10 14:24:14 UTC
Type:	Feature Request
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-92656	0	None	None	None	2021-08-06 12:16:03 UTC
Red Hat Issue Tracker	RHELPLAN-92657	0	None	None	None	2021-08-06 12:16:06 UTC

Description Neal Gompa 2021-08-06 12:15:28 UTC

Description of problem:
The PHP stack has libsodium support disabled, which severely cripples or breaks the ability for PHP web applications to do secure password hashing, among other things.

For example, Symfony-based web applications based on Symfony 3.4 can and will use argon2i algorithms[1], and Symfony-based web applications based on Symfony 4.3 can and will use sodium for this[2]. This is required for Symfony's secrets management system[3], too.

Please reconsider and enable the sodium extension in PHP.

[1]: https://symfony.com/blog/new-in-symfony-3-4-argon2i-password-hasher
[2]: https://symfony.com/blog/new-in-symfony-4-3-sodium-password-encoder
[3]: https://symfony.com/doc/current/configuration/secrets.html

Version-Release number of selected component (if applicable):
8.0.6-6.el9

Comment 2 Josh Boyer 2021-08-06 12:27:42 UTC

libsodium is not part of the CentOS Stream/RHEL content set and has known issues for certification compliance.  It is also identified as an unwanted package in the ELN content resolver:

https://github.com/minimization/content-resolver-input/blob/master/configs/sst_security_crypto-unwanted.yaml

We will not be adding it at this time and therefore PHP cannot enable support for it.

Comment 3 Neal Gompa 2021-08-06 13:06:04 UTC

(In reply to Josh Boyer from comment #2)
> libsodium is not part of the CentOS Stream/RHEL content set and has known
> issues for certification compliance.

The problem with this is that ever since the sodium extension was bundled into PHP with PHP 7.2[1], applications have been increasingly adopting it. And even in the RFC, the PHP community has taken the stance (for better or worse) that OpenSSL does not provide adequate security.

What am I supposed to do when a bundled extension that is now only part of the core and is increasingly required by applications? It's a unique API provided by PHP rather than an implementation detail of some generic API in PHP.

[1]: https://wiki.php.net/rfc/libsodium

Comment 4 Carl Schwan 2021-08-06 16:11:01 UTC

Just to add a comment as a PHP developer (and who encountered this problem today). One problem with not providing php-sodium is that once a database has password hashed with argon2i (for example using remirepo or another Linux distribution), it is then impossible to verify them on a rhel/centos machine with the official repo without installing a polyfill of a dubious quality.

For PHP >= 7.4 having PHP compiled with the libsodium package is not recommended anymore but what is needed to solve the problem is having php-sodium extension at least on epel (and so not officially supported).

Comment 5 Josh Boyer 2021-08-06 17:12:03 UTC

(In reply to Carl Schwan from comment #4)
> Just to add a comment as a PHP developer (and who encountered this problem
> today). One problem with not providing php-sodium is that once a database
> has password hashed with argon2i (for example using remirepo or another
> Linux distribution), it is then impossible to verify them on a rhel/centos
> machine with the official repo without installing a polyfill of a dubious
> quality.
> 
> For PHP >= 7.4 having PHP compiled with the libsodium package is not
> recommended anymore but what is needed to solve the problem is having
> php-sodium extension at least on epel (and so not officially supported).

Thank you for the added data point.  Unfortunately, it is unlikely to change the answer to this RFE.  We can leave the bug open if you'd like, but our intentions are to be as clear as possible that we do not intend to include libsodium in RHEL 9/CentOS Stream 9.

(For future reference on process, this would really need two bugs.  The first against the distribution component to add libsodium, which again will not be added.  Then a bug such as this against PHP to enable the feature.)

Comment 7 Remi Collet 2021-08-09 13:27:58 UTC

(In reply to Carl Schwan from comment #4)

> what is needed to solve the problem is having
> php-sodium extension at least on epel (and so not officially supported).

For now it is no possible to build extensions for modules
https://pagure.io/epel/issue/75

For EPEL-8 this is a major blocker.

For EPEL-9 things could seem better as php is no more a module
so it will be possible to provide php-sodium there.

But only for default PHP version 8.0, not for possible future
versions probably shipped as modules. So can be considered as
worst, as using extensions from EPEL will forbid the update
to any newer versions.


BTW, workaround exists...
(other 3rd party repo, of course unsupported)

Comment 8 Joe Orton 2021-08-10 14:24:14 UTC

Reopening this will not change the fact that libsodium will not ship in RHEL9.

At some point OpenSSL will hopefully ship an argon implementation and that can become accessible via PHP in RHEL. That is not planned for 3.0.0 so is also unlikely to happen for RHEL 9.0.  When there is a feasible route to supporting Argon in PHP let's track that.

Note You need to log in before you can comment on or make changes to this bug.