Add crypto_stream_xchacha20 to ext/sodium

Paragon Initiative Enterprises is aware of PHP applications that use sodium_compat's ParagonIE\Sodium\Core\XChaCha20 class directly for stream encryption.

Greater performance and security assurance is offered by exposing libsodium's crypto_stream_xchacha20 API to PHP users.

It's acceptable to only include this change in PHP 8.1+; the offending applications are more than welcome to either install ext/sodium from PECL or upgrade to 8.1 when it comes out later this year.

Ref: jedisct1/libsodium-php#211

Author: paragonie-security

ext/sodium/libsodium.c

@@ -335,6 +335,13 @@ PHP_MINIT_FUNCTION(sodium)
 						   crypto_stream_NONCEBYTES, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("SODIUM_CRYPTO_STREAM_KEYBYTES",
 						   crypto_stream_KEYBYTES, CONST_CS | CONST_PERSISTENT);
+
+#ifdef crypto_stream_xchacha20_KEYBYTES
+	REGISTER_LONG_CONSTANT("SODIUM_CRYPTO_STREAM_XCHACHA20_NONCEBYTES",
+						   crypto_stream_xchacha20_NONCEBYTES, CONST_CS | CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("SODIUM_CRYPTO_STREAM_XCHACHA20_KEYBYTES",
+						   crypto_stream_xchacha20_KEYBYTES, CONST_CS | CONST_PERSISTENT);
+#endif
 #ifdef sodium_base64_VARIANT_ORIGINAL
 	REGISTER_LONG_CONSTANT("SODIUM_BASE64_VARIANT_ORIGINAL",
 						   sodium_base64_VARIANT_ORIGINAL, CONST_CS | CONST_PERSISTENT);
@@ -1465,6 +1472,83 @@ PHP_FUNCTION(sodium_crypto_stream_xor)
 	RETURN_NEW_STR(ciphertext);
 }
 
+#ifdef crypto_stream_xchacha20_KEYBYTES
+PHP_FUNCTION(sodium_crypto_stream_xchacha20)
+{
+	zend_string   *ciphertext;
+	unsigned char *key;
+	unsigned char *nonce;
+	zend_long	  ciphertext_len;
+	size_t		 key_len;
+	size_t		 nonce_len;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "lss",
+							  &ciphertext_len,
+							  &nonce, &nonce_len,
+							  &key, &key_len) == FAILURE) {
+		return;
+	}
+	if (ciphertext_len <= 0 || ciphertext_len >= SIZE_MAX) {
+		zend_throw_exception(sodium_exception_ce, "ciphertext length must be greater than 0", 0);
+		return;
+	}
+	if (nonce_len != crypto_stream_xchacha20_NONCEBYTES) {
+		zend_throw_exception(sodium_exception_ce, "nonce should be SODIUM_CRYPTO_STREAM_XCHACHA20_NONCEBYTES bytes", 0);
+		return;
+	}
+	if (key_len != crypto_stream_xchacha20_KEYBYTES) {
+		zend_throw_exception(sodium_exception_ce, "key should be SODIUM_CRYPTO_STREAM_XCHACHA20_KEYBYTES bytes", 0);
+		return;
+	}
+	ciphertext = zend_string_checked_alloc((size_t) ciphertext_len, 0);
+	if (crypto_stream_xchacha20((unsigned char *) ZSTR_VAL(ciphertext),
+								(unsigned long long) ciphertext_len, nonce, key) != 0) {
+		zend_string_free(ciphertext);
+		zend_throw_exception(sodium_exception_ce, "internal error", 0);
+		return;
+	}
+
+	RETURN_STR(ciphertext);
+}
+
+PHP_FUNCTION(sodium_crypto_stream_xchacha20_xor)
+{
+	zend_string   *ciphertext;
+	unsigned char *key;
+	unsigned char *msg;
+	unsigned char *nonce;
+	size_t		 ciphertext_len;
+	size_t		 key_len;
+	size_t		 msg_len;
+	size_t		 nonce_len;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss",
+	&msg, &msg_len,
+	&nonce, &nonce_len,
+	&key, &key_len) == FAILURE) {
+		return;
+	}
+	if (nonce_len != crypto_stream_xchacha20_NONCEBYTES) {
+		zend_throw_exception(sodium_exception_ce, "nonce should be SODIUM_CRYPTO_STREAM_XCHACHA20_NONCEBYTES bytes", 0);
+		return;
+	}
+	if (key_len != crypto_stream_xchacha20_KEYBYTES) {
+		zend_throw_exception(sodium_exception_ce, "key should be SODIUM_CRYPTO_STREAM_XCHACHA20_KEYBYTES bytes", 0);
+		return;
+	}
+	ciphertext_len = msg_len;
+	ciphertext = zend_string_checked_alloc((size_t) ciphertext_len, 0);
+	if (crypto_stream_xchacha20_xor((unsigned char *) ZSTR_VAL(ciphertext), msg,
+									(unsigned long long) msg_len, nonce, key) != 0) {
+		zend_string_free(ciphertext);
+		zend_throw_exception(sodium_exception_ce, "internal error", 0);
+		return;
+	}
+
+	RETURN_STR(ciphertext);
+}
+#endif
+
 #ifdef crypto_pwhash_SALTBYTES
 PHP_FUNCTION(sodium_crypto_pwhash)
 {
@@ -2894,6 +2978,18 @@ PHP_FUNCTION(sodium_crypto_stream_keygen)
 	randombytes_buf(key, sizeof key);
 	RETURN_STRINGL((const char *) key, sizeof key);
 }
+#ifdef crypto_stream_xchacha20_KEYBYTES
+PHP_FUNCTION(sodium_crypto_stream_xchacha20_keygen)
+{
+	unsigned char key[crypto_stream_xchacha20_KEYBYTES];
+
+	if (zend_parse_parameters_none() == FAILURE) {
+		return;
+	}
+	randombytes_buf(key, sizeof key);
+	RETURN_STRINGL((const char *) key, sizeof key);
+}
+#endif
 
 PHP_FUNCTION(sodium_crypto_kdf_derive_from_key)
 {

ext/sodium/libsodium.stub.php

@@ -160,6 +160,12 @@ function sodium_crypto_stream_keygen(): string {}
 
 function sodium_crypto_stream_xor(string $message, string $nonce, string $key): string {}
 
+function sodium_crypto_stream_xchacha20(int $length, string $nonce, string $key) : string {}
+
+function sodium_crypto_stream_xchacha20_keygen() : string {}
+
+function sodium_crypto_stream_xchacha20_xor(string $message, string $nonce, string $key) : string {}
+
 function sodium_add(string &$string1, string $string2): void {}
 
 function sodium_compare(string $string1, string $string2): int {}

ext/sodium/libsodium_arginfo.h

@@ -348,6 +348,11 @@ ZEND_END_ARG_INFO()
 
 #define arginfo_sodium_crypto_stream_xor arginfo_sodium_crypto_secretbox
 
+#ifdef crypto_stream_xchacha20_KEYBYTES
+#define arginfo_sodium_crypto_stream_xchacha20_xor arginfo_sodium_crypto_stream_xor
+#define arginfo_sodium_crypto_stream_xchacha20 arginfo_sodium_crypto_stream
+#endif
+
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_sodium_add, 0, 2, IS_VOID, 0)
 	ZEND_ARG_TYPE_INFO(1, string1, IS_STRING, 0)
 	ZEND_ARG_TYPE_INFO(0, string2, IS_STRING, 0)
@@ -514,6 +519,11 @@ ZEND_FUNCTION(sodium_crypto_sign_verify_detached);
 ZEND_FUNCTION(sodium_crypto_stream);
 ZEND_FUNCTION(sodium_crypto_stream_keygen);
 ZEND_FUNCTION(sodium_crypto_stream_xor);
+#if defined(crypto_stream_xchacha20_KEYBYTES)
+ZEND_FUNCTION(sodium_crypto_stream_xchacha20);
+ZEND_FUNCTION(sodium_crypto_stream_xchacha20_keygen);
+ZEND_FUNCTION(sodium_crypto_stream_xchacha20_xor);
+#endif
 ZEND_FUNCTION(sodium_add);
 ZEND_FUNCTION(sodium_compare);
 ZEND_FUNCTION(sodium_increment);
@@ -643,6 +653,11 @@ static const zend_function_entry ext_functions[] = {
 	ZEND_FE(sodium_crypto_stream, arginfo_sodium_crypto_stream)
 	ZEND_FE(sodium_crypto_stream_keygen, arginfo_sodium_crypto_stream_keygen)
 	ZEND_FE(sodium_crypto_stream_xor, arginfo_sodium_crypto_stream_xor)
+#if defined(crypto_stream_xchacha20_KEYBYTES)
+	ZEND_FE(sodium_crypto_stream_xchacha20, arginfo_sodium_crypto_xchacha20_stream)
+	ZEND_FE(sodium_crypto_stream_xchacha20_keygen, arginfo_sodium_crypto_xchacha20_stream_keygen)
+	ZEND_FE(sodium_crypto_stream_xchacha20_xor, arginfo_sodium_crypto_xchacha20_stream_xor)
+#endif
 	ZEND_FE(sodium_add, arginfo_sodium_add)
 	ZEND_FE(sodium_compare, arginfo_sodium_compare)
 	ZEND_FE(sodium_increment, arginfo_sodium_increment)

ext/sodium/php_libsodium.h

@@ -112,6 +112,9 @@ PHP_FUNCTION(sodium_crypto_sign_verify_detached);
 PHP_FUNCTION(sodium_crypto_stream);
 PHP_FUNCTION(sodium_crypto_stream_keygen);
 PHP_FUNCTION(sodium_crypto_stream_xor);
+PHP_FUNCTION(sodium_crypto_stream_xchacha20);
+PHP_FUNCTION(sodium_crypto_stream_xchacha20_keygen);
+PHP_FUNCTION(sodium_crypto_stream_xchacha20_xor);
 PHP_FUNCTION(sodium_hex2bin);
 PHP_FUNCTION(sodium_increment);
 PHP_FUNCTION(sodium_memcmp);

ext/sodium/tests/crypto_stream_xchacha20.phpt

@@ -0,0 +1,52 @@
+--TEST--
+Check for libsodium stream
+--SKIPIF--
+<?php if (!extension_loaded("sodium") || !defined('CRYPTO_STREAM_XCHACHA20_KEYBYTES')) print "skip"; ?>
+--FILE--
+<?php
+$nonce = random_bytes(SODIUM_CRYPTO_STREAM_XCHACHA20_NONCEBYTES);
+$key = sodium_crypto_stream_xchacha20_keygen();
+
+$len = 100;
+$stream = sodium_crypto_stream_xchacha20($len, $nonce, $key);
+var_dump(strlen($stream));
+
+$stream2 = sodium_crypto_stream_xchacha20($len, $nonce, $key);
+
+$nonce = random_bytes(SODIUM_CRYPTO_STREAM_XCHACHA20_NONCEBYTES);
+$stream3 = sodium_crypto_stream_xchacha20($len, $nonce, $key);
+
+$key = sodium_crypto_stream_keygen();
+$stream4 = sodium_crypto_stream_xchacha20($len, $nonce, $key);
+
+var_dump($stream === $stream2);
+var_dump($stream !== $stream3);
+var_dump($stream !== $stream4);
+var_dump($stream2 !== $stream3);
+var_dump($stream2 !== $stream4);
+var_dump($stream3 !== $stream4);
+
+$stream5 = sodium_crypto_stream_xchacha20_xor($stream, $nonce, $key);
+var_dump($stream5 !== $stream);
+$stream6 = sodium_crypto_stream_xchacha20_xor($stream5, $nonce, $key);
+
+var_dump($stream6 === $stream);
+
+try {
+    sodium_crypto_stream_xchacha20($len, substr($nonce, 1), $key);
+} catch (SodiumException $ex) {
+    var_dump(true);
+}
+
+?>
+--EXPECT--
+int(100)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)