Skip to content

Fix #19096 blowfish_secret validation: support 64-char hex format and conver… #19599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
AMGui63 wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Fix #19096 blowfish_secret validation: support 64-char hex format and conver… #19599

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions config.sample.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,9 @@
declare(strict_types=1);

/**
* This is needed for cookie based authentication to encrypt the cookie.
* Needs to be a 32-bytes long string of random bytes. See FAQ 2.10.
* This is needed for cookie-based authentication to encrypt the cookie.
* Needs to be a 32-byte long binary string (use `random_bytes(32)`)
* or a 64-character hexadecimal string (use `bin2hex(random_bytes(32))`).
*/
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

Expand Down
15 changes: 8 additions & 7 deletions docs/config.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1924,17 +1924,18 @@ Cookie authentication options
will be used internally by the :term:`Sodium` extension: you won't be prompted for this encryption key.

Since a binary string is usually not printable, it can be converted into a hexadecimal representation (using a
function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_) and then used in the configuration file. For
function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_) and then used in the configuration file.
If a 64-character hexadecimal string is provided, phpMyAdmin will automatically convert it into a 32-byte binary string. For
example:

.. code-block:: php

// The string is a hexadecimal representation of a 32-bytes long string of random bytes.
$cfg['blowfish_secret'] = sodium_hex2bin('f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851');

Using a binary string is recommended. However, if all 32 bytes of the string are visible
characters, then a function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_ is not required. For
example:
Using a binary string is recommended. However, if all 32 bytes of the string are visible
characters, then a function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_ is not required. For
example:

.. code-block:: php

Expand All @@ -1943,9 +1944,9 @@ Cookie authentication options

.. warning::

The encryption key must be 32 bytes long. If it is longer than the length of bytes, only the first 32 bytes will
be used, and if it is shorter, a new temporary key will be automatically generated for you. However, this
temporary key will only last for the duration of the session.
The encryption key must be 32 bytes long. If it is a 64-character hexadecimal string, it will be automatically converted to a 32-byte binary string.
If it is longer than 32 bytes (excluding hex format), only the first 32 bytes will be used.
If it is shorter, a new temporary key will be automatically generated for you. However, this temporary key will only last for the duration of the session.

.. note::

Expand Down
20 changes: 20 additions & 0 deletions src/Controllers/HomeController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,6 +314,26 @@ private function checkRequirements(): void
// This can happen if the user did use getenv() to set blowfish_secret
$encryptionKeyLength = mb_strlen($config->settings['blowfish_secret'], '8bit');

// If the key is in hexadecimal and has a length of 64 characters (i.e., 32 bytes), then convert it to binary.
if ($encryptionKeyLength === 64 && ctype_xdigit($config->settings['blowfish_secret'])) {
// Convert the hexadecimal string to binary and override the original blowfish_secret
$binaryKey = hex2bin($config->settings['blowfish_secret']);
Copy link
Copy Markdown
Member

@MauricioFauth MauricioFauth Mar 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please replace the hex2bin function with sodium_hex2bin. The hex2bin function should not be used for cryptography.

if ($binaryKey !== false) { // Ensure conversion is successful
$config->settings['blowfish_secret'] = $binaryKey;
$encryptionKeyLength = SODIUM_CRYPTO_SECRETBOX_KEYBYTES; // Update length
} else {
// If hex2bin conversion fails, log an error or warning
$this->errors[] = [
'message' => __(
'Invalid blowfish_secret format: Unable to convert hex string to binary.'
. ' Please ensure it is a valid 64-character hexadecimal string.'
. ' Refer to the [doc@cfg_blowfish_secret]documentation[/doc].',
),
'severity' => 'error',
];
}
}

if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
$this->errors[] = [
'message' => __(
Expand Down