Search code examples
phpencryptionnoncelibsodiumsodium

PHP and Sodium - Unable to pass a nonce publicly in a form


As the title suggest i am having difficulty in passing the value of a nonce publicly through a form. I have tried using both a hidden field in the form and passing the value as a parameter in the url.

The nonce is created using:

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES)

When I try to use the retrieved value (eg sodium_crypto_secretbox_open) form either a hidden field (POST) or the url (GET) the following error is returned:

Uncaught SodiumException: nonce size should be SODIUM_CRYPTO_SECRETBOX_NONCEBYTES bytes

I appreciate that the size of the nonce string is being affected, but I have no idea how to counter this issue.

When I echo out the retrieved nonce it looks fine. There appears to be an issue after the nonce is echo'd out that it changes size and is deemed inappropriate to be used by sodium.

Any advice would be greatly appreciated.


Solution

  • Binary values do not translate well when sent in the request so one thing you might consider would be to convert the raw nonce value using bin2hex, add as the hidden input and then to process reverse the process using hex2bin

    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $hex=bin2hex($nonce);
    /* add the above $hex as the hidden input */
    
    /* serverside decode the input*/
    $bin=hex2bin($hex);
    
    
    <form method='post'>
        <input type='hidden' name='nonce' value='<?php echo $hex;?>' />
        <!-- other elements -->
        <input type='submit' />
    </form>
    
    
     /* serverside */   
     $bin=hex2bin( $_POST['nonce'] );
    

    Update: Reading further on these native sodium methods sodium_hex2bin and sodium_bin2hex

    Like sodium_bin2hex(), sodium_hex2bin() is resistant to side-channel attacks while hex2bin() is not.