Solution : GMP Support for Enhanced libsodium Integration with PHP

[coladrian]

Hi,

Following the Oneinstack project closely and focusing on testing general security and secure integrations with PHP, I've identified a significant optimization point when using libsodium for cryptographic operations (ref: #525). The joint use of libsodium and the GMP library often proves crucial for optimal management of large numbers, exemplified by scenarios such as:

$f = gmp_strval(gmp_init($foo, 16), 16);
$b = gmp_strval(gmp_init($bar, 16), 16);
$value = gmp_init('0x' . sodium_bin2hex(sodium_crypto_generichash($f . $b, '', 512 / 8)), 16);

Integrating libsodium and GMP in PHP projects provides significant benefits in terms of performance and security, allowing for more precise and efficient handling of cryptographic data.

To strengthen this integration and optimize the use of libsodium with PHP, I propose including the --with-gmp option in the configuration command for PHP versions 8* and later. This change aims to compile PHP with GMP support enabled by default, thus ensuring better compatibility and performance for applications requiring advanced cryptographic features.

Here is the modified configuration command, including --with-gmp:

// oneinstack/include/php-8.{subversion}.sh

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/:$PKG_CONFIG_PATH
  [ ! -d "${php_install_dir}" ] && mkdir -p ${php_install_dir}
  [ "${phpcache_option}" == '1' ] && phpcache_arg='--enable-opcache' || phpcache_arg='--disable-opcache'
  if [ "${apache_mode_option}" == '2' ]; then
    ./configure --prefix=${php_install_dir} --with-config-file-path=${php_install_dir}/etc \
    --with-config-file-scan-dir=${php_install_dir}/etc/php.d \
    --with-apxs2=${apache_install_dir}/bin/apxs ${phpcache_arg} --disable-fileinfo \
    --enable-mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd \
    --with-iconv=/usr/local --with-freetype --with-jpeg --with-zlib  --with-gmp \
    --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-exif \
    --enable-sysvsem ${php83_with_curl} --enable-mbregex \
    --enable-mbstring --with-password-argon2 --with-sodium=/usr/local --enable-gd ${php83_with_openssl} \
    --with-mhash --enable-pcntl --enable-sockets --enable-ftp --enable-intl --with-xsl \
    --with-gettext --with-zip=/usr/local --enable-soap --disable-debug ${php_modules_options}
  else
    ./configure --prefix=${php_install_dir} --with-config-file-path=${php_install_dir}/etc \
    --with-config-file-scan-dir=${php_install_dir}/etc/php.d \
    --with-fpm-user=${run_user} --with-fpm-group=${run_group} --enable-fpm ${phpcache_arg} --disable-fileinfo \
    --enable-mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd \
    --with-iconv=/usr/local --with-freetype --with-jpeg --with-zlib  --with-gmp \
    --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-exif \
    --enable-sysvsem ${php83_with_curl} --enable-mbregex \
    --enable-mbstring --with-password-argon2 --with-sodium=/usr/local --enable-gd ${php83_with_openssl} \
    --with-mhash --enable-pcntl --enable-sockets --enable-ftp --enable-intl --with-xsl \
    --with-gettext --with-zip=/usr/local --enable-soap --disable-debug ${php_modules_options}
  fi

*Although I haven't tested this configuration on PHP versions prior to 8.

Best regards,
Adrian