From 5cc7ac3dee202fb377ae0a0fbf0c52730ef20320 Mon Sep 17 00:00:00 2001
From: George Peter Banyard
Date: Tue, 21 Jul 2020 14:16:03 +0100
Subject: [PATCH 1/2] Promote empty PWD to Exception in Sodium
---
 ext/sodium/libsodium.c | 48 ++++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/ext/sodium/libsodium.c b/ext/sodium/libsodium.c
index 18f7d3db1ddd1..f3d45d7accdd2 100644
--- a/ext/sodium/libsodium.c
+++ b/ext/sodium/libsodium.c
@@ -1499,6 +1499,10 @@ PHP_FUNCTION(sodium_crypto_pwhash)
 zend_argument_error(sodium_exception_ce, 1, "is too large");
 RETURN_THROWS();
 }
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 2, "cannot be empty");
+ RETURN_THROWS();
+ }
 if (passwd_len >= 0xffffffff) {
 zend_argument_error(sodium_exception_ce, 2, "is too long");
 RETURN_THROWS();
@@ -1519,9 +1523,6 @@ PHP_FUNCTION(sodium_crypto_pwhash)
 zend_throw_exception(sodium_exception_ce, "unsupported password hashing algorithm", 0);
 RETURN_THROWS();
 }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
- }
 if (salt_len != crypto_pwhash_SALTBYTES) {
 zend_argument_error(sodium_exception_ce, 3, "must be SODIUM_CRYPTO_PWHASH_SALTBYTES bytes long");
 RETURN_THROWS();
@@ -1574,6 +1575,14 @@ PHP_FUNCTION(sodium_crypto_pwhash_str)
 sodium_remove_param_values_from_backtrace(EG(exception));
 RETURN_THROWS();
 }
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 1, "cannot be empty");
+ RETURN_THROWS();
+ }
+ if (passwd_len >= 0xffffffff) {
+ zend_argument_error(sodium_exception_ce, 1, "is too long");
+ RETURN_THROWS();
+ }
 if (opslimit <= 0) {
 zend_argument_error(sodium_exception_ce, 2, "must be greater than 0");
 RETURN_THROWS();
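Review bot: Nothing in this patch tests the new `passwd_len == 0` throws: the diffstat lists only ext/sodium/libsodium.c, while the first hunk (`@@ -1499,6 +1499,10 @@`, sodium_crypto_pwhash) and its five siblings turn a warning into a SodiumException. A test per function that passes an empty password and expects the `cannot be empty` argument error would pin the argument numbers, which are 2 in sodium_crypto_pwhash and 1 in the `_str` variants. A short comment above the first check, such as `/* An empty password is rejected outright instead of being hashed with a warning */`, would record why the check exists. The body of sodium_crypto_pwhash starts and ends outside this hunk.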
@@ -1582,13 +1591,6 @@ PHP_FUNCTION(sodium_crypto_pwhash_str)
 zend_argument_error(sodium_exception_ce, 3, "must be greater than 0");
 RETURN_THROWS();
 }
- if (passwd_len >= 0xffffffff) {
- zend_argument_error(sodium_exception_ce, 1, "is too long");
- RETURN_THROWS();
- }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
- }
 if (opslimit < crypto_pwhash_OPSLIMIT_MIN) {
 zend_argument_error(sodium_exception_ce, 2, "must be greater than or equal to %d", crypto_pwhash_OPSLIMIT_MIN);
 }
@@ -1643,13 +1645,14 @@ PHP_FUNCTION(sodium_crypto_pwhash_str_verify)
 sodium_remove_param_values_from_backtrace(EG(exception));
 RETURN_THROWS();
 }
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 2, "cannot be empty");
+ RETURN_THROWS();
+ }
 if (passwd_len >= 0xffffffff) {
 zend_argument_error(sodium_exception_ce, 2, "is too long");
 RETURN_THROWS();
 }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
- }
 if (crypto_pwhash_str_verify
 (hash_str, passwd, (unsigned long long) passwd_len) == 0) {
 RETURN_TRUE;
@@ -1682,6 +1685,10 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256)
 zend_argument_error(sodium_exception_ce, 1, "must be greater than 0");
 RETURN_THROWS();
 }
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 2, "cannot be empty");
+ RETURN_THROWS();
+ }
 if (opslimit <= 0) {
 zend_argument_error(sodium_exception_ce, 4, "must be greater than 0");
 RETURN_THROWS();
@@ -1690,9 +1697,6 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256)
 zend_argument_error(sodium_exception_ce, 5, "must be greater than 0");
 RETURN_THROWS();
 }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
- }
 if (salt_len != crypto_pwhash_scryptsalsa208sha256_SALTBYTES) {
 zend_argument_error(sodium_exception_ce, 3, "must be SODIUM_CRYPTO_PWHASH_SCRYPTSALSA208SHA256_SALTBYTES bytes long");
 RETURN_THROWS();
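Review bot: The `opslimit < crypto_pwhash_OPSLIMIT_MIN` check left as context in the `@@ -1582,13 +1591,6 @@` hunk of sodium_crypto_pwhash_str raises an argument error but has no `RETURN_THROWS();` before its closing brace, so the function keeps running with an exception pending after rejecting the cost parameter. Since this commit makes the neighbouring validation throw and return, add `RETURN_THROWS();` after that `zend_argument_error(...)` call. The same shape is visible in the `@@ -1739,9 +1747,6 @@` hunk, on the `crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE` check of the scrypt `_str` variant. Both function bodies continue outside their hunks, so what runs after the check is not visible here.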
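Review bot: In sodium_crypto_pwhash_str_verify (hunk `@@ -1643,13 +1645,14 @@`) an empty candidate password now raises a SodiumException before `crypto_pwhash_str_verify` is reached, where it used to warn and still produce a boolean. Verifiers are typically handed request input as-is, so a blank login field becomes an exception the caller must catch, and an uncaught one is distinguishable from an ordinary wrong-password `false`. Consider keeping the throw in the hashing functions and returning early in the verifiers, e.g. `if (passwd_len == 0) { RETURN_FALSE; }`, or documenting the new contract so callers add handling. The same applies to the `@@ -1775,8 +1780,9 @@` hunk in sodium_crypto_pwhash_scryptsalsa208sha256_str_verify, where the wrong-hash-length path right below still warns and returns false.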
@@ -1731,6 +1735,10 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256_str)
 sodium_remove_param_values_from_backtrace(EG(exception));
 RETURN_THROWS();
 }
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 1, "cannot be empty");
+ RETURN_THROWS();
+ }
 if (opslimit <= 0) {
 zend_argument_error(sodium_exception_ce, 2, "must be greater than 0");
 RETURN_THROWS();
@@ -1739,9 +1747,6 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256_str)
 zend_argument_error(sodium_exception_ce, 3, "must be greater than 0");
 RETURN_THROWS();
 }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
- }
 if (opslimit < crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE) {
 zend_argument_error(sodium_exception_ce, 2, "must be greater than or equal to %d", crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE);
 }
@@ -1775,8 +1780,9 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256_str_verify)
 sodium_remove_param_values_from_backtrace(EG(exception));
 RETURN_THROWS();
 }
- if (passwd_len <= 0) {
- zend_error(E_WARNING, "empty password");
+ if (passwd_len == 0) {
+ zend_argument_error(sodium_exception_ce, 2, "cannot be empty");
+ RETURN_THROWS();
 }
 if (hash_str_len != crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1) {
 zend_error(E_WARNING, "wrong size for the hashed password");
From dd4ed93dc1eaf4385412b96a259c6a0ff587b68b Mon Sep 17 00:00:00 2001
From: George Peter Banyard
Date: Tue, 21 Jul 2020 14:16:20 +0100
Subject: [PATCH 2/2] TODO Comment
---
 ext/sodium/libsodium.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ext/sodium/libsodium.c b/ext/sodium/libsodium.c
index f3d45d7accdd2..12ae0d9699e5b 100644
--- a/ext/sodium/libsodium.c
+++ b/ext/sodium/libsodium.c
@@ -1785,6 +1785,7 @@ PHP_FUNCTION(sodium_crypto_pwhash_scryptsalsa208sha256_str_verify)
 RETURN_THROWS();
 }
 if (hash_str_len != crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1) {
+ /* Promote to Exception? */
 zend_error(E_WARNING, "wrong size for the hashed password");
 RETURN_FALSE;
 }