Hi,

please check with your hosting, libsodium is part of PHP Core by 7.2.0 so it should be included in 7.4 too. So this code polyfill should not be needed anymore.

@zero-24 i'm aware of this, but given that my hosting is on PHP 7.4 and libsodium is not there, i'm afraid that this will happen to other users as well. At least the code polyfill should work, otherwise it makes no sense to have it.

See #27375 (comment)

@Quy i'm aware of #27375, but i don't agree. If the hosting fails like in my case, Joomla can't fail as well. J4 must be enough smarter enough to simply hash a password using another algorithm if Argon2i is not available. Imagine if this problem happens to a lot of hosting providers for people that upgrade from J3 to J4 and is no longer able to register accounts... everyone will be forced to contact his hosting provider!?

Now Joomla fails 2 times:

1. It's unable to fallback for example to HASH_BCRYPT
2. The polyfill doesn't work

Do you think that this is acceptable?

Can you try what is happening when you remove the sodium_compat package. As it should no longer be required with 7.2.5 as our PHP minimum maybe just the detection is foolen as that might depend on the PHP Version compare 7.2+.

If you remove the sodium_compat package the result is that the exception thrown is:

Argon2i algorithm is not supported.

@joeforjoomla can you please post the full backtrace here?

@dgrammatiko of course

I attach also the system info of the server. I'm talking with my hosting and although the PHP version is 7.4 the libsodium is not enabled... definitely it seems not an immediate thing to solve a similar problem. This is not important for me given that i'm still on a test environment, but think if this happens to thousands of websites.
systeminfo-2020-10-20T21_58_58+02_00.zip

Can you please check the phpinfo on that server because this function is part of php 7.2.0 https://www.php.net/manual/en/function.sodium-crypto-pwhash-str.php

systeminfo-2020-10-20T22_01_10+02_00.zip

One quick test: can you check the db stored pasword hash here: https://argon2.online (Argon2 Hash Validator / Verifier) and report the result?

the php72combat.php can't be loaded based on the source code:

if (PHP_VERSION_ID < 70200 || !extension_loaded('sodium')) {
    require_once dirname(__FILE__) . '/lib/php72compat.php';
}

Sorry was posting the phpinfo in JSON format
@HLeithner weird that this hosting is running PHP 7.4 and this function is not part of it

hmm ok it can be loaded^^

but why should libsodium not part of the host...

@HLeithner i don't know...

hmm updating is not there favorite thing php 7.4.7... anyway it seems that the libsodium package is an extra package on redhat el7 which they should install... especially if they make marketing with joomla https://www.ergonet.it/hosting/hosting-valore-joomla.html

Anyway @joomla/security should find a solution for this

@HLeithner thank you very much, indeed i'm afraid that this could happen to other hosting providers.

@zero-24 @HLeithner PHP 7.4 changed the value of PASSWORD_BCRYPT and thanks to the engine’s loose string versus int comparisons the new value is matching the local constant value for Argon2 (luckily PHP 8 fixes it). So the constant values in the UserHelper need to be changed to something unique and not reuse the values from the native PHP constants, then the switch statement in hashPassword should be updated to support both the UserHelper constants and the native PHP constant values (both versions).

thanks for debugging this I already got nuts trying to find out why it tries argon....

Can someone please add a release blocker to this please until the correction described by @dgrammatiko is converted into a pr

Closing we have a pr #31500