Undefined constant 'CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES'

Question

Undefined constant 'CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES'

Kulturnilpferd opened this issue 4 years ago · comments

Hey there,
after updating to php7.3 I get these stragne errors in error.log maybe you could help me...
PHP Fatal error: Uncaught Error: Undefined constant 'CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES' in /home/homepages/myhomepage/httpdocs/libraries/vendor/paragonie/sodium_compat/lib/constants.php:22\nStack trace:\n#0 /home/homepages/myhomepage/httpdocs/libraries/vendor/paragonie/sodium_compat/lib/sodium_compat.php(834): require_once()\n#1 /home/homepages/myhomepage/httpdocs/libraries/vendor/paragonie/sodium_compat/autoload.php(45): require_once('/home/homepages...')\n#2 /home/homepages/myhomepage/httpdocs/libraries/vendor/composer/autoload_real.php(66): require('/home/homepages...')\n#3 /home/homepages/myhomepage/httpdocs/libraries/vendor/composer/autoload_real.php(56): composerRequire205c915b9c7d3e718e7c95793ee67ffe('3109cb1a231dcd0...', '/home/homepages...')\n#4 /home/homepages/myhomepage/httpdocs/libraries/vendor/autoload.php(7): ComposerAutoloaderInit205c915b9c7d3e718e7c95793ee67ffe::getLoader()\n#5 /home/homepages/myhomepage/httpdocs/libraries/cms.php(36): require('/home/homepages...')\n in /home/homepages/myhomepage/httpdocs/libraries/vendor/paragonie/sodium_compat/lib/constants.php on line 22, referer: https://myhomepage/groups?start=108

P.I.E. Security Team · Answer 1 · Thu Apr 15 2021 05:45:40 GMT+0800 (China Standard Time)

If you update to the latest version of sodium_compat, does this error persist?

lululujojo123 · Answer 2 · Sun May 16 2021 21:16:01 GMT+0800 (China Standard Time)

Same problem with 1.16.0 and fresh installed composer package.

\Sodium\CRYPTO_PWHASH_SCRIPTSALSA208SHA256_OPSLIMIT_INTERACTIVE undefined constant.

ancient-spirit · Answer 3 · Mon May 24 2021 23:20:36 GMT+0800 (China Standard Time)

@paragonie-security

Hi, I got similar error

PHP Fatal error: Uncaught Error: Undefined class constant 'CRYPTO_CORE_RISTRETTO255_BYTES' in C:\aether\vendor\paragonie\sodium_compat\lib\ristretto255.php:6

lululujojo123 · Answer 4 · Tue May 25 2021 00:05:03 GMT+0800 (China Standard Time)

I think those errors are on purpose. Because the encryption or hashing methods are not performant in the sodium_compat package and should only be used with the PHP internal libsodium library. Those errors seam to be a little confusing. Could it be possible to maybe throw an more meaningful exception instead of removing those constants entirely?

P.I.E. Security Team · Answer 5 · Tue May 25 2021 00:10:52 GMT+0800 (China Standard Time)

I think those errors are on purpose. Because the encryption or hashing methods are not performant in the sodium_compat package and should only be used with the PHP internal libsodium library. Those errors seam to be a little confusing. Could it be possible to maybe throw an more meaningful exception instead of removing those constants entirely?

No, the point of this library is to be a polyfill.

P.I.E. Security Team · Answer 6 · Tue May 25 2021 00:15:16 GMT+0800 (China Standard Time)

@paragonie-security

Hi, I got similar error

PHP Fatal error: Uncaught Error: Undefined class constant 'CRYPTO_CORE_RISTRETTO255_BYTES' in C:\aether\vendor\paragonie\sodium_compat\lib\ristretto255.php:6

This is bizarre. It definitely exists.

I wonder if triggering the autoloader would sidestep this.

Can you add this line to vendor/paragonie/sodium_compat/autoload.php directly above line 44?

if (!class_exists('ParagonIE_Sodium_Compat')) {
    var_dump('class does not exist');
}

...and then tell me if this affects these errors?

P.I.E. Security Team · Answer 7 · Tue May 25 2021 00:26:46 GMT+0800 (China Standard Time)

A patch with an alternative proposed fix is in #132. If you can confirm that it addresses the observed behavior, I can merge it and tag v1.6.1 with the fix.

lululujojo123 · Answer 8 · Tue May 25 2021 00:38:26 GMT+0800 (China Standard Time)

I think those errors are on purpose. Because the encryption or hashing methods are not performant in the sodium_compat package and should only be used with the PHP internal libsodium library. Those errors seam to be a little confusing. Could it be possible to maybe throw an more meaningful exception instead of removing those constants entirely?

No, the point of this library is to be a polyfill.

Okay. That's fine. Took me some hours to understand, that behavior. Just thought it could be a little easier. But I totally understand that point as well. Is there a list of functions not available in the polyfill but available in libsodium? Just for the future. At the moment we rely on other functions which are completely available in your polyfill implementation.

P.I.E. Security Team · Answer 9 · Tue May 25 2021 00:45:40 GMT+0800 (China Standard Time)

Is there a list of functions not available in the polyfill but available in libsodium? Just for the future. At the moment we rely on other functions which are completely available in your polyfill implementation.

Outside the pwhash API, if a function is not covered by the polyfill, we consider that a bug to be fixed.

ancient-spirit · Answer 10 · Tue May 25 2021 00:51:15 GMT+0800 (China Standard Time)

@paragonie-security
Hi, I got similar error
PHP Fatal error: Uncaught Error: Undefined class constant 'CRYPTO_CORE_RISTRETTO255_BYTES' in C:\aether\vendor\paragonie\sodium_compat\lib\ristretto255.php:6

This is bizarre. It definitely exists.

I wonder if triggering the autoloader would sidestep this.

Can you add this line to vendor/paragonie/sodium_compat/autoload.php directly above line 44?
if (!class_exists('ParagonIE_Sodium_Compat')) {
    var_dump('class does not exist');
}
...and then tell me if this affects these errors?

var_dump(class_exists('ParagonIE_Sodium_Compat'));exit;

output: bool(true)

ancient-spirit · Answer 11 · Tue May 25 2021 01:11:17 GMT+0800 (China Standard Time)

A patch with an alternative proposed fix is in #132. If you can confirm that it addresses the observed behavior, I can merge it and tag v1.6.1 with the fix.

I found the issue happened on WordPress, because WordPress embed this package too.
https://github.com/WordPress/WordPress/tree/master/wp-includes/sodium_compat

$rc = new \ReflectionClass('ParagonIE_Sodium_Compat');

var_dump($rc->getFileName());exit;

output: C:\laragon\www\wordpress\wp-includes\sodium_compat\src\Compat.php

P.I.E. Security Team · Answer 12 · Tue May 25 2021 17:29:36 GMT+0800 (China Standard Time)

If this is a WordPress issue, try this:

Backup wp-includes\sodium_compat
Replace its contents with the branch in #122
Report back and tell us if the problem is fixed.

If so, the solution is simple: Release 1.6.1 and then tell the WordPress team to update their dependency in their next release. We've done this before.

ancient-spirit · Answer 13 · Tue May 25 2021 20:51:45 GMT+0800 (China Standard Time)

If this is a WordPress issue, try this:
1. Backup `wp-includes\sodium_compat`

2. Replace its contents with the branch in #122

3. Report back and tell us if the problem is fixed.
If so, the solution is simple: Release 1.6.1 and then tell the WordPress team to update their dependency in their next release. We've done this before.

I can confirm its work by following this guidance

P.I.E. Security Team · Answer 14 · Tue May 25 2021 21:04:13 GMT+0800 (China Standard Time)

Great! v1.16.1 is out. We'll follow up with the WordPress dev team to get sodium_compat updated.

P.I.E. Security Team · Answer 15 · Tue May 25 2021 21:16:37 GMT+0800 (China Standard Time)

WordPress ticket: https://core.trac.wordpress.org/ticket/53274