Security Fix

Read: A vulnerability in libsodium

This fixes a congruent issue in the main branch of the PHP implementation.

For older PHP versions, see v1.24.0 instead.

Security Fix

Read: A vulnerability in libsodium

This fixes a congruent issue in the v1.x branch of the PHP implementation.

The biggest change (besides unit testing) in this release is the optimization of Curve25519 field arithmetic by using object properties instead of an internal array. This skips some internal overhead in PHP (i.e., hash tables and memory allocation) that we ultimately never needed.

Beyond that, we mostly expanded our unit test coverage. We're running Infection to identify code that can be mutated without the test suite failing, and it's identified a lot of false positives but also some useful information. The end result? We've fixed a few bugs.

What's Changed

• Optimize curve25519 field element by removing array by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/198
• Remove dead or redundant code of Util::(strlen|substr) by @takaram in https://github.com/paragonie/sodium_compat/pull/201
• Improve Unit Testing Coverage by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/200
• Bigfixes and Improved Test Coverage by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/202

New Contributors

• @takaram made their first contribution in https://github.com/paragonie/sodium_compat/pull/201

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.3.1...v2.4.0

We backported some optimizations from #198 by replacing the array in the Curve25519 field element with 10 integer object properties instead. The result is a 7% to 12% speedup for the overall PHPUnit suite.

What's Changed

• Backport #198 to v1.x by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/199
• Backport Fixes from v2 ro v1.x branch by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/203

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.22.0...v1.23.0

Deletes the erroneous PSR-0 autoloader declaration from composer.json, fixing #196

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.3.0...v2.3.1

[!IMPORTANT] The previous version of sodium_compat was overly permissible with sodium_base642bin() when the *_NO_PADDING variants were specified, which was not compatible with ext-sodium. This has been fixed in v2.3.0.

If you need the old behavior in the meantime, you can call ParagonIE_Core_Base64_Original::decode() or ParagonIE_Core_Base64_UrlSafe:decode() to get lax padding enabled.

Aside from this fix, most of the changes were to the unit test suite in order to improve our mutation testing metrics.

What's Changed

• Fix CI for Fuzz/Mutation Tests by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/190
• Update .gitattributes for psalm files by @erikn69 in https://github.com/paragonie/sodium_compat/pull/192
• Fix flaky test for PHP 8.1+ by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/193
• Test enhancements + base64 no-padding fix by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/194

New Contributors

• @erikn69 made their first contribution in https://github.com/paragonie/sodium_compat/pull/192

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.2.0...v2.3.0

[!IMPORTANT] The previous version of sodium_compat was overly permissible with sodium_base642bin() when the *_NO_PADDING variants were specified, which was not compatible with ext-sodium. This has been fixed in v1.22.0.

If you need the old behavior in the meantime, you can call ParagonIE_Core_Base64_Original::decode() or ParagonIE_Core_Base64_UrlSafe:decode() to get lax padding enabled.

What's Changed

• Backport fixes from v2.x by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/195

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.21.2...v1.22.0

Version 2.2.0 of Sodium_Compat is mostly a maintenance release. Some dev-dependencies were changed in order to facilitate mutation and fuzz testing in CI. No significant changes to the src directory were required as a result of this additional testing.

What's Changed

• Move namespaced part to composer autoloader by @ywisax in https://github.com/paragonie/sodium_compat/pull/185
• Test PHP 8.5 in CI on v2.x by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/188
• Improve Assurance of Sodium_Compat by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/189

New Contributors

• @ywisax made their first contribution in https://github.com/paragonie/sodium_compat/pull/185

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.1.0...v2.2.0

What's Changed

• GH Actions: update the action runners by @jrfnl in https://github.com/paragonie/sodium_compat/pull/183
• Test PHP 8.5 in CI on v1.x by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/187

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.21.1...v1.21.2

What's Changed

• explicitly mark argument $alg as nullable by @xabbuh in https://github.com/paragonie/sodium_compat/pull/178
• define 2.0.x-dev as an alias for the master branch by @xabbuh in https://github.com/paragonie/sodium_compat/pull/179
• Optimize Curve25519 code by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/181
• PHP 8.4 compat nits by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/182

New Contributors

• @xabbuh made their first contribution in https://github.com/paragonie/sodium_compat/pull/178

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.0.1...v2.1.0

Read this blog post for context.

We pulled v2.0.0 to prevent v2.x from being installed on 32-bit systems.

What's Changed

• Make composer aware of the requirement for 64bits PHP by @stof in https://github.com/paragonie/sodium_compat/pull/177

New Contributors

• @stof made their first contribution in https://github.com/paragonie/sodium_compat/pull/177

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v2.0.0...v2.0.1

What's Changed

• [v1] Use SensitiveParameter on public API by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/176

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.21.0...v1.21.1

Important - Please Read

While this is not the final v1.x release, we will be releasing a new major version soon. See the updated major version policy in our readme for specific guidance.

Beyond that, this is a bog standard feature release. It contains no security fixes, but additional features (including the AEGIS AEAD mode used by libsodium, expected to land in PHP 8.4).

What's Changed

• AEGIS Implementation by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/167
• Support PHP 8.4 by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/169
• Pre v1.21 fixes by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/170
• New major version policy by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/171

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.20.1...v1.21.0

What's Changed

• GH Actions: update PHP versions in workflows by @jrfnl in https://github.com/paragonie/sodium_compat/pull/160
• XSalsa20Test: fix typo in [@covers](https://github.com/covers) tag by @jrfnl in https://github.com/paragonie/sodium_compat/pull/164
• Update actions/checkout to v4 by @paragonie-security in https://github.com/paragonie/sodium_compat/pull/165

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.20.0...v1.20.1

What's Changed

• #157 - Update Wycheproof tests, fix Poly1305 implementation in response to Wycheproof failure

Full Changelog: https://github.com/paragonie/sodium_compat/compare/v1.19.0...v1.20.0

Poly1305 bug?

If you had a specific bit pattern in your Poly1305 key and ciphertext, you would generate an invalid authentication tag. This was caught by the ChaCha20-Poly1305 tests included in Project Wycheproof.

We don't believe this is a security issue because:

1. Letting attackers control the key going into Poly1305 would defeat the security of this algorithm.
2. Years of integration and compatibility testing with ext/sodium never encountered the conditions necessary to trigger the bug. (Specifically, a ciphertext of all bits set was one of the conditions necessary to trigger it.)
3. The impact of triggering the bug is an incorrect authentication tag.

Additionally, if you turned fast multiplication on, you would have not triggered the bug at all.

This slows down our Poly1305 implementation slightly.

• Breaking Changes for PHP 8: #152 - We fixed the parameter names for the public API for sodium_compat to conform to the Sodium extension
  • If you weren't relying on the Named Parameters feature (which landed after sodium_compat was created), this doesn't affect you at all.
• Added missing $ignore parameter to sodium_hex2bin() polyfill
  • Apparently we took that parameter at face value. Mea culpa.
• More unit testing

• Fix #151 (PR #150): Resolve autoload-fast.php include path issue with Wordfence plugin for WordPress

• Fixed issues with the PHP autoloader
  • #145: For WordPress, this ensures when Ed25519 is included, so too is the class it inherits from.
  • #148, #149: For PHP 7.4+ with opcache preloading, this ensures the include guards don't fail.
• #144: Added sodium_crypto_stream_xchacha20_xor_ic()
  • See pull request for php-src
  • For motivation: https://github.com/paragonie/halite/issues/178

• #140 Fix issues with 32-bit integers and floats on PHP 8.1
• Curve25519 field elements will now be normalized (overflow bits cleared unless numbers are negative) to prevent this float/int weirdness on PHP 8.1. This adds a very small performance hit on Curve25519 operations, but adds a guardrail against incorrect results.

• Fixes several bugs with sodium_crypto_scalarmult_ristretto255() that was producing incorrect results in PHP 8.1
  • Off-by-one error in ge_scalarmult()
  • Multiplication optimizations led to incorrect results for some inputs
• CI now runs against PHP 8.1

• Fixes #122 (undefined constant errors caused by autoloader race conditions)

• New: Implements Ristretto255.

  Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-8 curves such as Curve25519.

  This is a new feature landing in PHP 8.1 for advanced users. Among other things, Ristretto allows you to easily build modern password-authenticated key exchanges, e.g. CPace.

  • You can learn more about Ristretto255 from the project's website.

Special thanks to Tony Arcieri, Frank Denis, Isis Lovecruft, Mike Hamburg, and Henry de Valence for making this release possible.

• Prevent infinite loop with crypto_kx()
• We're migrated from Github Actions to Travis CI now!

• Complete fix for #125.

• Always define the new polyfill functions even if PHP >= 7.2 and [an old version of] ext/sodium is used.

• Correct polyfill sodium_crypto_stream_xchacha20_xor

• Fixes #125
• Adds sodium_crypto_stream_xchacha20
  • This exposes XChaCha20 with 64-bit ChaCha20 nonces and 64-bit ChaCha20 internal counters. This is in stark contrast to the IETF's 96-bit nonces (with leading NUL bytes) and 32-bit counters, as exposed in the AEAD interface. This is a subtle but important property.

• #119 - Side-step mbstring issues on newer PHP
• #120 - Support PHPUnit 9
• #121 - Use more inclusive language
• Improved PHP 8 support

• Fix #113 and #116 via #117 - Should fix preloading issues with PHP 7.4+

• Fixes #106
• Fixes #112
• Possible fix for #113