Zend Crypt Laravel Package

Added

• #60 adds support for PHP 7.3.

Changed

• Nothing.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• Nothing.

Added

• #52 adds support for PHP 7.2.

Changed

• #55 updates Zend\Crypt\Hmac to use hash_hmac_algos instead of hmac_algos when it is present.

• #50 updates all classes to import functions and constants they use.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• Nothing.

Added

• #42 Added the CTR mode for OpenSSL.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• #48 Incorrect Rsa type declaration in Hybrid constructor.

Added

• #38 Support of GCM and CCM encryption mode for OpenSSL with PHP 7.1+

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• Nothing.

Added

• #32 adds a new Hybrid encryption utility, to allow OpenPGP-like encryption/decryption of messages using OpenSSL. See the documentation for details.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• Nothing.

Added

• #22 adds a requirement on ext/mbstring in order to install successfully.
• #25 adds a new symmetric encryption adapter for the OpenSSL extension; this is now the default adapter used internally by the component when symmetric encryption is required.
• #25 adds support for zend-math v3.
• #26 adds Zend\Crypt\Password\Bcrypt::benchmarkCost(), which allows you to find the maximum cost value possible for your hardware within a 50ms timeframe.
• #11 adds a new option to the Zend\Crypt\PublicKey\RsaOptions class, openssl_padding (or setOpensslPadding(); this is now consumed in Zend\Crypt\PublicKey\Rsa::encrypt() and Zend\Crypt\PublicKey\Rsa::decrypt(), instead of the optional $padding argument.

Deprecated

• #25 deprecates usage of the mcrypt symmetric encryption adapter when used on PHP 7 versions, as PHP 7.1 will deprecate the mcrypt extension.

Removed

• #11 removes the optional $padding argument from each of Zend\Crypt\PublicKey\Rsa's encrypt() and decrypt() methods; you can now specify the value via the RsaOptions.
• #25 removes support for zend-math v2 versions.
• #29 removes support for PHP 5.5.

Fixed

• #22 updates all occurrences of substr() and strlen() to use mb_substr() and mb_strlen(), respectively. This provides better security with binary values.
• #25 updates the Zend\Crypt\Password\Bcrypt implementation to use password_hash() and password_verify() internally, as they are supported in all PHP versions we support.
• #19 fixes the DiffieHellman publickey implementation to initialize the BigInteger adapter from zend-math as the first operation of its constructor, fixing a fatal error that occurs when binary data is provided.

Added

• #18 adds documentation, and publishes it to https://zendframework.github.io/zend-crypt/

Deprecated

• Nothing.

Removed

• Removes the (development) dependency on zend-config; tests that used it previously have been updated to use ArrayObject, which implements the same behavior being tested.

Fixed

• #4 replaces the zend-servicemanager with container-interop, and refactors the various plugin managers to implement that interface instead of extending the AbstractPluginManager.

Added

• Nothing.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

  Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  

  where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

  (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.

Added

• Nothing.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

  Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  

  where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

  (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.

hotfix/5

Added

• Nothing.

Changed

• Nothing.

Deprecated

• Nothing.

Removed

• Nothing.

Fixed

• Nothing.