Version 2.0.1

Read this blog post for context.

We pulled v2.0.0 to prevent v2.x from being installed on 32-bit systems.

What's Changed

• Make composer aware of the requirement for 64bits PHP by @stof in #177

New Contributors

• @stof made their first contribution in #177

Full Changelog: v2.0.0...v2.0.1

Version 1.21.1

What's Changed

• [v1] Use SensitiveParameter on public API by @paragonie-security in #176

Full Changelog: v1.21.0...v1.21.1

Version 1.21.0

Important - Please Read

While this is not the final v1.x release, we will be releasing a new major version soon. See the updated major version policy in our readme for specific guidance.

Beyond that, this is a bog standard feature release. It contains no security fixes, but additional features (including the AEGIS AEAD mode used by libsodium, expected to land in PHP 8.4).

What's Changed

• AEGIS Implementation by @paragonie-security in #167
• Support PHP 8.4 by @paragonie-security in #169
• Pre v1.21 fixes by @paragonie-security in #170
• New major version policy by @paragonie-security in #171

Full Changelog: v1.20.1...v1.21.0

Version 1.20.1

What's Changed

• GH Actions: update PHP versions in workflows by @jrfnl in #160
• XSalsa20Test: fix typo in @covers tag by @jrfnl in #164
• Update actions/checkout to v4 by @paragonie-security in #165

Full Changelog: v1.20.0...v1.20.1

Version 1.20.0

What's Changed

• #157 - Update Wycheproof tests, fix Poly1305 implementation in response to Wycheproof failure

Full Changelog: v1.19.0...v1.20.0

Poly1305 bug?

If you had a specific bit pattern in your Poly1305 key and ciphertext, you would generate an invalid authentication tag. This was caught by the ChaCha20-Poly1305 tests included in Project Wycheproof.

We don't believe this is a security issue because:

1. Letting attackers control the key going into Poly1305 would defeat the security of this algorithm.
2. Years of integration and compatibility testing with ext/sodium never encountered the conditions necessary to trigger the bug. (Specifically, a ciphertext of all bits set was one of the conditions necessary to trigger it.)
3. The impact of triggering the bug is an incorrect authentication tag.

Additionally, if you turned fast multiplication on, you would have not triggered the bug at all.

This slows down our Poly1305 implementation slightly.

Version 1.19.0

• Breaking Changes for PHP 8: #152 - We fixed the parameter names for the public API for sodium_compat to conform to the Sodium extension
  • If you weren't relying on the Named Parameters feature (which landed after sodium_compat was created), this doesn't affect you at all.
• Added missing $ignore parameter to sodium_hex2bin() polyfill
  • Apparently we took that parameter at face value. Mea culpa.
• More unit testing

Version 1.18.1

• Fix #151 (PR #150): Resolve autoload-fast.php include path issue with Wordfence plugin for WordPress

Version 1.18.0

• Fixed issues with the PHP autoloader
  • #145: For WordPress, this ensures when Ed25519 is included, so too is the class it inherits from.
  • #148, #149: For PHP 7.4+ with opcache preloading, this ensures the include guards don't fail.
• #144: Added sodium_crypto_stream_xchacha20_xor_ic()
  • See pull request for php-src
  • For motivation: paragonie/halite#178

Version 1.17.1

• #140 Fix issues with 32-bit integers and floats on PHP 8.1
• Curve25519 field elements will now be normalized (overflow bits cleared unless numbers are negative) to prevent this float/int weirdness on PHP 8.1. This adds a very small performance hit on Curve25519 operations, but adds a guardrail against incorrect results.

Version 1.17.0

• Fixes several bugs with sodium_crypto_scalarmult_ristretto255() that was producing incorrect results in PHP 8.1
  • Off-by-one error in ge_scalarmult()
  • Multiplication optimizations led to incorrect results for some inputs
• CI now runs against PHP 8.1