Possibility of using libsodium instead of OpenSSL for Encryption

[benjamindoe]

Paragon Initiative are big advocates for libsodium (https://paragonie.com/blog/2015/09/how-to-safely-implement-cryptography-in-any-application)

As Sodium is now bundled with PHP 7.2 (https://www.php.net/manual/en/sodium.installation.php) It may be a good idea to switch to libsodium for the underlying technology for the Encrypter.

This blog post below highlights how it is always better to use libraries that are written by security experts.
https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

There are a couple of options here, implement libsodium directly using the PHP extension or build a wrapper than extends another library, similar to how illuminate/filesystem builds on Flysystem.

[pgrenaud]

I was reading PHP's RFCs yesterday and I though about the same thing. Libsodium (NaCl implementation) has been integrated into PHP since 7.2. And looking at the next Laravel release, it seems that the minimum required version will be increase to 7.3, so no compatibility issue here.

Beside the work required to integrate Libsodium as an option or to replace OpenSSL entirely, I don't see any reason not to do it. It also seems that Paragon provides a PHP library/interface for Libsodium: https://github.com/paragonie/halite

[mfn]

I don't see any reason not to do it

I'm not arguing against anything (I love progress 😄 ) but I can see the why: libsodium makes things really really accessible for the masses, they're doing a great service to the community.

But, I guess, unless there's a serious flaw in the current implementation and assuming you know exactly what you're doing with openssl, you could argue "everything is fine 🔥 " and just "don't need it" 🤷‍♀️

(personally I would use libsodium any day because I know otherwise I would just shoot myself in the foot)