Newsgroups: php.internals
From: scott@paragonie.com (Scott Arciszewski)
To: Rouven Weßling
Cc: PHP Internals
Date: Thu, 7 Jan 2016 10:54:51 -0500
Subject: Re: [PHP-DEV] [RFC] Libsodium
In-Reply-To: <1DDB3D90-2293-417F-9723-3691CC9DBCED@rouvenwessling.de>

On Thu, Jan 7, 2016 at 10:52 AM, Rouven Weßling wrote:
> Hi Scott,
>
> questions inline.
>
>> On 07 Jan 2016, at 14:26, Scott Arciszewski wrote:
>>
>> I've updated the RFC to make libsodium a core PHP extension in 7.1, to
>> include references to the online documentation.
>>
>> https://wiki.php.net/rfc/libsodium
>
> I know this is made difficult by the fact that this is an existing, stable
> PECL extension, which also supports older PHP versions but I don’t think
> it’s a good idea to introduce more functions that duplicate things handled
> already in core (I don’t mean in ext-openssl as libsodium would be an
> alternative to that extension). I’d rather see less duplication, not more.
>
> From a quick glance the following functions seem to be already covered:
> \Sodium\memcmp
> \Sodium\bin2hex
> \Sodium\hex2bin
> \Sodium\randombytes_buf
> \Sodium\randombytes_uniform
> \Sodium\randombytes_random16
>
> If their implementation is better than the core implementation, core
> should be fixed.
>
> Do the hashing functions have any advantage over those provided by
> ext-hash?
>
> There are also a couple of other functions whose value I’d question, I’ll
> send an email about those later.
>
>> This is part of an overall effort to improve PHP's cryptography; up
>> next will be the pluggable crypto API that supports multiple backends
>> (with a scope limited to openssl and libsodium at the time of release)
>> but always provide conservative defaults.
>
> A more general question: I haven’t looked at your prototype for a higher
> level API yet, but I’m wondering if it’s still necessary to introduce
> another low level API? When would I choose to use the latter?
>
> Best regards
> Rouven

The high-level API ties the user's hands and doesn't give them direct
access to primitives. You can't use it for AES-256-ECB, you can only
use it for AES-256-CTR+HMAC-SHA-384, with an encoded and
version-tagged output, for example.

You still need ext/libsodium if you need to use any of its features
directly, such as \Sodium\memzero().

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
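
Editor's added example, not part of the original message and not the prototype API it refers to: a sketch of what a fixed-construction interface of the kind described (AES-256-CTR with HMAC-SHA-384, encoded and version-tagged output) can look like when built on core functions. The names `seal`, `unseal`, `seal_keys` and `SEAL_VERSION`, the byte layout and the HKDF labels are all assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical format, assumed for this example only:
//   base64( version[1] || iv[16] || ciphertext || hmac_sha384[48] )
const SEAL_VERSION = "\x01";

function seal_keys(string $key): array
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    // Independent encryption and MAC keys via HKDF (needs PHP >= 7.1.2).
    return [hash_hkdf('sha384', $key, 32, 'enc'), hash_hkdf('sha384', $key, 48, 'mac')];
}

function seal(string $plaintext, string $key): string
{
    [$encKey, $macKey] = seal_keys($key);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $body = SEAL_VERSION . $iv . $ct;
    // Encrypt-then-MAC: the tag covers version, IV and ciphertext.
    return base64_encode($body . hash_hmac('sha384', $body, $macKey, true));
}

function unseal(string $message, string $key): string
{
    [$encKey, $macKey] = seal_keys($key);
    $raw = base64_decode($message, true);
    if ($raw === false || strlen($raw) < 1 + 16 + 48 || $raw[0] !== SEAL_VERSION) {
        throw new RuntimeException('malformed or unsupported message');
    }
    $body = substr($raw, 0, -48);
    // Verify the tag in constant time before any decryption happens.
    if (!hash_equals(hash_hmac('sha384', $body, $macKey, true), substr($raw, -48))) {
        throw new RuntimeException('authentication failed');
    }
    $iv = substr($body, 1, 16);
    $pt = openssl_decrypt(substr($body, 17), 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32); // constructed sample key
var_dump(unseal(seal('constructed sample', $key), $key) === 'constructed sample');
```

The caller chooses only the key and the message; cipher, mode, MAC and encoding are fixed by the version byte, which is the trade-off the reply describes when it says direct access to primitives still requires the low-level extension.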