Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Libsodium
From: scott@paragonie.com (Scott Arciszewski)
To: Rouven Weßling
Cc: PHP Internals
Date: Thu, 7 Jan 2016 10:57:30 -0500
In-Reply-To: <1DDB3D90-2293-417F-9723-3691CC9DBCED@rouvenwessling.de>

On Thu, Jan 7, 2016 at 10:54 AM, Scott Arciszewski wrote:
> On Thu, Jan 7, 2016 at 10:52 AM, Rouven Weßling wrote:
>> Hi Scott,
>>
>> questions inline.
>>
>>> On 07 Jan 2016, at 14:26, Scott Arciszewski wrote:
>>>
>>> I've updated the RFC to make libsodium a core PHP extension in 7.1, to
>>> include references to the online documentation.
>>>
>>> https://wiki.php.net/rfc/libsodium
>>
>> I know this is made difficult by the fact that this is an existing, stable
>> PECL extension, which also supports older PHP versions, but I don't think
>> it's a good idea to introduce more functions that duplicate things handled
>> already in core (I don't mean in ext-openssl, as libsodium would be an
>> alternative to that extension). I'd rather see less duplication, not more.
>>
>> From a quick glance the following functions seem to be already covered:
>> \Sodium\memcmp
>> \Sodium\bin2hex
>> \Sodium\hex2bin
>> \Sodium\randombytes_buf
>> \Sodium\randombytes_uniform
>> \Sodium\randombytes_random16
>>
>> If their implementation is better than the core implementation, core should
>> be fixed.
>>
>> Do the hashing functions have any advantage over those provided by ext-hash?
>>
>> There are also a couple of other functions whose value I'd question, I'll
>> send an email about those later.
>>
>>> This is part of an overall effort to improve PHP's cryptography; up
>>> next will be the pluggable crypto API that supports multiple backends
>>> (with a scope limited to openssl and libsodium at the time of release)
>>> but always provides conservative defaults.
>>
>> A more general question: I haven't looked at your prototype for a higher
>> level API yet, but I'm wondering if it's still necessary to introduce
>> another low level API? When would I choose to use the latter?
>>
>> Best regards
>> Rouven
>
> The high-level API ties the user's hands and doesn't give them direct
> access to primitives. You can't use it for AES-256-ECB, you can only
> use it for AES-256-CTR+HMAC-SHA-384, with an encoded and
> version-tagged output, for example.
>
> You still need ext/libsodium if you need to use any of its features
> directly, such as \Sodium\memzero().
>
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises

To clarify: You can swap out AES-256 for AES-192, or SHA-384 for SHA-256, etc.
You cannot swap out the protocol construction for anything other than
Encrypt then MAC.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
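The following is an added illustration, not code from the thread, the RFC, or Paragon's prototype: an Encrypt-then-MAC construction of the shape Scott describes (AES-256-CTR for encryption, HMAC-SHA-384 for authentication, a version tag prepended to the encoded output) built only from core ext/openssl and ext/hash, which is also where Rouven's duplication question points (random_bytes() and hash_equals() in place of \Sodium\randombytes_buf and \Sodium\memcmp). The function names, the 2-byte VERSION_TAG value and the key-splitting labels are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the mailing-list thread. All names and the
// version tag value are constructed for illustration.

const VERSION_TAG = "\xA1\x01";   // constructed 2-byte protocol/version header
const CIPHER      = 'aes-256-ctr';
const MAC_ALGO    = 'sha384';
const MAC_LEN     = 48;           // SHA-384 output size in bytes
const NONCE_LEN   = 16;           // AES block size, i.e. the CTR IV size

/**
 * Derive separate encryption and authentication keys from one master key,
 * so the cipher key is never reused as the MAC key.
 */
function splitKeys(string $masterKey): array
{
    if (strlen($masterKey) !== 32) {
        throw new InvalidArgumentException('master key must be 32 bytes');
    }
    $encKey  = substr(hash_hmac('sha384', 'encryption', $masterKey, true), 0, 32);
    $authKey = hash_hmac('sha384', 'authentication', $masterKey, true);
    return [$encKey, $authKey];
}

/** Encrypt, then MAC over version || nonce || ciphertext; return base64. */
function encryptThenMac(string $plaintext, string $masterKey): string
{
    [$encKey, $authKey] = splitKeys($masterKey);
    $nonce = random_bytes(NONCE_LEN);           // fresh random IV per message
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $nonce);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers everything the receiver will parse, version tag included.
    $mac = hash_hmac(MAC_ALGO, VERSION_TAG . $nonce . $ciphertext, $authKey, true);
    return base64_encode(VERSION_TAG . $nonce . $ciphertext . $mac);
}

/** Check the version tag and MAC in constant time; only then decrypt. */
function verifyThenDecrypt(string $encoded, string $masterKey): string
{
    [$encKey, $authKey] = splitKeys($masterKey);
    $blob = base64_decode($encoded, true);
    $minLen = strlen(VERSION_TAG) + NONCE_LEN + MAC_LEN;
    if ($blob === false || strlen($blob) < $minLen) {
        throw new RuntimeException('malformed message');
    }
    if (!hash_equals(VERSION_TAG, substr($blob, 0, strlen(VERSION_TAG)))) {
        throw new RuntimeException('unsupported version');
    }
    $mac  = substr($blob, -MAC_LEN);
    $body = substr($blob, 0, -MAC_LEN);
    $expected = hash_hmac(MAC_ALGO, $body, $authKey, true);
    // hash_equals() is core's constant-time comparison; reject before decrypting.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('MAC verification failed');
    }
    $nonce      = substr($body, strlen(VERSION_TAG), NONCE_LEN);
    $ciphertext = substr($body, strlen(VERSION_TAG) + NONCE_LEN);
    $plaintext  = openssl_decrypt($ciphertext, CIPHER, $encKey, OPENSSL_RAW_DATA, $nonce);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Demo with a constructed key: round trip, then a single-byte modification
// of the ciphertext, which must be rejected by the MAC check.
$key   = random_bytes(32);
$token = encryptThenMac('attack at dawn', $key);
var_dump(verifyThenDecrypt($token, $key) === 'attack at dawn');

$tampered = base64_decode($token, true);
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);   // byte 20 lies inside the ciphertext
try {
    verifyThenDecrypt(base64_encode($tampered), $key);
    echo "unexpected: tampered token accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The receiver never touches the ciphertext until the MAC over the whole envelope (including the version tag) has verified, which is the property Scott is describing when he says the construction itself is fixed while the cipher or hash inside it may be swapped; changing CIPHER to `aes-192-ctr` or MAC_ALGO to `sha256` keeps the same Encrypt-then-MAC shape.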