Re: [RFC] Libsodium
Hi Scott,
questions inline.
> On 07 Jan 2016, at 14:26, Scott Arciszewski <[email protected]> wrote:
>
> I've updated the RFC to make libsodium a core PHP extension in 7.1, to
> include references to the online documentation.
>
> https://wiki.php.net/rfc/libsodium
I know this is made difficult by the fact that this is an existing, stable PECL extension, which
also supports older PHP versions but I don’t think it’s a good idea to introduce more functions
that duplicate things handled already in core (I don’t mean in ext-openssl as lib sodium would be
an alternative to that extension). I’d rather see less duplication, not more.
From a quick glance the following functions seems to be already covered:
\Sodium\memcmp
\Sodium\bin2hex
\Sodium\hex2bin
\Sodium\randombytes_buf
\Sodium\randombytes_uniform
\Sodium\randombytes_random16
If their implementation is better than the core implementation, core should be fixed.
Do the hashing functions have any advantage over those provided by ext-hash?
There are also a couple of other functions whose value I’d question, I’ll send an email about
those later.
> This is part of an overall effort to improve PHP's cryptography; up
> next will be the pluggable crypto API that supports multiple backends
> (with a scope limited to openssl and libsodium at the time of release)
> but always provide conservative defaults.
A more general question: I haven’t looked at your prototype for a higher level API yet, but I’m
wondering if it’s still necessary to introduce another low level API? When would I choose to use
the latter?
Best regards
Rouven
Thread (25 messages)