I don't think there is time to get something finalised for 7.0, I certainly wouldn't want anything cryptography related to be rushed, so this is a pre-RFC discussion to gather ideas and opinions for something we can work towards in PHP 7.1 and that can live as a PECL extension between now and then.
I would like to propose a generic cryptographic framework is added into core. We already have a generic hashing framework in ext/hash that we are comitted to supporting and I think our users would benefit from having a set of widely used cryptographic functions available without having a to depend on external libraries or extensions. However this framework should also be extensible by third-party extensions. The preferred behaviour of an extension that provides a cipher or hash function would be to register it with the framework and then it would become available through the same methods as any of the built-in algorithms. This also provides a way of swapping underlying libraries without changing the way they are called, hopefully making problems such as the ones we're facing with mcrypt a thing of the past. The framework should provide as core features (in my opinion): * A set of built-in widely used and accepted ciphers. * A set of built-in widely used and accepted hashes and MACs. (ext/hash becomes part of this framework) * A portable high quality random number generator * Built-in interfaces for crypto-providing extensions to implement. * Crypto contexts as objects with familar init/update/final type methods. * Stream filters for enc/dec/hash/mac etc. that can take a crypto context object. * Easy to use one-shot functions that handle the context behind the scenes. There is obviously no work on an implementation yet, but I know Jakub has already spent a lot of time on the php-crypto objective OpenSSL wrapper. I think a lot of his work would be very useful for bootstrapping a generic framework project. Lets try and avoid discussions on names and syntax, that can wait. I'd really welcome any and all feedback on this as a proposal, with a view to starting a project to give us a stable and maintainable foundation for the future. Would this be considered a valuable addition? Is it possible to provide a succinct API for the overwhelming majority of peoples crypto needs? Are there any major concerns about this type of framework being added? Does anyone think this is the wrong approach entirely (and have a better idea!)? -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
