On Thu, Jan 7, 2016 at 10:52 AM, Rouven Weßling <m...@rouvenwessling.de> wrote:
> Hi Scott,
>
> questions inline.
>
>> On 07 Jan 2016, at 14:26, Scott Arciszewski <sc...@paragonie.com> wrote:
>>
>> I've updated the RFC to make libsodium a core PHP extension in 7.1, to
>> include references to the online documentation.
>>
>> https://wiki.php.net/rfc/libsodium
>
> I know this is made difficult by the fact that this is an existing, stable
> PECL extension, which also supports older PHP versions but I don’t think it’s
> a good idea to introduce more functions that duplicate things handled already
> in core (I don’t mean in ext-openssl as libsodium would be an alternative to
> that extension). I’d rather see less duplication, not more.
>
> From a quick glance the following functions seem to be already covered:
> \Sodium\memcmp
> \Sodium\bin2hex
> \Sodium\hex2bin
> \Sodium\randombytes_buf
> \Sodium\randombytes_uniform
> \Sodium\randombytes_random16
>
> If their implementation is better than the core implementation, core should
> be fixed.
>
> Do the hashing functions have any advantage over those provided by ext-hash?
>
> There are also a couple of other functions whose value I’d question, I’ll
> send an email about those later.
>
>> This is part of an overall effort to improve PHP's cryptography; up
>> next will be the pluggable crypto API that supports multiple backends
>> (with a scope limited to openssl and libsodium at the time of release)
>> but always provide conservative defaults.
>
> A more general question: I haven’t looked at your prototype for a higher
> level API yet, but I’m wondering if it’s still necessary to introduce another
> low level API? When would I choose to use the latter?
>
> Best regards
> Rouven

The high-level API ties the user's hands and doesn't give them direct access to primitives. You can't use it for AES-256-ECB, you can only use it for AES-256-CTR+HMAC-SHA-384, with an encoded and version-tagged output, for example.

You still need ext/libsodium if you need to use any of its features directly, such as \Sodium\memzero().

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
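
As an added illustration (not part of the message above, the RFC, or the proposed API), here is a sketch of the kind of fixed, version-tagged AES-256-CTR + HMAC-SHA-384 construction the reply describes. The function names, version byte, message layout and HKDF labels are assumptions made for this example; it assumes PHP 8 with ext-openssl.

```php
<?php
// Assumed layout (constructed for this example):
// base64( version(1) || iv(16) || ciphertext || HMAC-SHA-384 tag(48) )
const EX_VERSION = "\x01";

function ex_subkeys(string $key): array
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    // Derive separate encryption and MAC keys (HKDF labels are assumptions).
    return [
        hash_hkdf('sha384', $key, 32, 'example-enc'),
        hash_hkdf('sha384', $key, 48, 'example-mac'),
    ];
}

function ex_encrypt(string $plaintext, string $key): string
{
    [$encKey, $macKey] = ex_subkeys($key);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers version, IV and ciphertext.
    $body = EX_VERSION . $iv . $ct;
    return base64_encode($body . hash_hmac('sha384', $body, $macKey, true));
}

function ex_decrypt(string $message, string $key): string
{
    [$encKey, $macKey] = ex_subkeys($key);
    $raw = base64_decode($message, true);
    if ($raw === false || strlen($raw) < 65 || $raw[0] !== EX_VERSION) {
        throw new RuntimeException('malformed or unsupported message');
    }
    [$body, $tag] = [substr($raw, 0, -48), substr($raw, -48)];
    // Constant-time tag check before any decryption.
    if (!hash_equals(hash_hmac('sha384', $body, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt(substr($body, 17), 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, substr($body, 1, 16));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}
```

The caller supplies only a key and a message: cipher, mode, MAC and output encoding are all fixed behind the version byte, which is the restriction the reply contrasts with direct access to primitives.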