
PHP showing its maturity in release 7.4

Posted May 5, 2020 3:31 UTC (Tue) by jkingweb (subscriber, #113039)
Parent article: PHP showing its maturity in release 7.4

I often see sodium being touted as a major feature of PHP 7.2, and yet with PHP 8.0 around the corner, the sodium extension still has practically no documentation. I understand that the libsodium documentation itself can (and should) be used as a reference, but that doesn't excuse PHP from documenting its interface to it. It has always felt to me as if the promise of easier cryptography in PHP is seriously undermined by this omission.



PHP showing its maturity in release 7.4

Posted May 5, 2020 12:45 UTC (Tue) by ThePandaman (guest, #138628)

I believe the easiest and most popular way to handle the libsodium extension is to use the Halite library by the people of the Paragon Initiative.

They wrap around the extension with easy-to-use classes with good documentation on when to use which functions.

PHP showing its maturity in release 7.4

Posted May 5, 2020 12:54 UTC (Tue) by WolfWings (subscriber, #56790)

And honestly 3/4ths of the LibSodium PHP extension documentation should be "Don't use this except for backwards compatibility with older code. Use function X instead." as well, it's essentially an "FFI before FFI" extension already which means it's exposing all of the functions that muddle up the waters.

The huge swath of aead_* functions should be ignored entirely by the supermajority of PHP devs for instance, just use secretbox, box, or seal instead. There's a lot of 'helper' functions that with the PHP interface they've been given are also entirely redundant compared to the built-in PHP functions as well like the duplicate bin2hex and its ilk as well. Some like the memcmp exist to avoid side-channel attacks, but a lot of the conversion helper functions don't benefit from being exposed except to add additional functions to the extension to (not) document in over 2.5 years now.
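For readers following the secretbox recommendation in the comment above, here is an added example (not part of the thread, and not code from PHP or libsodium documentation) of the handful of ext/sodium calls involved. The function names `encrypt_message` and `decrypt_message` and the sample strings are hypothetical; it assumes PHP 7.2 or later with the sodium extension loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encrypt with a fresh random nonce and prepend the nonce.
function encrypt_message(string $plaintext, string $key): string
{
    // A nonce must never repeat under the same key; 24 random bytes make that safe.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Ciphertext is not secret, so the built-in base64_encode() is sufficient here.
    return base64_encode($nonce . $cipher);
}

// Hypothetical helper: split nonce and ciphertext, verify the MAC, return plaintext.
function decrypt_message(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed message');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false (not garbage) when the key is wrong or the data was modified.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

$key = sodium_crypto_secretbox_keygen();
$msg = encrypt_message('constructed sample payload', $key);
echo decrypt_message($msg, $key), PHP_EOL;

// Flip one bit of the stored message: decryption must refuse it.
$raw = base64_decode($msg, true);
$last = strlen($raw) - 1;
$raw[$last] = $raw[$last] ^ "\x01";
try {
    decrypt_message(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// sodium_memcmp() compares equal-length secrets in constant time (0 means equal).
$expected = sodium_crypto_generichash('constructed token', $key);
$supplied = sodium_crypto_generichash('constructed token', $key);
echo sodium_memcmp($expected, $supplied) === 0 ? 'match' : 'mismatch', PHP_EOL;

sodium_memzero($key); // wipe the key from memory once it is no longer needed
```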

PHP showing its maturity in release 7.4

Posted May 6, 2020 17:53 UTC (Wed) by coogle (guest, #138507)

I think libsodium is an excellent example and agree with you on how FFI can make a real impact on the PHP ecosystem! It's so massive of an extension however I didn't want to start trying to decide which functions are for "backward compatibility" though when it came to crypto, so I omitted the comparison. I know when I've personally used ext/sodium I have discovered the relatively few functions I actually needed to do the job properly (after a considerable amount of digging).

Like I said in the article, it's really going to be interesting to see what hosting providers do here because they are going to make or break it IMO. If cheap WordPress hosts make libsodium.so available (along with all the others) I think it's going to really change PHP for the better long-term.

