Comments (11)
Ya know... I had never even thought of that lol. But you're right - that's a really good idea!
from phpseclib.
This especially allows you to hash data that comes from the network and goes onto the disk with low memory usage.
from phpseclib.
So in terms of an API I could do hash($string) and hashFile($filename) but that wouldn't support data that comes from the network and maybe goes to /dev/null. I guess I could do something like setContinuousMode() for hashing like I do for the various symmetric ciphers.
What do you think?
from phpseclib.
Yes, neither hash() nor hashFile() are sufficient. Even if you end up storing data on disk, you don't want to reread it just to calculate the hash.
$hasher = new Crypt_Hash('sha256');
$digestOfFile = $hasher->hashFile($filename);
$digestOfString = $hasher->hash($string);
// Progressive
$hasher->update('Msg1');
$hasher->update('Msg2');
$hasher->update('Msg3');
$result = $hasher->hash(); // hash without argument or finalize()
Inspired by http://code.google.com/p/crypto-js/#Progressive_Hashing
Not sure whether setContinuousMode()
would be a better idea. Maybe it is for consistency.
from phpseclib.
I would like to 👍 this issue.
I'm trying to validate the signature of a phar, without the phar
or openssl
extensions, that was signed using a private key.
from phpseclib.
Reading up on the phar signature format it doesn't look like they make use of public key crypto?
Here's a tool I wrote that'll verify hashes of a phar without progressive hashing:
<?php
include('Crypt/Hash.php');
$content = file_get_contents('composer.phar');
if (substr($content, -4) != 'GBMB') {
exit('no signature present');
}
switch (substr($content, -8, 4)) {
case "\x01\0\0\0": // md5
echo bin2hex(substr($content, -20, 16)) . "\r\n";
$hash = new Crypt_Hash('md5');
echo bin2hex($hash->hash(substr($content, 0, -20)));
break;
case "\x02\0\0\0": // sha1
echo bin2hex(substr($content, -28, 20)) . "\r\n";
$hash = new Crypt_Hash('sha1');
echo bin2hex($hash->hash(substr($content, 0, -28)));
break;
case "\x04\0\0\0": // sha256
echo bin2hex(substr($content, -40, 32)) . "\r\n";
$hash = new Crypt_Hash('sha256');
echo bin2hex($hash->hash(substr($content, 0, -40)));
break;
case "\x08\0\0\0": // sha512
echo bin2hex(substr($content, -72, 64)) . "\r\n";
$hash = new Crypt_Hash('sha512');
echo bin2hex($hash->hash(substr($content, 0, -64)));
}
For really large phar's I could def see how progressive hashing would be useful though..
from phpseclib.
You can find an example here.
I currently use Crypt_RSA->verify()
, but I have to read the entire phar (except the signature, signature size/type, and GBMB flag). The problem with this approach is that I have to assume that my user has set memory_limit
to a big enough value to hold a large phar.
from phpseclib.
Also see PHP functions hash_init(), hash_update() and hash_final() etc.
http://www.php.net/manual/en/ref.hash.php
from phpseclib.
The problem with PHP progressive hashing is that the hashing process can bot be interrupted and resumed in another PHP process. This is because there is no way to get the current state of a hash without finalising it. This is pretty bad for calculating a checksum of a file that is uploaded in chunks.
from phpseclib.
Also see https://github.com/bantuXorg/php-stream-filter-hash
from phpseclib.
For the php5 / 2.0 branch we can prob refactor / greatly simplify Crypt_Hash quite a bit. Remove mhash, the internal implementations of sha256, sha512, etc.
from phpseclib.
Related Issues (20)
- Undefined variable $name in function addFileFormat HOT 2
- CVE-2023-48795 - Terrapin Vulnerability HOT 3
- Unintended change causes lint failing in dependent packages with latest v3.0.35 HOT 1
- Notice: Trying to access array offset on value of type bool in /src/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php on line 2132 HOT 1
- a HOT 1
- Server Terminates Connection HOT 8
- add ssh3 support for faster connection HOT 1
- Using OpenSSH private key results in openssl_sign() - supplied key param cannot be coerced into a private key HOT 4
- `SFTP::put()` fails silently with no provided error information if path does not exist HOT 5
- ElGamal ECC encryption HOT 1
- Parse error: syntax error, unexpected 'const' (T_CONST), expecting variable (T_VARIABLE) HOT 5
- Issue with isConnected/isAuthenticated after remote terminal restart HOT 5
- openssl_x509_check_private_key always return cert and privatekey mismatch HOT 2
- SSH2 exec crashes while returning data & "Please close the channel (1) before trying to open it again" HOT 9
- Semantic versioning? HOT 13
- Add setPaddable func at the SymmetricKey class? HOT 2
- 2.0.47 is a breaking change | `AES::setKey` interface changed HOT 1
- Server crashes before NET_SSH2_MSG_KEXDH_REPLY HOT 2
- SSH2: Decryption Failures During Read HOT 7
- Load ASN.1 private key to generate an RSA signature HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from phpseclib.