Support progressive hashing about phpseclib HOT 11 OPEN

Ya know... I had never even thought of that lol. But you're right - that's a really good idea!

from phpseclib.

This especially allows you to hash data that comes from the network and goes onto the disk with low memory usage.

from phpseclib.

So in terms of an API I could do hash($string) and hashFile($filename) but that wouldn't support data that comes from the network and maybe goes to /dev/null. I guess I could do something like setContinuousMode() for hashing like I do for the various symmetric ciphers.

What do you think?

from phpseclib.

Yes, neither hash() nor hashFile() are sufficient. Even if you end up storing data on disk, you don't want to reread it just to calculate the hash.

$hasher = new Crypt_Hash('sha256');

$digestOfFile = $hasher->hashFile($filename);
$digestOfString = $hasher->hash($string);

// Progressive
$hasher->update('Msg1');
$hasher->update('Msg2');
$hasher->update('Msg3');
$result = $hasher->hash(); // hash without argument or finalize()

Inspired by http://code.google.com/p/crypto-js/#Progressive_Hashing

Not sure whether setContinuousMode() would be a better idea. Maybe it is for consistency.

from phpseclib.

I would like to 👍 this issue.

I'm trying to validate the signature of a phar, without the phar or openssl extensions, that was signed using a private key.

from phpseclib.

Reading up on the phar signature format it doesn't look like they make use of public key crypto?

Here's a tool I wrote that'll verify hashes of a phar without progressive hashing:

<?php
include('Crypt/Hash.php');

$content = file_get_contents('composer.phar');

if (substr($content, -4) != 'GBMB') {
    exit('no signature present');
}

switch (substr($content, -8, 4)) {
    case "\x01\0\0\0": // md5
        echo bin2hex(substr($content, -20, 16)) . "\r\n";

        $hash = new Crypt_Hash('md5');
        echo bin2hex($hash->hash(substr($content, 0, -20)));
        break;
    case "\x02\0\0\0": // sha1
        echo bin2hex(substr($content, -28, 20)) . "\r\n";

        $hash = new Crypt_Hash('sha1');
        echo bin2hex($hash->hash(substr($content, 0, -28)));
        break;
    case "\x04\0\0\0": // sha256
        echo bin2hex(substr($content, -40, 32)) . "\r\n";

        $hash = new Crypt_Hash('sha256');
        echo bin2hex($hash->hash(substr($content, 0, -40)));
        break;
    case "\x08\0\0\0": // sha512
        echo bin2hex(substr($content, -72, 64)) . "\r\n";

        $hash = new Crypt_Hash('sha512');
        echo bin2hex($hash->hash(substr($content, 0, -64)));
}

For really large phar's I could def see how progressive hashing would be useful though..

from phpseclib.

You can find an example here.

I currently use Crypt_RSA->verify(), but I have to read the entire phar (except the signature, signature size/type, and GBMB flag). The problem with this approach is that I have to assume that my user has set memory_limit to a big enough value to hold a large phar.

from phpseclib.

Also see PHP functions hash_init(), hash_update() and hash_final() etc.
http://www.php.net/manual/en/ref.hash.php

from phpseclib.

The problem with PHP progressive hashing is that the hashing process can bot be interrupted and resumed in another PHP process. This is because there is no way to get the current state of a hash without finalising it. This is pretty bad for calculating a checksum of a file that is uploaded in chunks.

from phpseclib.

Also see https://github.com/bantuXorg/php-stream-filter-hash

from phpseclib.

For the php5 / 2.0 branch we can prob refactor / greatly simplify Crypt_Hash quite a bit. Remove mhash, the internal implementations of sha256, sha512, etc.

from phpseclib.