Differences

This shows you the differences between two versions of the page.

--- rfc:secure_serialization [2015/12/30 20:03] – yohgaki
+++ rfc:secure_serialization [2018/03/01 23:18] (current) – RFC is Under Discussion carusogabriel
@@ Line 3: / Line 3: @@
   * Date: 2015-12-30
   * Author: Yasuo Ohgaki <yohgaki@php.net>
-  * Status: Draft
+  * Status: Under Discussion
   * First Published at: http://wiki.php.net/rfc/secure_serialization
@@ Line 20: / Line 20: @@
 ===== Proposal =====
-  * Add secure_serialize() and secure_unserialize() supports message authentication code generation/validation and expiration.
+  * Add serialize_mhac() and unserialize_mhac() supports message authentication code generation/validation and expiration.
 <code php>
-  string secure_serialize(mixed $data_to_be_serialized , string $secret_key [, int $ttl=1800 [,bool $session_only=TRUE]])
+  string serialize_mhac(mixed $data_to_be_serialized , string $secret_key [, int $ttl=1800 [,bool $session_only=TRUE]])
-  mixed secure_unserialize(mixed $data_to_be_unserialized , mixed $secret_keys)
+  mixed unserialize_mhac(mixed $data_to_be_unserialized , mixed $secret_keys)
 </code>
-==== How secure_serialize() works ====
+==== How serialize_mhac() works ====
 Pseudo code
@@ Line 37: / Line 37: @@
     return FALSE;
   }
-  if ($ttl <= 0) {
+  if ($ttl < 0) {
     trigger_error('Invalid TTL');
     return FALSE;
   }
-  $ttl = time() + $ttl;
+  $ttl = $ttl ? time() + $ttl : 0;
   $session_only = $session_only ? TRUE : FALSE;
   // Use random key to randomize $mac
@@ Line 69: / Line 69: @@
-==== How secure_unserialize() works ====
+==== How unserialize_mhac() works ====
 Pseudo code
 <code php>
-function secure_unserialize(string $data_to_be_unserialized, mixed $secret_key) : mixed {
+function unserialize_mhac(string $data_to_be_unserialized, mixed $secret_key) : mixed {
   if (strlen($secret_key) < 32) {
     trigger_error('Too short secret key');
@@ Line 81: / Line 81: @@
   // Unserialize special format
   $tmp = __unserialize__($data_to_be_unserialized);
-  if ($tmp['ttl'] < time() {
+  if ($tmp['ttl'] && $tmp['ttl'] < time() {
     // Serialized data is expired
     return FALSE;
@@ Line 93: / Line 93: @@
       $mac = hash_hmac(
         'sha256',
-        $tmp['ttl'].$tmp['key'].sha256($secret_key.session_id()).$tmp['data'],
+        $tmp['ttl'].$tmp['key'].sha256($k.session_id()).$tmp['data'],
         $k);
     } else {
@@ Line 101: / Line 101: @@
         $k);
     }
+    if ($mac !== $tmp['mac']) {
+       continue;
+    }
+    // Unserialize data normally and return
+    return unserialize($tmp['data']);
   }
+  return FALSE;
-  if ($mac !== $tmp['mac']) {
-    return FALSE;
-  }
-  // Unserialize data normally and return
-  return unserialize($tmp['data']);
 }
 </code>
@@ Line 158: / Line 158: @@
 If session module stores old session ID, automatic fallback to old session ID may be supported.
-Compatibility functions for older releases may be implemented as PHP script.
+Encryption is more secure than authentication code. Implement serialize_crypt/unserialize_crypt when standard encryption module is introduced.
 ===== Proposed Voting Choices =====

Differences

Page Tools