Newsgroups: php.internals
From: alice@librelamp.com (Alice Wonder)
To: internals@lists.php.net
Date: Sat, 14 Apr 2018 14:53:58 -0700
Subject: php and argon2

In this RFC https://wiki.php.net/rfc/argon2_password_hash

It looks like Argon2i is now implemented in PHP with the password_* functions (though requires a compile flag ???)

Since the sodium extensions used the Argon2id variant by default, would it be prudent to make sure the php password_* functions can *verify* 2d and 2id variant hashes, even if it does not set them by default?
Real world scenario - WordPress plugin I am working on uses libsodium for WordPress password management, upgrading users to Argon2id hashes as they log in. But if that plugin is ever removed, those users with upgraded hashes then have to do a forgotten password reset because WordPress and PHP native functions don't know what to do with an Argon2id hash. But if PHP knew what to do with it natively, then maybe at least WordPress installs on a new enough version of PHP wouldn't have an issue when this plugin is installed and then at a later date removed.

Anyway it just seems to me that even if Argon2i is the only supported variant for creating hashes, if the argon2 libraries are going to be linked against, it wouldn't be a bad idea to support validating all three of the argon2 variants.
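
The scenario in the message above, as an added example that is not part of the original post and is not the plugin's code: classify each stored hash by its prefix, verify it with whichever backend this PHP build has, and report which accounts would be stranded if the sodium-based plugin were removed. The function names and the sample hash strings are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.

// Classify a stored hash by its prefix.
function hash_variant(string $hash): string
{
    if (preg_match('/^\$(argon2(?:id|i|d))\$/', $hash, $m)) {
        return $m[1];                       // argon2id, argon2i or argon2d
    }
    return strncmp($hash, '$2y$', 4) === 0 ? 'bcrypt' : 'unknown';
}

// Can this PHP build verify the variant with password_verify() alone?
function natively_verifiable(string $variant): bool
{
    switch ($variant) {
        case 'bcrypt':   return true;
        case 'argon2i':  return defined('PASSWORD_ARGON2I');
        case 'argon2id': return defined('PASSWORD_ARGON2ID');
        default:         return false;      // argon2d and unrecognised formats
    }
}

// true/false = verification result; null = no available backend understands
// the hash, so the account would need a password reset.
function verify_stored_hash(string $password, string $hash): ?bool
{
    $variant = hash_variant($hash);
    if (natively_verifiable($variant)) {
        return password_verify($password, $hash);
    }
    if ($variant === 'argon2id' && function_exists('sodium_crypto_pwhash_str_verify')) {
        return sodium_crypto_pwhash_str_verify($hash, $password);
    }
    return null;
}

// Constructed sample values: only the prefixes matter for this audit.
$stored = [
    'user_a' => '$2y$10$CONSTRUCTEDbcryptPLACEHOLDER',
    'user_b' => '$argon2id$v=19$m=65536,t=2,p=1$CONSTRUCTED$PLACEHOLDER',
];
foreach ($stored as $user => $hash) {
    $variant = hash_variant($hash);
    printf("%s: %s, survives plugin removal: %s\n", $user, $variant,
        natively_verifiable($variant) ? 'yes' : 'no');
}
```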