Newsgroups: php.internals
Xref: news.php.net php.internals:103322
Date: Tue, 16 Oct 2018 14:43:19 +0100
To: Sara Golemon
Cc: PHP internals
Subject: Re: [PHP-DEV] Password Digest Registry
From: rowan.collins@gmail.com (Rowan Collins)

On Tue, 16 Oct 2018 at 13:48, Sara Golemon wrote:

> I don't consider the current internal API proposal fixed,
> particularly, I'm not too keen on the algorithm identification. What
> I've presented is a callback for a mechanism to say "Yes, I can verify
> that signature", but this means we must ask all mechanisms. A more
> direct means might involve "search for /^\$mechanismName\$/", but not
> only is this already insufficient for bcrypt (identified by $2y$), but
> it'll probably be worse later on. If anyone has better ideas here,
> I'm totes open.

As I understand it, the purpose of the $foo$ syntax is to uniquely identify each algorithm, so would it make sense to pass the prefix string to the register call, and maintain a lookup table internally of prefix => handler?

    struct php_password_algo {
        const char* name;   // Symbolic name of the algorithm, e.g. "argon2id"
        const char* prefix; // Prefix used for hashes in this algorithm, e.g. "2y"
        zend_string* (*hash)(const zend_string* password, zend_array* options);
        zend_bool (*verify)(const zend_string* password, const zend_string* hash);
        zend_bool (*needs_rehash)(const zend_string* hash, zend_array *options);
        int (*get_info)(zval *return_value, const zend_string* hash);
    };

If an extension wants to reuse an implementation for more than one prefix (e.g. minor variations in algorithm) it can just register multiple "handlers" which happen to have the same function pointers; and if multiple extensions try to register for the same prefix, the error can be detected immediately at startup.

Determining the algorithm would then involve extracting the prefix from the hash and looking it up in the registry.

You mention ext/sodium checking if ext/standard has already registered some or all of its algorithms, but don't specify a method to do so; if the registry was prefix-oriented, there could be a standard API such as:

    PHPAPI const php_password_algo* php_password_algo_for_prefix(const char* prefix);

Or simply:

    PHPAPI zend_bool php_password_algo_is_registered(const char* prefix);

Regards,
--
Rowan Collins
[IMSoP]
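
The prefix-keyed registry suggested in this message, as an added example that is not part of the original e-mail or of PHP's source. It assumes plain C strings in place of zend_string, a fixed-size table, and hypothetical demo_* names; it shows duplicate-prefix rejection at registration and exact-match lookup of the text between the first two '$' of a hash.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for the struct in the message (assumption: C strings,
 * only the verify handler is kept). All demo_* names are hypothetical. */
typedef struct demo_algo {
    const char *name;    /* symbolic name, e.g. "argon2id" */
    const char *prefix;  /* text between the first two '$', e.g. "2y" */
    int (*verify)(const char *password, const char *hash);
} demo_algo;

#define DEMO_MAX_ALGOS 16  /* assumed table size */
static const demo_algo *registry[DEMO_MAX_ALGOS];
static size_t registry_len;

/* Exact-length match, so "argon2i" never answers for "argon2id". */
static const demo_algo *lookup(const char *prefix, size_t len) {
    for (size_t i = 0; i < registry_len; i++) {
        const char *p = registry[i]->prefix;
        if (strlen(p) == len && memcmp(p, prefix, len) == 0)
            return registry[i];
    }
    return NULL;
}

/* Returns 0 on success; -1 on a bad entry, a duplicate prefix or a full
 * table, so a conflict between two extensions surfaces at startup. */
int demo_register(const demo_algo *algo) {
    if (!algo || !algo->prefix || !algo->prefix[0] || strchr(algo->prefix, '$'))
        return -1;
    if (lookup(algo->prefix, strlen(algo->prefix)) || registry_len == DEMO_MAX_ALGOS)
        return -1;
    registry[registry_len++] = algo;
    return 0;
}

const demo_algo *demo_algo_for_prefix(const char *prefix) {
    return prefix ? lookup(prefix, strlen(prefix)) : NULL;
}

/* Extract "<prefix>" from "$<prefix>$..." and look it up. A hash with no
 * leading '$', no closing '$' or an empty prefix has no handler: NULL. */
const demo_algo *demo_algo_for_hash(const char *hash) {
    if (!hash || hash[0] != '$')
        return NULL;
    const char *end = strchr(hash + 1, '$');
    if (!end || end == hash + 1)
        return NULL;
    return lookup(hash + 1, (size_t)(end - (hash + 1)));
}
```

A caller that gets NULL from demo_algo_for_hash should treat the hash as unverifiable rather than fall back to trying every registered handler.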