Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:103326 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 7975 invoked from network); 18 Oct 2018 17:41:58 -0000 Received: from unknown (HELO mail-qk1-f176.google.com) (209.85.222.176) by pb1.pair.com with SMTP; 18 Oct 2018 17:41:58 -0000 Received: by mail-qk1-f176.google.com with SMTP id x11-v6so1531085qkl.7 for ; Thu, 18 Oct 2018 06:55:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4/ffI13B2KzqhIj6FssKuMe1EToXXdiBD2J0BISKXag=; b=mKFMpIsbD6vFYVas0nKGVuUHx2+X6vhdWlHwn5NVW8JMDCRy29xMrFZT4QMkXmLViy orjq71FOA1suFzbrgy0FklJqsrXLF78Qgk/5Pf+ToIdFjdsAvKEsMeAApYRfXGMj7bWH UN5EF34z5XPttkaFVXbvZUpOKF1/0bFpxCi5dSAPyXpdXsVlZLKZBA3Tjz8qeCVb5TZA jHWif9x2yo7cwS1ogdUYWh4ibOqNb1iZj7BjsdpNECy8cTtprnSsz5HqF0Oh/yRG2SzR xt+MWUpSFiu9z7LBHclNsbFAZ6p4yMFKRKZ5qfUVHirZTD5lleyUow/BldvX6vQuEhNc Ihxg== X-Gm-Message-State: ABuFfohp3OC2u8nCIE2v1CkajZS1XL99rL3fQeeYZveCzSFLZZBUAr7R sRRbAiOCIr/ifkWhKBUzLUCKWPOqgDItXHI1yMdOvA== X-Google-Smtp-Source: ACcGV62Rkl71k80/H0P+iYkmsQMtBe4+gppbcjf67k+1L3JA6BrEFoIAMQZrD0lsUOQth7+LSfYTnVS7020NvdCJCXk= X-Received: by 2002:a37:e21a:: with SMTP id g26-v6mr28236470qki.330.1539870936780; Thu, 18 Oct 2018 06:55:36 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 18 Oct 2018 08:55:25 -0500 Message-ID: To: Rowan Collins Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Password Digest Registry From: pollita@php.net (Sara Golemon) On Tue, Oct 16, 2018 at 11:54 AM Rowan Collins wr= ote: > On Tue, 16 Oct 2018 at 16:35, Sara Golemon wrote: >> On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins = wrote: >> > As I understand it, the purpose of the $foo$ syntax is to uniquely ide= ntify >> > each algorithm, so would it make sense to pass the prefix string to th= e >> > register call, and maintain a lookup table internally of prefix =3D> h= andler? >> > >> If that's an assumption we can definitely make, then absolutely, that >> simplifies a lot of the design. When preparing this I wasn't 100% >> confident that this would hold true (maybe >> $foo${hashspecificstuff},v=3D1 is different from >> $foo${hashspecificstuff},v=3D2), and I didn't want to create a problem >> for future us. But I suppose we can always extend the protocol if it >> comes to that. > > I think encoding that assumption in PHP is following the general consensu= s, and in the absence of a stronger standard we're not obliged to follow an= implementation that varies from that consensus anyway. In other words, if = someone implements MyAwesomeHash as a C library that doesn't use a unique p= refix of the appropriate form, the PHP wrapper can always prepend $MyAwesom= eHash$ to the C library's output, and strip it off again when verifying. > Thanks for the research! I was hoping this was the case, I just hadn't managed to confirm it. Unfortunately, I just sat down to implement it and noticed that we have explicit test cases which verify that only hashes with a prefix of "$2y" *and* a length of precisely 60 are identified as bcrypt. So either we need to loosen that check (I'm trying to avoid BC breaks here), or we create additional identification logic. My personal take is that, given a preference for maintaining BC, we should should keep a more generalized ident callback, even though the fixed prefix is cleaner and more expedient. If we're willing to break some BC, then I'd *also* vote in favor of making the algo identifiers be strings instead of numbers. -Sara