Newsgroups: php.internals
Subject: Re: [PHP-DEV] Password Digest Registry
From: pollita@php.net (Sara Golemon)
To: Rowan Collins
Cc: PHP internals
Date: Thu, 18 Oct 2018 09:18:34 -0500

On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins wrote:
> On Thu, 18 Oct 2018 at 14:55, Sara Golemon wrote:
>> Unfortunately, I just sat down to implement it and noticed that we
>> have explicit test cases which verify that only hashes with a prefix
>> of "$2y" *and* a length of precisely 60 are identified as bcrypt. So
>> either we need to loosen that check (I'm trying to avoid BC breaks
>> here), or we create additional identification logic.
>
> Hm... what does length != 60 currently generate - presumably it's just
> an "unrecognised format" error of some sort?
>
For the purposes of rehash/verify, an "unknown algorithm" is equivalent
to bcrypt as a fallback. password_get_info() makes the distinction,
however.

> If so, we could keep BC by having a validate method in each handler,
> but only call it for hashes with the given prefix, and return an error
> if it returns false.
>
> That would address this, *and* provide that more-general mechanism.

+1

-Sara
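The mechanism Rowan sketches above (dispatch on prefix first, then ask only the matching handler to validate the full string, and error out if validation fails) can be modelled in a few lines of userland PHP. The following is an added example written for this thread; it is not php-src code and not the registry the RFC eventually shipped. The interface and class names (`HashHandler`, `HashRegistry`, `BcryptHandler`, `Argon2iHandler`) are assumptions, the argon2i shape check is a hypothetical illustration of a second handler, and the sample strings are constructed to have the right shape rather than being real digests. The bcrypt rule is the one quoted in the thread: "$2y" prefix and exactly 60 characters.

```php
<?php
// Added example, not php-src code: a model of prefix-dispatched validation.
// A handler's validate() is only consulted for hashes that carry its
// prefix, so the existing "$2y" + 60-character bcrypt test cases keep
// passing, while a hash that claims a prefix but fails validation is
// reported as an error instead of silently falling back to "unknown".

interface HashHandler
{
    public function prefix(): string;
    public function name(): string;
    public function validate(string $hash): bool;
}

final class BcryptHandler implements HashHandler
{
    public function prefix(): string { return '$2y$'; }
    public function name(): string { return 'bcrypt'; }

    public function validate(string $hash): bool
    {
        // Mirrors the rule cited in the thread: "$2y" prefix and length 60.
        return strlen($hash) === 60;
    }
}

final class Argon2iHandler implements HashHandler
{
    public function prefix(): string { return '$argon2i$'; }
    public function name(): string { return 'argon2i'; }

    public function validate(string $hash): bool
    {
        // Hypothetical shape check for illustration only:
        //   $argon2i$v=<n>$m=<n>,t=<n>,p=<n>$<salt>$<digest>
        return preg_match('~^\$argon2i\$v=\d+\$m=\d+,t=\d+,p=\d+\$[^$]+\$[^$]+$~', $hash) === 1;
    }
}

final class HashRegistry
{
    /** @var HashHandler[] */
    private $handlers = [];

    public function register(HashHandler $handler): void
    {
        $this->handlers[] = $handler;
    }

    /**
     * Returns the handler name for a valid hash, "unknown" when no handler
     * claims the prefix, and throws when a handler claims the prefix but
     * the hash fails that handler's validate().
     */
    public function identify(string $hash): string
    {
        foreach ($this->handlers as $handler) {
            $prefix = $handler->prefix();
            if (strncmp($hash, $prefix, strlen($prefix)) !== 0) {
                continue; // not this handler's prefix; never call its validate()
            }
            if (!$handler->validate($hash)) {
                throw new InvalidArgumentException(
                    sprintf('Malformed %s hash', $handler->name())
                );
            }
            return $handler->name();
        }
        return 'unknown';
    }
}

$registry = new HashRegistry();
$registry->register(new BcryptHandler());
$registry->register(new Argon2iHandler());

// Constructed sample strings (shape only, not real digests).
$samples = [
    '$2y$10$' . str_repeat('a', 53),                          // 60 chars: bcrypt
    '$2y$10$' . str_repeat('a', 40),                          // "$2y" but 47 chars: error
    '$argon2i$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$aGFzaGhhc2g',  // argon2i shape
    '$7$rounds=5$placeholder',                                // unclaimed prefix: unknown
];

foreach ($samples as $sample) {
    try {
        printf("%-24s => %s\n", substr($sample, 0, 24), $registry->identify($sample));
    } catch (InvalidArgumentException $e) {
        printf("%-24s => error: %s\n", substr($sample, 0, 24), $e->getMessage());
    }
}
```

Run with `php registry.php` (any file name). The second sample is the case raised in the thread: it carries the "$2y" prefix, so the bcrypt handler is consulted, and its length check fails, which surfaces as an explicit error rather than being treated as an unknown algorithm. The fourth sample matches no registered prefix and is reported as "unknown" without any handler's validate() being invoked.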