Newsgroups: php.internals
Xref: news.php.net php.internals:113007
Date: Wed, 27 Jan 2021 17:26:50 +0100
From: benjamin.morel@gmail.com (Benjamin Morel)
To: PHP Internals
Subject: password_verify() and unknown algos

Hi internals,

I just spent some time debugging an authentication issue after upgrading PHP, and realized that it was due to ext-sodium not being installed, so password_verify() would always return false for argon2i hashes.

Digging a bit more, I realized that password_verify() does not complain if the algorithm is unknown, or if the hash string is malformed:

var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // false

Shouldn't it throw an exception, or at least trigger a warning, when the algorithm is unknown, or the hash is malformed? Returning false, IMO, should mean "I recognize this hash, but it doesn't match your password". "I don't recognize this hash" is an application issue and should be reported.

What do you think?

— Benjamin
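One way an application can get the distinction the post asks for today, without waiting for a change in PHP itself: inspect the hash with password_get_info() before calling password_verify(), and treat an unrecognized format as a configuration error rather than a failed login. The code below is an added example, not part of the original message and not PHP's own implementation; the wrapper names verifyPasswordStrict() and checkAlgorithmAvailable() and the exception class are hypothetical, and it assumes PHP 7.4 or later, where password_get_info() reports 'algoName' => 'unknown' for hashes it cannot parse or whose algorithm is not compiled in.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post or from PHP itself).
// Distinguishes "hash not recognized by this build" from "wrong password",
// so a missing extension (e.g. argon2 support via libargon2 or ext/sodium)
// is surfaced as an error instead of silently failing every login.

final class UnrecognizedHashException extends RuntimeException {}

function verifyPasswordStrict(string $password, string $hash): bool
{
    // password_get_info() never throws; it returns 'unknown' for anything
    // it cannot map to a registered algorithm, including malformed strings
    // and hashes whose algorithm is not available in this PHP build.
    $info = password_get_info($hash);
    if ($info['algoName'] === 'unknown') {
        throw new UnrecognizedHashException(
            'Password hash uses an unsupported or malformed format'
        );
    }

    // Only now does false unambiguously mean "password does not match".
    return password_verify($password, $hash);
}

function checkAlgorithmAvailable(string $algoName): bool
{
    // Hypothetical startup check: the PASSWORD_ARGON2I / PASSWORD_ARGON2ID
    // constants are only defined when the build actually supports them,
    // so a deployment can fail fast instead of failing at first login.
    $constants = [
        'bcrypt'   => 'PASSWORD_BCRYPT',
        'argon2i'  => 'PASSWORD_ARGON2I',
        'argon2id' => 'PASSWORD_ARGON2ID',
    ];
    return isset($constants[$algoName]) && defined($constants[$algoName]);
}

// Constructed demo input: a low-cost bcrypt hash created locally.
$validHash = password_hash('passw0rd', PASSWORD_BCRYPT, ['cost' => 4]);

var_dump(verifyPasswordStrict('passw0rd', $validHash));
var_dump(verifyPasswordStrict('wrong-password', $validHash));

// The malformed string from the original post now raises instead of
// returning false.
try {
    verifyPasswordStrict('passw0rd', 'any/string%as|a$hash');
} catch (UnrecognizedHashException $e) {
    echo 'Configuration error: ', $e->getMessage(), PHP_EOL;
}

// Example startup check for a deployment that stores argon2i hashes.
if (!checkAlgorithmAvailable('argon2i')) {
    echo 'argon2i is not available in this PHP build', PHP_EOL;
}
```

Running checkAlgorithmAvailable() at boot (or in a health check) catches the situation the post describes, a PHP upgrade that drops argon2 support, before any user is locked out; the verifyPasswordStrict() wrapper then guarantees that an unrecognized hash is logged as an error rather than counted as a bad credential.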