Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:113009 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 65209 invoked from network); 27 Jan 2021 17:39:05 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 27 Jan 2021 17:39:05 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 8172F1804CF for ; Wed, 27 Jan 2021 09:20:51 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.4 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 27 Jan 2021 09:20:50 -0800 (PST) Received: by mail-lj1-f174.google.com with SMTP id a25so3032771ljn.0 for ; Wed, 27 Jan 2021 09:20:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xwCHQAiK5RM392zYDA5brmLX6SC5ZjJArwj4Qh3GtsU=; b=rE83OY7uuDslohsj3rXh8riXQyP6bt0n3so21AmZzu0/eVXGy7X6qB9E92crMQ2djP qAwi5jEW6UngJroSSH426sUYJvlRGfqvo4b6zAcuq2TaxQ8wCRKINETnRGspkoGqvchV WSpcbpX+cckroDJrcuJA0hMVU5ZRRX3YeU9rMvXiUqAT1Q2yeBisp88zLL9q8eF096rj Lyk7SzSqB4tbVPxFx6EUYlGMLyXkeycm6XbJd8tK8JeTbzCl4uAxG4y6+rbPpjwo+mcJ YsCQWsi9Mf2S3imR4dgF8RiACR5TJWvuJSEvboymP5SqrGBWTsXOVcMu78DYU8wzXvHT kx+g== X-Gm-Message-State: AOAM531+wCTvqNx2OvP3Tbbi7mZMuRMlG/23vXhzcOAK4n4s2Ci/TiW3 +CNv4cc+3/8owrPVYJu45774pEAruYyTNMI2RJDlSA== X-Google-Smtp-Source: ABdhPJygGqQ42NRluEFHM5Y2EFFm36J8X0BzWkClyXuAw7pOUP00lbT8P0HgF6NE6GrjwS7j7FZfqhAoi+yh4wqVDqI= X-Received: by 2002:a05:651c:48c:: with SMTP id s12mr6182193ljc.244.1611768048567; Wed, 27 Jan 2021 09:20:48 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Wed, 27 Jan 2021 11:20:37 -0600 Message-ID: To: Benjamin Morel Cc: PHP Internals Content-Type: multipart/alternative; boundary="000000000000fedb5d05b9e4fd3f" Subject: Re: [PHP-DEV] password_verify() and unknown algos From: pollita@php.net (Sara Golemon) --000000000000fedb5d05b9e4fd3f Content-Type: text/plain; charset="UTF-8" On Wed, Jan 27, 2021 at 10:27 AM Benjamin Morel wrote: > I just spent some time debugging an authentication issue after upgrading > PHP, and realized that it was due to ext-sodium not being installed, so > password_verify() would always return false for argon2i hashes. > > Digging a bit more, I realized that password_verify() does not complain if > the algorithm is unknown, or if the hash string is malformed: > > var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // > false > > Shouldn't it throw an exception, or a least trigger a warning, when the > algorithm is unknown, or the hash is malformed? Returning false IMO, should > mean "I recognize this hash, but it doesn't match your password". "I don't > recognize this hash" is an application issue and should be reported. > > +1 Two very different error cases deserve two very different handling modes. Technically the tools exist to examine a hash and compare it against a known list of algos, but that's honestly more work that the problem should require. Matching passwords should be idiot proof. -Sara --000000000000fedb5d05b9e4fd3f--