Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:113015 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 56982 invoked from network); 28 Jan 2021 17:00:37 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 28 Jan 2021 17:00:37 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C7E171804D1 for ; Thu, 28 Jan 2021 08:42:37 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 28 Jan 2021 08:42:34 -0800 (PST) Received: by mail-lj1-f174.google.com with SMTP id r14so7123936ljc.2 for ; Thu, 28 Jan 2021 08:42:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JWpiPOA5BZoWDyqLyzMb1Z7enb6lDbm728Aj6DaqxsI=; b=NUvRQM5h9N2+riqG+jX4QYhJ20GNWNkcVv8VhBmHj4e7VpuJesOORfK0+Ps+sQP/rc nMvJhfFcFG/ddM4HyAd+Gj2cLpD0/3crASQwZBOT3xnL4FsEAaTKS2VhY3CgpxoDXVyx eQEIkUv7Ey+fLL7vIeCN6o3ei2vz2E0MwtUdJSztENPZV3tiXgvESKcUm+l9Yq4spzqB W06YRqXl8RZgyPRqPqWdvVkJEusSgekdDHEySe1qelOq9i9LErRIP5xo+/UTZZAdIZzG NFfBkP1erKXplxj2aZlJGndwnyjHcq1ts76m5uOUxtrWmzug0UgimcZ+XixxiCUEB+/Y soXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JWpiPOA5BZoWDyqLyzMb1Z7enb6lDbm728Aj6DaqxsI=; b=oaqESHHegzdCN0s6C/CAGHixXEaG5xUxHnNKfYHYsdkyIL3ikVoKKn+kCAUBrCqm+n YEOjJIFXezburcnS3ymdvOz1+zcoyKHxjr8rYDNhyqmmXfvYQgQzwxRWnPQcuOLQeGDo jUMQkoRjZpaOggIwQYJbLfV1OoqupGVNuF/qP2OvZdvEOyzlEqqIUf59YUfLLB/xMNjn 8qEYBF4cECff9SJqjsNRL14sI0n0ufMBiZIFFwcnQxJkvxTu9tbDZ1bSA2jFJMqiC/d9 N9I2UHHmgLJp7R+Tc4Hu2sClqXS3TwmjGvUyOc71u8OzKI9+q1gfjgZGNVE+HL0yNS7W +I7Q== X-Gm-Message-State: AOAM530GaDjMIjvLC9Tye8phg+m8VYBYVTnKT5r+wI9NCYeuAh8plIIh nG7fG+8ZkEN5RDcPen1P710Mi5X3Sx9C4yLxI3o= X-Google-Smtp-Source: ABdhPJxIntsROeynsZ20xt39jKLzQ3JWlDIusjCeZZ4gaku63CzMOZINjimrG+cZNgtwEBRzyD7uto+jvT74St26b9I= X-Received: by 2002:a2e:390d:: with SMTP id g13mr51792lja.23.1611852151662; Thu, 28 Jan 2021 08:42:31 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 28 Jan 2021 11:42:20 -0500 Message-ID: To: Benjamin Morel Cc: PHP Internals Content-Type: multipart/alternative; boundary="000000000000ee2c3605b9f892f1" Subject: Re: [PHP-DEV] password_verify() and unknown algos From: ircmaxell@gmail.com (Anthony Ferrara) --000000000000ee2c3605b9f892f1 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Jan 27, 2021 at 11:27 AM Benjamin Morel wrote: > Hi internals, > > I just spent some time debugging an authentication issue after upgrading > PHP, and realized that it was due to ext-sodium not being installed, so > password_verify() would always return false for argon2i hashes. > > Digging a bit more, I realized that password_verify() does not complain i= f > the algorithm is unknown, or if the hash string is malformed: > > var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // > false > > Shouldn't it throw an exception, or a least trigger a warning, when the > algorithm is unknown, or the hash is malformed? Returning false IMO, shou= ld > mean "I recognize this hash, but it doesn't match your password". "I don'= t > recognize this hash" is an application issue and should be reported. > > What do you think? > > Hey all, I just wanted to drop in and make a note here. When I designed password_verify, the lack of validation/errors on invalid hases was 100% explicit and intentional. The primary reason is to support multiple validation strategies in order to allow for migration paths between different storage mechanisms. Take an example where someone used to use Wordpress's custom phpass based $P$ system. They now want to migrate to bcrypt/argon/etc. If password_verify threw errors the validation system would need to introspect each hash to determine how to validate it (note, this happens in password_verify and the other validators already). But without errors, it becomes a simple fallthrough: function validate($password, $hash) { if (password_verify($password, $hash)) return true; if (legacy_verify($password, $hash) || other_legacy_verify($password, $hash)) { update_password_hash($password); return true; } return false; } There are definitely a fair number of applications that use the above method to ensure backwards compatibility and a solid upgrade path, and as such I would be resistant to adding warnings/errors/exceptions here. The case for "it's an application issue" is definitely valid, though that's also what password_info was added to provide (it is easy to introspect). One other point I'd make is to normally suggest not disclosing any information about cryptographic material via error handling mechanisms (it's too easy to expose to attackers). This is one of those dev-x/security tradeoffs. Does not throwing a warning improve security? Not in most cases. But can throwing a warning make an attackers job easier (or at least point them in the right direction)? Perhaps. My $0.02 at least Anthony =E2=80=94 Benjamin > --000000000000ee2c3605b9f892f1--