Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:113021
Return-Path: <jr@rushlow.dev>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 39366 invoked from network); 29 Jan 2021 15:03:10 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 29 Jan 2021 15:03:10 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 514851804A7
	for <internals@lists.php.net>; Fri, 29 Jan 2021 06:45:23 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <jr@rushlow.dev>
Received: from mail-oo1-f48.google.com (mail-oo1-f48.google.com [209.85.161.48])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 29 Jan 2021 06:45:21 -0800 (PST)
Received: by mail-oo1-f48.google.com with SMTP id z36so2360735ooi.6
        for <internals@lists.php.net>; Fri, 29 Jan 2021 06:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rushlow.dev; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=2r9svsICZVa0zzuoL/yjTcBURtkmg4Zfma2sSvdJUOQ=;
        b=UNqQ+WnMuhPT3qr3IcEkDG96a3C6eLe3+hvgKYKlY0ftsmtNlB238alCI36q5Ego+a
         QRoM2WwgCRNiHvmD4y5xJZLcBQBeqikKeruuQaOY1BNIlCSl148K8wgVgV7KIclaRVUy
         th5IKk7qhmKrbOG4iqIxv2t0zM5vbQJt8ghKmE+y+Hb2YXLdPvmK/vNTZ4Dd2/NM6A0A
         xwrp+5sfxJY2WCVeOKr5hB14TVEWBdlNZehUjbkaoJAOpJgzJ0YPz22HMzRjFvmmLSOA
         hQzZPumCvuaiu6uD88mWFdtVbE8UznqlW2T1BCX2gQY1EXu5dkvq/kDQ/ZpK9l/Kf3yI
         BEvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=2r9svsICZVa0zzuoL/yjTcBURtkmg4Zfma2sSvdJUOQ=;
        b=nMaGUgETGxAhpdKLL4skjUuqAQYktCo32vF6Hub5kdF7tN+FMdGI8xFV+cxYJ0QA1v
         QBcJ6CZpIm52FXZr8WIErhptpGDt/nqOwB8beFygfTYE5y3cLocPBzQayYubRuXgA3Sk
         RmVZfqKGXOskDs3EI9SA2nTAQcdTsBx1610dLmtHpzpEbbM95R0ji/1cmKuYCO2T90lu
         Gh/OWYon+aEshwT9SUSYtVbj27VUS7sNaYrlwFC4q7qHOLGS8xWwVim53yAFtON8ATCm
         4ccAljS7IGh0cx5bY4WR+fejUvAKUDv6C7NnTne8NIcy/KbrSMDa0mDnSntdUOgvTuxz
         S4pQ==
X-Gm-Message-State: AOAM532950kAP9Kos0j4IqVaHhh1kHKg9lqrqiIZi3S9PLvZXvT82VAO
	avwhWk0e1dwFaLNhyu9wBjW8isjfxnL3JOxxMnzX71uL7uTtiRcY
X-Google-Smtp-Source: ABdhPJz+Kp+GfVtbUjes2A8Vd7X9R+qQ8rNepTlKdcEHSAQJ5kcT4P5IV5GTGmdeDiUknXxnBWfu1btUEYzA/5nnQlk=
X-Received: by 2002:a4a:9092:: with SMTP id j18mr3258222oog.19.1611931519426;
 Fri, 29 Jan 2021 06:45:19 -0800 (PST)
MIME-Version: 1.0
References: <CAG9XoMQQLEWQABqy+cMzCcs_EeST5AQT2XxDwuK7EXDgVSQb0A@mail.gmail.com>
 <CAAyV7nGdUB7oNdjGdKSBEtZHOyoKnfgJNp8TXzV7fCFV0KsgQA@mail.gmail.com>
In-Reply-To: <CAAyV7nGdUB7oNdjGdKSBEtZHOyoKnfgJNp8TXzV7fCFV0KsgQA@mail.gmail.com>
Date: Fri, 29 Jan 2021 09:45:08 -0500
Message-ID: <CAES=RMvWUkiRS89V4v0_TEmtq7HD0XLXb+xfOoyOQKYL2r8U2g@mail.gmail.com>
To: PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000009e30af05ba0b0d58"
Subject: Re: [PHP-DEV] password_verify() and unknown algos
From: jr@rushlow.dev (Jesse Rushlow)

--0000000000009e30af05ba0b0d58
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

>
> There are definitely a fair number of applications that use the above
> method to ensure backwards compatibility and a solid upgrade path, and as
> such I would be resistant to adding warnings/errors/exceptions here.
>

I think Anthony makes a valid point, to preserve BC adding errors /
exceptions may not be the best approach by default. However having a third
param to password_verify(), that is false by default, that would allow for
an exception to be thrown in the event of an unknown algo / bad hash might
be a better path forward and would be totally beneficial in my opinion.

Thanks
Jesse Rushlow

On Thu, Jan 28, 2021 at 11:42 AM Anthony Ferrara <ircmaxell@gmail.com>
wrote:

> On Wed, Jan 27, 2021 at 11:27 AM Benjamin Morel <benjamin.morel@gmail.com=
>
> wrote:
>
> > Hi internals,
> >
> > I just spent some time debugging an authentication issue after upgradin=
g
> > PHP, and realized that it was due to ext-sodium not being installed, so
> > password_verify() would always return false for argon2i hashes.
> >
> > Digging a bit more, I realized that password_verify() does not complain
> if
> > the algorithm is unknown, or if the hash string is malformed:
> >
> >     var_export(password_verify('passw0rd', 'any/string%as|a$hash')); //
> > false
> >
> > Shouldn't it throw an exception, or a least trigger a warning, when the
> > algorithm is unknown, or the hash is malformed? Returning false IMO,
> should
> > mean "I recognize this hash, but it doesn't match your password". "I
> don't
> > recognize this hash" is an application issue and should be reported.
> >
> > What do you think?
> >
> >
> Hey all,
>
> I just wanted to drop in and make a note here. When I designed
> password_verify, the lack of validation/errors on invalid hases was 100%
> explicit and intentional. The primary reason is to support multiple
> validation strategies in order to allow for migration paths between
> different storage mechanisms.
>
> Take an example where someone used to use Wordpress's custom phpass based
> $P$ system. They now want to migrate to bcrypt/argon/etc. If
> password_verify threw errors the validation system would need to introspe=
ct
> each hash to determine how to validate it (note, this happens in
> password_verify and the other validators already). But without errors, it
> becomes a simple fallthrough:
>
> function validate($password, $hash) {
>     if (password_verify($password, $hash)) return true;
>     if (legacy_verify($password, $hash) || other_legacy_verify($password,
> $hash)) {
>         update_password_hash($password);
>         return true;
>     }
>     return false;
> }
>
> There are definitely a fair number of applications that use the above
> method to ensure backwards compatibility and a solid upgrade path, and as
> such I would be resistant to adding warnings/errors/exceptions here.
>
> The case for "it's an application issue" is definitely valid, though that=
's
> also what password_info was added to provide (it is easy to introspect).
>
> One other point I'd make is to normally suggest not disclosing any
> information about cryptographic material via error handling mechanisms
> (it's too easy to expose to attackers). This is one of those dev-x/securi=
ty
> tradeoffs. Does not throwing a warning improve security? Not in most case=
s.
> But can throwing a warning make an attackers job easier (or at least poin=
t
> them in the right direction)? Perhaps.
>
> My $0.02 at least
>
> Anthony
>
> =E2=80=94 Benjamin
> >
>

--0000000000009e30af05ba0b0d58--