Newsgroups: php.internals
Subject: Re: [PHP-DEV] Binary (un)safety of password_hash() used with PASSWORD_BCRYPT
From: pollita@php.net (Sara Golemon)
To: Claude Pache
Cc: PHP internals
Date: Thu, 22 Apr 2021 09:09:17 -0500

On Thu, Apr 22, 2021 at 3:20 AM Claude Pache wrote:

> Also, the warning message you introduced contains "... this hash should be regenerated using ...".
> There is already a dedicated function for conveying that information in a coder-friendly way,
> namely `password_needs_rehash()`: let's use that (it implies that the default algorithm should be changed).

Negative. There's no way for password_needs_rehash() to know that the original password contained a null byte.

1/ Because the original password isn't sent to password_needs_rehash, only the generated hash.

2/ Because even if you could derive what password was used to generate the hash, there's no way to tell if it was "foo" or "foo\0bar"; they would both generate the same hash (given the same salt).

-Sara
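A guard that applies the reasoning in this reply, added here as an example (it is not code from php-src or from anyone in this thread): because password_needs_rehash() only ever sees the stored hash, a NUL-byte check has to live where the plaintext is available, in front of password_hash() and password_verify(). The function names, the exception type and the cost values are my own choices.

```php
<?php
declare(strict_types=1);

// bcrypt reads its key as a C string, so "foo" and "foo\0bar" produce the same
// hash under the same salt, and nothing about the stored hash reveals which one
// was used. The only place the truncation can be caught is at the plaintext.

/** True if bcrypt would silently ignore part of this password (embedded NUL). */
function bcrypt_would_truncate(string $password): bool
{
    return strpos($password, "\0") !== false;
}

/** Hash with bcrypt, refusing any input the algorithm would truncate. */
function bcrypt_hash_checked(string $password, int $cost = 12): string
{
    if (bcrypt_would_truncate($password)) {
        throw new InvalidArgumentException(
            'bcrypt passwords must not contain a NUL byte; bytes after it would be ignored'
        );
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verify with the same guard. A candidate containing a NUL is rejected outright
 * instead of being compared as its prefix, so "foo\0bar" can never log in as
 * "foo". Returns false rather than throwing, so it can sit in a login path.
 */
function bcrypt_verify_checked(string $password, string $hash): bool
{
    if (bcrypt_would_truncate($password)) {
        return false;
    }
    return password_verify($password, $hash);
}

// Demonstration on constructed inputs; cost 4 is the minimum and keeps it quick.
$hash = bcrypt_hash_checked('foo', 4);

var_dump(bcrypt_verify_checked('foo', $hash));      // the genuine password
var_dump(bcrypt_verify_checked("foo\0bar", $hash)); // rejected by the guard, not by bcrypt

try {
    bcrypt_hash_checked("foo\0bar", 4);             // refused before hashing
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php guard.php`; the guard is deliberately independent of whichever PHP version first warns or errors on NUL bytes itself, since the stored hashes it protects may predate that.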