Newsgroups: php.internals
Date: Fri, 23 Apr 2021 16:52:29 -0500
From: pollita@php.net (Sara Golemon)
To: Kamil Tekiela
Cc: Niklas Keller, PHP internals
Subject: Re: [PHP-DEV] Binary (un)safety of password_hash() used with PASSWORD_BCRYPT

On Fri, Apr 23, 2021 at 2:56 PM Kamil Tekiela wrote:

> We can also consider switching the default to Argon2id.
> As Scott says the NUL byte truncation is not a bug in PHP, but a bug in
> the algorithm. I don't know the exact specification but maybe we should
> leave the current implementation as is?

The only way we can make argon2i(d) into the default is if it's always available. Currently, the only implementations we have are from external (non-system) libraries, and making those libraries required is essentially a non-starter.

-Sara
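
An added example, not part of the original message or of PHP's own code: one way an application can handle both points raised in this exchange, choosing Argon2id only when the running PHP build provides it and rejecting NUL-containing input before it reaches bcrypt. It assumes PHP 7.4 or later (for `password_algos()`); the function names `choosePasswordAlgo()` and `hashPassword()` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Prefer Argon2id when this build offers it, otherwise fall back to bcrypt.
 * Hypothetical helper, not a PHP built-in.
 */
function choosePasswordAlgo(): string
{
    // PASSWORD_ARGON2ID is only defined when PHP was built with Argon2 support;
    // password_algos() lists the algorithm IDs usable at runtime.
    if (defined('PASSWORD_ARGON2ID')
        && in_array(PASSWORD_ARGON2ID, password_algos(), true)) {
        return PASSWORD_ARGON2ID;
    }
    return PASSWORD_BCRYPT;
}

/**
 * Hash a password, refusing input that bcrypt would silently truncate.
 * Hypothetical helper, not a PHP built-in.
 */
function hashPassword(string $password): string
{
    $algo = choosePasswordAlgo();

    // The thread's concern: with bcrypt, bytes after the first NUL do not
    // contribute to the hash, so "abc\0def" and "abc\0xyz" would both verify.
    if ($algo === PASSWORD_BCRYPT && strpos($password, "\0") !== false) {
        throw new InvalidArgumentException(
            'Password contains a NUL byte; bcrypt would truncate it.'
        );
    }
    return password_hash($password, $algo);
}

// Constructed sample input: a binary-looking password with an embedded NUL.
$sample = "abc\0def";

try {
    $hash = hashPassword($sample);
    echo 'algo=', password_get_info($hash)['algoName'], PHP_EOL;
    // A candidate differing only after the NUL must not verify.
    var_dump(password_verify("abc\0xyz", $hash)); // false under Argon2id
} catch (InvalidArgumentException $e) {
    // Reached on builds without Argon2, where bcrypt is the fallback.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```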