Subject: Re: [PHP-DEV] crypt() BC issue
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Tjerk Meesters
Cc: Sara Golemon, internals@lists.php.net
Date: Thu, 17 Jul 2014 19:31:53 +0900

Hi Tjerk,

On Thu, Jul 17, 2014 at 3:16 PM, Tjerk Meesters wrote:

> On Thu, Jul 17, 2014 at 10:25 AM, Yasuo Ohgaki wrote:
>
>> Hi Tjerk,
>>
>> On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
>>
>>> Why should `password_verify()` work on a hash that wasn't generated with
>>> `password_hash()`? The fact that it uses `crypt()` internally should not
>>> leak outside of its API, imho.
>>
>> password_*() is designed as a crypt() wrapper, and this fact has been documented
>> since it was released.
>>
>> An obsolete password hash is easy to verify with password_needs_rehash().
>> Developers can check a password database easily with
>> password_needs_rehash().
>
> The documentation states that the `hash` argument to both
> `password_needs_rehash()` and `password_verify()` is:
>
>     hash - A hash created by password_hash().
>
> Passing a value from your own crypt() implementation may work, but that
> shouldn't be relied upon. I certainly wouldn't classify it as a problem
> that should be fixed in the password API.

It's easier to change crypt() behavior, since password_*() is a crypt() wrapper.

Are we going to relax the crypt() restriction permanently? It's OK for me. Users are better off using password_*() anyway.

We must remove the 72-byte restriction in password_*() ASAP, though, i.e. blowfish truncates passwords longer than 72 bytes.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
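The two behaviours discussed in the thread, as an added example that is not part of the original message: bcrypt ignoring everything past the 72nd byte of a password, and password_needs_rehash() flagging a legacy crypt() hash that password_verify() still accepts. It assumes PHP 5.5 or later (the password_* functions); the function names and the constructed sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Shows that a bcrypt ($2y$) hash
// only covers the first 72 bytes of the password, so a longer password that
// shares those 72 bytes verifies as the same password.
function bcryptTruncationDemo(): array
{
    $base = str_repeat('a', 72);                                       // exactly 72 bytes
    $hash = password_hash($base, PASSWORD_BCRYPT, ['cost' => 4]);      // low cost for a fast demo
    return [
        'same_72_bytes'  => password_verify($base, $hash),                 // true
        'longer_passes'  => password_verify($base . 'EXTRA', $hash),       // true: bytes past 72 are ignored
        'shorter_fails'  => password_verify(substr($base, 0, 71), $hash),  // false
    ];
}

// password_verify() accepts any crypt()-style hash, so a legacy MD5-crypt ($1$)
// entry from an old password database still verifies. password_needs_rehash()
// reports that it is not a current bcrypt hash, which is the cue to re-hash the
// password with password_hash() on the next successful login.
function legacyHashCheck(string $password, string $storedHash): array
{
    $ok          = password_verify($password, $storedHash);
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT);
    $newHash     = ($ok && $needsRehash) ? password_hash($password, PASSWORD_BCRYPT) : null;
    return ['verified' => $ok, 'needs_rehash' => $needsRehash, 'upgraded_hash' => $newHash];
}

// Constructed sample: a legacy MD5-crypt hash of "secret" with salt "saltsalt".
$legacyHash = crypt('secret', '$1$saltsalt$');

var_dump(bcryptTruncationDemo());            // same_72_bytes/longer_passes true, shorter_fails false
var_dump(legacyHashCheck('secret', $legacyHash)); // verified true, needs_rehash true, upgraded_hash "$2y$..."
```

Running the truncation demo is also a quick way to check whether a given PHP build still silently truncates at 72 bytes rather than rejecting longer input.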