Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75671
Return-Path: <adam@adamharvey.name>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 99710 invoked from network); 17 Jul 2014 17:51:07 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Jul 2014 17:51:07 -0000
Authentication-Results: pb1.pair.com smtp.mail=adam@adamharvey.name; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=adam@adamharvey.name; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain adamharvey.name designates 209.85.213.173 as permitted sender)
X-PHP-List-Original-Sender: adam@adamharvey.name
X-Host-Fingerprint: 209.85.213.173 mail-ig0-f173.google.com  
Received: from [209.85.213.173] ([209.85.213.173:53623] helo=mail-ig0-f173.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F2/B1-18859-DFC08C35 for <internals@lists.php.net>; Thu, 17 Jul 2014 13:50:53 -0400
Received: by mail-ig0-f173.google.com with SMTP id h18so6635438igc.0
        for <internals@lists.php.net>; Thu, 17 Jul 2014 10:50:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=adamharvey.name; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type:content-transfer-encoding;
        bh=7nNDIm72C4YZRpdf8rc0KnjYKL0QT4LVeIphttGPibU=;
        b=DmxXx7BRZZ6YopyXjvY+mmVCbNu4+0W9uqM/ZXN0ygNxNwRud6zIaSqdv1jt5dXVIC
         onSdHZFoKojNANpoXcB7qH0mqbKQx/CpjqOtBGqpPlfhJSSU1SvrJo26cfUzmR2EWanT
         prV51wHFoxp7pQwKyMjxiPeYXkw/WZBw1BPRA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-type
         :content-transfer-encoding;
        bh=7nNDIm72C4YZRpdf8rc0KnjYKL0QT4LVeIphttGPibU=;
        b=N6iEMQBi1LNqtRxkER+/4ht74fWWpUSGQUoJLvqma95/EJjn+wONaKNvlHSa3MR12C
         JquASwE99e+N+e2Y/3YXqfEbkdZhGuSRT9UHhSGoqloJyY4SQ4xVZIGV0+28hGWbMQL5
         ZWjMLAOo7aNkKDu1PRbvr0xEct3ogwszofauj+CyXIEUc+yKEWQEeJyIbfRMpq6DCRxE
         iL0ZCrbTt7F8owjyMeFfeX5IAsjICvYgZuYFUrYvA0J1+Q3tjP+Xq9+31O7GmIbZvQBl
         YEujX1hJPM5N1u71pnr7gcTUmWyjZnMoSk6Dzu7Zwt6XGC15yq1ZaooWs3kLPEKhDv47
         wmzw==
X-Gm-Message-State: ALoCoQlKIbYkjCvnBbyoWbvOcjZIwW0V+nzkcUBFd0nvDtmTm5ouqXonxr8Yxr1zEFDx0J9r7OEQ
X-Received: by 10.43.159.67 with SMTP id lx3mr36192614icc.58.1405619449712;
 Thu, 17 Jul 2014 10:50:49 -0700 (PDT)
MIME-Version: 1.0
Sender: adam@adamharvey.name
Received: by 10.42.164.1 with HTTP; Thu, 17 Jul 2014 10:50:29 -0700 (PDT)
In-Reply-To: <CAHMUw2GyQOevKfZXuyd7S-PPUnShVVeoRvZNHK3q9w1yEe1wow@mail.gmail.com>
References: <CAGa2bXYP4L-EVjqiTvrOjbiRvzQJ7zyTQyu78O1AEEkk7nwEhQ@mail.gmail.com>
 <CAESVnVqBxo0VCYM_4V4_KzrD1+-F-0ipumrr_a=mAwaYje10Og@mail.gmail.com>
 <CAGa2bXa48gEEcE_DWE27B3UHD0Yi12bFVZsx-9t_anHunkj5Dg@mail.gmail.com>
 <CAHMUw2FLW06ABT=1RoH2gMuM7HbGDdSnLzxqfv8wNVp0rzfw+Q@mail.gmail.com>
 <CAGa2bXZF5sznggoYRFTtngO32b60NVG=6KqUBDB3guGb7_8oMA@mail.gmail.com> <CAHMUw2GyQOevKfZXuyd7S-PPUnShVVeoRvZNHK3q9w1yEe1wow@mail.gmail.com>
Date: Thu, 17 Jul 2014 10:50:29 -0700
X-Google-Sender-Auth: Iqhc8lHdE8k_VyA1VofIsBPHAVo
Message-ID: <CADajX4C9sip=57QGaacZVq9cmAFhH6CJWpvSSjB7c921TGsJMQ@mail.gmail.com>
To: Tjerk Meesters <tjerk.meesters@gmail.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, Sara Golemon <pollita@php.net>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] crypt() BC issue
From: aharvey@php.net (Adam Harvey)

On 16 July 2014 23:16, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
> On Thu, Jul 17, 2014 at 10:25 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote=
:
>
>> Hi Tjerk,
>>
>> On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters <tjerk.meesters@gmail.c=
om
>> > wrote:
>>
>>> Why should `password_verify()` work on a hash that wasn't generated wit=
h
>>> `password_hash()`? The fact that it uses `crypt()` internally should no=
t
>>> leak outside of its API, imho.
>>
>>
>> password_*() is designed as crypt() wrapper and this fact is documented
>> since it was released.
>>
>> Obsolete password hash is easy to verify with password_needs_rehash().
>> Developers can check password database easily with password_needs_rehash=
().
>>
>
> The documentation states that the `hash` argument to both
> `password_needs_rehash()` and `password_verify()` is:
>
>     hash - A hash created by password_hash().

Whoa. Don't put too much stock in that =E2=80=94 I think I made that up out=
 of
whole cloth while trying to get _something_ into the manual for one of
the early alpha releases of 5.5, and it wasn't intended as a
restrictive statement.

> Passing a value from your own crypt() implementation may work, but that
> shouldn't be relied upon. I certainly wouldn't classify it as a problem
> that should be fixed in the password api.

The original RFC specified that both crypt() and password_hash()
hashes were accepted here, and that's probably what the documentation
should say too.

Adam