Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:98635 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 80722 invoked from network); 25 Mar 2017 13:16:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Mar 2017 13:16:09 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.220 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.220 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.220] ([81.169.146.220:21804] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6F/8F-40046-79D66D85 for ; Sat, 25 Mar 2017 08:16:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1490447763; l=4796; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=6qK+WehBujE53e38A/sPVVXFnOVzoGrChY44LIs7Lmw=; b=MlQYJkWHJwbYRtDZGttzxLJ3JPal6EQNwlH0PUA/RdQ6xygajGVGK4p0tWPGSCF1HF LCAPen2oPwBOL2SpFHGgHMClEKRCWvHScMnPBG73xJXHfGRUzTCjrDpA1RwWmb5iJsfQ 42X028HbYq+cKJJDz7mhrzrLYgV9+CTlBEky0= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNJBqD/t9k= X-RZG-CLASS-ID: mo00 Received: by mail-qt0-f177.google.com with SMTP id x35so9911087qtc.2 for ; Sat, 25 Mar 2017 06:16:03 -0700 (PDT) X-Gm-Message-State: AFeK/H3MmM7+GimamzOrv33yEvAdPpGK8Usjeqc2uKSPu7OIwf1NT05EewbzqjHW3f8Rq+tuS1lP6jzW+zcmaQ== X-Received: by 10.200.57.1 with SMTP id s1mr12362469qtb.236.1490447762670; Sat, 25 Mar 2017 06:16:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.12.144.167 with HTTP; Sat, 25 Mar 2017 06:16:02 -0700 (PDT) In-Reply-To: References: Date: Sat, 25 Mar 2017 14:16:02 +0100 X-Gmail-Original-Message-ID: Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" , Andrey Andreev Content-Type: multipart/alternative; boundary=001a113a6e3473e2df054b8de955 Subject: Re: [PHP-DEV] [RFC] [VOTE] Improve hash_hkdf() parameter From: me@kelunik.com (Niklas Keller) --001a113a6e3473e2df054b8de955 Content-Type: text/plain; charset=UTF-8 https://wiki.php.net/rfc/improve_hash_hkdf_parameter#backward_incompatible_changes says "It is merged into PHP 7.1.2.", but doesn't talk about what it's supposed to say: It breaks BC with the already released implementation. https://wiki.php.net/rfc/improve_hash_hkdf_parameter#rfc_impact says "None.", while it's clearly a BC break. https://wiki.php.net/rfc/improve_hash_hkdf_parameter#unaffected_php_functionality says "Nothing is affected. hash_hkdf() is new function does not affect any.", but hash_hkdf has been released with PHP 7.1.2 and therefore is no longer a new (unreleased) function. The BC break and those misleading / wrong paragraphs are enough to vote against. Regards, Niklas 2017-03-25 3:25 GMT+01:00 Yasuo Ohgaki : > Hi all, > > Since hash_hkdf() is in PHP 7.1.2, I start vote from today. > > Current hash_hkdf() function signature does not make sense. > > - hash_hkdf() is simple hash_hmac() extension, yet it has totally > different signature. > - Return value is binary unlike other hash functions. > - The signature is insecure. > > https://wiki.php.net/rfc/improve_hash_hkdf_parameter > > Current signature is overly optimized very limited crypto operation > and cannot be optimal by above reasons. > > Fortunately, almost all users are not using current hash_hkdf(). > It's only from 7.1.2 to 7.1.4 now. We should avoid yet another > new inconsistent and insecure function. It would be better to be > fixed ASAP, IMHO. > > Vote start: 2017-03-25 > Vote end: 2017-04-06 UTC 23:59:59 > > Thank you for voting. > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > --001a113a6e3473e2df054b8de955--