[RFC][DISCUSSION] Argon2id in Password Hash

Hello Internals,

I would like to propose adding Argon2id to the password_* functions in PHP 7.3.

An RFC1 has been prepared which covers implementation details, and some common questions & concerns that I have anticipated. This RFC also includes a tested and working implementation2 to illustrate changes to PHP itself.

The biggest question at this time is how we want to handle versioning of the Argon2 reference library. The RFC covers this issue in detail and provides a solution that ensures no BC breakage for existing users.

I look forward to hearing your feedback. Thanks.

1 https://wiki.php.net/rfc/argon2_password_hash_enhancements
2: https://github.com/php/php-src/compare/master...charlesportwoodii:argon2_password_hash_enhancements?expand=1

---

Charles R. Portwood II

Hello Internals,

I would like to follow up on the RFC to add Argon2id to the password_* functions in PHP 7.3. The discussion itself1 didn’t seem to gather much attention since it was posted in February, however there has been some discussions2 in a separate thread inquiring about the status of Argon2 in PHP in general.

I’ve updated the RFC3 based upon discussions I’ve had with individuals outside of the mailing list. With this update the RFC now recommends forcing an libargon2 version >= 20161029 during configure for the --with-password-argon2 flag, providing password_* with support for both Argon2i and Argon2id.

I would like to target PHP 7.3 with this RFC. Since there haven’t been any major discussion points raised since the RFC is introduced back in February, I would like to offer another an opportunity for additional discussion before I submit this RFC for a vote in the next few weeks.

I look forward to hearing your feedback! Thanks.

Charles R. Portwood II