In this RFC
https://wiki.php.net/rfc/argon2_password_hash
It looks like Argon2i is now implemented in PHP with the password_*
functions (though requires a compile flag ???)
Since the sodium extensions used the Argon2id variant by default, would
it be prudent to make sure the php password_* functions can verify 2d
and 2id variant hashes, even if it does not set them by default?
Real world scenario - WordPress plugin I am working on uses libsodium
for WordPress password management, upgrading users to Argon2id hashes as
they log in.
But if that plugin is ever removed, those users with upgraded hashes
then have to do a forgotten password reset because WordPress and PHP
native functions don't know what to do with an Argon2id hash.
But if PHP knew what to do with it natively, then maybe at least
WordPress installs on a new enough version of PHP wouldn't have an issue
when this plugin is installed and then at a later date removed.
Anyway it just seems to me that even if Argon2i is the only supported
variant for creating hashes, if the argon2 libraries are going to be
linked against, it wouldn't be a bad idea to support validating all
three of the argon2 variants.
> In this RFC
> https://wiki.php.net/rfc/argon2_password_hash
> It looks like Argon2i is now implemented in PHP with the password_*
> functions (though requires a compile flag ???)
Indeed, the password_*() API supports Argon2i as of PHP 7.2.0, if
properly configured with --with-password-argon2[1] (which is still
undocumented[2], by the way).
> Since the sodium extensions used the Argon2id variant by default, would
> it be prudent to make sure the php password_* functions can verify 2d
> and 2id variant hashes, even if it does not set them by default?
FWIW, there is already an RFC regarding support for Argon2id[3].
Hopefully, this will be implemented as of PHP 7.3.0.
[1] https://wiki.php.net/rfc/argon2_password_hash#configure_flag
[2] http://www.php.net/manual/en/password.installation.php
[3] https://wiki.php.net/rfc/argon2_password_hash_enhancements
--
Christoph M. Becker
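
The plugin-removal scenario from the first message, as an added example that is not part of the thread and not PHP or WordPress code: a verifier that tries password_*() first, falls back to the sodium extension for Argon2i/Argon2id hashes it does not recognise, and returns a distinct result when nothing on the install can process the hash. The function names `argon2_variant` and `verify_stored_hash` and the sample password are assumptions made for illustration.

```php
<?php
// Added example: the helper names below are hypothetical, not PHP or WordPress APIs.

/** Return the Argon2 variant named by a PHC-format hash prefix, or null. */
function argon2_variant(string $hash): ?string
{
    return preg_match('/^\$(argon2(?:id|i|d))\$/', $hash, $m) ? $m[1] : null;
}

/**
 * Check a password against a stored hash and say when this PHP build cannot
 * process the hash at all, instead of reporting it as a wrong password.
 *
 * @return string 'ok', 'mismatch' or 'unsupported'
 */
function verify_stored_hash(string $password, string $hash): string
{
    // 1. Anything password_*() recognises (bcrypt, and Argon2 variants when
    //    PHP was built with support for them) goes through password_verify().
    if (password_get_info($hash)['algoName'] !== 'unknown') {
        return password_verify($password, $hash) ? 'ok' : 'mismatch';
    }

    // 2. Argon2i/Argon2id hashes that password_*() does not know can still be
    //    checked by the sodium extension, if it is loaded.
    $variant = argon2_variant($hash);
    if (($variant === 'argon2id' || $variant === 'argon2i')
        && function_exists('sodium_crypto_pwhash_str_verify')) {
        return sodium_crypto_pwhash_str_verify($hash, $password) ? 'ok' : 'mismatch';
    }

    // 3. Nothing on this install can verify the hash (the "plugin removed" case).
    return 'unsupported';
}

// Constructed demo: hash a made-up password the way the plugin would, then verify.
if (function_exists('sodium_crypto_pwhash_str')) {
    $stored = sodium_crypto_pwhash_str(
        'correct horse (constructed sample)',
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    printf("variant: %s\n", argon2_variant($stored));
    printf("right password: %s\n", verify_stored_hash('correct horse (constructed sample)', $stored));
    printf("wrong password: %s\n", verify_stored_hash('wrong', $stored));
}
```

Keeping 'unsupported' separate from 'mismatch' lets a login path log the condition or start a reset flow deliberately, rather than rejecting every attempt as a bad password.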