Hi,
Using the "crypt" function is a mess
(perhaps one of the reasons for password_hash)
This proposal provides more bindings:
- crypt_gensalt($salt, $count)
- crypt_preferred_method()
- crypt_checksalt($salt)
And more algos:
- scrypt
- yescrypt
- gost-yescrypt
These were already usable but very hard to use without a salt.
Small breaking change:
CRYPT_* constants are now strings with the algo prefix
See https://github.com/php/php-src/pull/15870
A single test for now, showing usage and checking
compatibility with password_hash
Open for discussion
Remi
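
The bindings listed in this message, used together to create and verify a hash (an added example, not code from the thread, the PR or the xpass extension). It assumes the three functions are loaded, that the arguments follow the `crypt_gensalt($salt, $count)` listing, that `crypt_checksalt()` returns 0 for an acceptable setting as libxcrypt's C function does, and that `crypt_preferred_method()` returns a prefix string; `make_hash` and `check_hash` are hypothetical helper names.

```php
<?php
// Added illustration, not code from the PR or the xpass extension.
// Assumes the three bindings listed in the message are loaded.
foreach (['crypt_gensalt', 'crypt_checksalt', 'crypt_preferred_method'] as $fn) {
    if (!function_exists($fn)) {
        fwrite(STDERR, "$fn() is not available in this PHP build\n");
        exit(1);
    }
}

function make_hash(string $password, string $prefix, int $count = 0): string
{
    // Argument order follows the crypt_gensalt($salt, $count) listing;
    // count 0 is assumed to mean "library default cost".
    $setting = crypt_gensalt($prefix, $count);
    if (!is_string($setting) || $setting === '') {
        throw new RuntimeException("no setting string for prefix $prefix");
    }
    // Assumption: 0 means "acceptable", as with libxcrypt's C function.
    if (crypt_checksalt($setting) !== 0) {
        throw new RuntimeException('setting rejected by crypt_checksalt()');
    }
    $hash = crypt($password, $setting);
    // PHP's crypt() returns a short failure token ("*0" or "*1") on error.
    if ($hash === '' || $hash[0] === '*') {
        throw new RuntimeException('crypt() does not support this setting');
    }
    return $hash;
}

function check_hash(string $candidate, string $stored): bool
{
    // Re-hash with the stored hash as the setting, compare in constant time.
    return hash_equals($stored, crypt($candidate, $stored));
}

// Assumption: returns a prefix string such as "$y$"; fall back to yescrypt.
$prefix = crypt_preferred_method() ?: '$y$';
// Constructed sample password, for illustration only.
$stored = make_hash('correct horse battery staple', $prefix);

var_dump(check_hash('correct horse battery staple', $stored));
var_dump(check_hash('wrong guess', $stored));
// password_verify() also goes through crypt(), so it accepts the same hash.
var_dump(password_verify('correct horse battery staple', $stored));
```
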
> This proposal provides more bindings:
> - crypt_gensalt($salt, $count)
> - crypt_preferred_method()
> - crypt_checksalt($salt)
> And more Algo
> - scrypt
> - yescrypt
> - gost-yescrypt
Assuming the intended use case is compatibility with /etc/shadow or
something similar, would it not make sense to add these algos to the
password_hash function, and not add new functions?
I'm probably missing some valid use cases for having separate
functions for gen/check salt, so please
disregard this comment if that's the case :)
On 13/09/2024 at 09:57, Ayesh Karunaratne wrote:
> Assuming the intended use case is compatibility with /etc/shadow or
> something similar, would it not make sense to add these algos to
> password_hash function, and not add new functions?
Yes, this is another goal (later)
For now, these are provided in the xpass extension.
Main issue is Windows.
=> https://pecl.php.net/package/xpass
Remi
> For now, these are provided in the xpass extension.
> Main issue is Windows.
Yeah, it might be an issue to port this library to Windows. There is a
vcpkg port[1], but only for Linux. I haven't had a closer look why;
maybe it's just because libxcrypt uses autotools, maybe it's because
they're using functionality not readily available on Windows.
However, Windows support might not be that important anyway, because
we're unlikely to ship the official builds with that library, since at
least so far the stance was that users should be able to run a minimal
PHP build (core + mandatory extensions) without any external
dependencies. Cf. ext/pcre, where Windows always uses the bundled
libpcre2 (and there is still no (official) separate build of libpcre2).
Anyhow, I had a glimpse at our own bundled crypt implementation, and it
seems we have implementations of a couple of hashing algos there (e.g.
crypt_sha256.c), which might not be the best idea given we also have
implementations in ext/hash. We should consider unifying that (PHP next).
Christoph
On 13/09/2024 at 12:33, Christoph M. Becker wrote:
> However, Windows support might not be that important anyway,
So for now, my plans are:
- Maintain the xpass extension for PHP 8.x
  New version 1.1.0 has the additional functions/macros
- Wait for user feedback/comments
- Open an RFC (after 8.4.0 GA, for PHP 9)
  to merge the ext in php-src
  if feedback is good.
Remi