[RFC][DISCUSSION] Improve hash_hkdf() parameter

Hi all,

First of all, sorry for hash_hkdf() parameter discussion mess.
I tried to described the issue clearly in the RFC. Although I've tried
not to be repetitive, there are in order to avoid unnecessary confusions.

hash_hkdf() is simple hash_hmac() extension that allows to add non secret
information(key context) to derive key(hash) from existing key. While
hash_hkdf()
is great function to implement various security features for web apps,
it has inadequate/insecure parameter order/requirement and return value
currently.

This RFC proposes function signature improvement and value returned
from the function, so that it has logical/consistent parameter order and
return value.

https://wiki.php.net/rfc/improve_hash_hkdf_parameter

It includes some useful example HKDF applications with PHP.

Since CSRF becomes one of the most serious threat in web app,
"Advanced CSRF token" example might be one of the most used
HKDF application with PHP. You may want to have a look the example
at least even if you are not interested in hash functions. I don't see
this kind of advanced CSRF token often.
https://wiki.php.net/rfc/improve_hash_hkdf_parameter#
example_4advanced_csrf_token

Please make sure to distinguish "HKDF implementation requirement
for specific application(usage)" and "General purpose HKDF function
design and best practice". I presume this was the cause of previous
discussion mess. (And my prejudice that fundamentals won't be mistaken)

If you find any wrong or unclear statement, please let me know. I'll fix
them
gladly. I appreciate any improvement suggestions. If you would like send
mail privately, I don't mind at all.

Thank you for reading long RFC.

TL;DR;
https://wiki.php.net/rfc/improve_hash_hkdf_parameter#current_status

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net