Hi Nikita, OK I understand you are with Andrey.
On Sun, Feb 5, 2017 at 7:21 AM, Nikita Popov <nikita....@gmail.com> wrote: > Suggesting to drop the length parameter from HKDF... Okay, that's where I > draw the line. I've had enough of this farce. I've configured gmail to > blackhole your mails and recommend anyone who values their peace of mind to > do the same. Additionally, be strongly advised to land any changes to > php-src through the PR process, as unreviewed commits are likely to be > reverted indiscriminately. Excuse me to repeat. The internet RFC emphasizes on improved security by whatever "salt" values are. Your wrong usage example with plain passwords even make the value of "salt" clearer. Therefore, this signature does not make sense at all to me. string hash_hkdf(string algo, string ikm [, int length = 0 [, string info = '' [, string salt = '']]]) but string hash_hkdf(string algo, string ikm, string salt [, string info = '' [, int length = 0]]) - Set salt to NULL if salt cannot be used, reject null string as invalid. IMO, length parameter can even removed. It could be large enough buffer size or optimal buffer size could be computed in the function, if it matters. Anyway, why you insist and recommend vulnerable usage so much? You missed the most important answer. Is info is important parameter than salt? Makes none of sense. Please show us single reason why string hash_hkdf(string algo, string ikm [, int length = 0 [, string info = '' [, string salt = '']]]) is a lot better than string hash_hkdf(string algo, string ikm, string salt [, string info = '' [, int length = 0]]) - Set salt to NULL if salt cannot be used, reject null string as invalid. This is very important for average PHP to develop PHP apps more secure way. IMHO. Otherwise, I don't insist this much. Other discussions that I insisted before have good reasons to do, yet I didn't get any logical nor reasonable explanation. Please show me good one for this at least. Why you insist and recommend vulnerable usage so much? Thanks, -- Yasuo Ohgaki yohg...@ohgaki.net
