On Tue, 16 Oct 2018 at 13:48, Sara Golemon <poll...@php.net> wrote:

> I don't consider the current internal API proposal fixed,
> particularly, I'm not too keen on the algorithm identification.  What
> I've presented is a callback for a mechanism to say "Yes, I can verify
> that signature", but this means we must ask all mechanisms.  A more
> direct means might involve "search for /^\$mechanismName\$/, but not
> only is this already insufficient for bcrypt (identified by $2y$), but
> it'll probably be worse later on.  If anyone has better ideas here,
> I'm totes open.



As I understand it, the purpose of the $foo$ syntax is to uniquely identify
each algorithm, so would it make sense to pass the prefix string to the
register call, and maintain a lookup table internally of prefix => handler?

struct php_password_algo {
    const char* name; // Symbolic name of the algorithm, e.g. "argon2id"
    const char* prefix; // Prefix used for hashes in this algorithm, e.g. "2y"
    zend_string* (*hash)(const zend_string* password, zend_array* options);
    zend_bool (*verify)(const zend_string* password, const zend_string* hash);
    zend_bool (*needs_rehash)(const zend_string* hash, zend_array *options);
    int (*get_info)(zval *return_value, const zend_string* hash);
};


If an extension wants to reuse an implementation for more than one prefix
(e.g. minor variations in algorithm) it can just register multiple
"handlers" which happen to have the same function pointers; and if multiple
extensions try to register for the same prefix, the error can be detected
immediately at startup.

Determining the algorithm would then involve extracting the prefix from the
hash and looking it up in the registry.

You mention ext/sodium checking if ext/standard has already registered some
or all of its algorithms, but don't specify a method to do so; if the
registry was prefix-oriented, there could be a standard API such as:

PHPAPI const php_password_algo* php_password_algo_for_prefix(const char* prefix);

Or simply:

PHPAPI zend_bool php_password_algo_is_registered(const char* prefix);


Regards,
-- 
Rowan Collins
[IMSoP]
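
A minimal sketch of the prefix-keyed registry described in the message above, as an added example that is not part of the original e-mail or of PHP's code. `algo_t`, `algo_register` and `algo_for_hash` are hypothetical names, and the hash string is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the proposed struct; not PHP's actual API. */
typedef struct {
    const char *name;   /* symbolic name, e.g. "argon2id" */
    const char *prefix; /* text between the first two '$', e.g. "2y" */
} algo_t;
#define MAX_ALGOS 16
static const algo_t *registry[MAX_ALGOS];
static size_t registry_len;

/* Exact-length match, so "2" never matches a registered "2y". */
static const algo_t *find_span(const char *p, size_t len) {
    for (size_t i = 0; i < registry_len; i++) {
        const char *r = registry[i]->prefix;
        if (strlen(r) == len && memcmp(r, p, len) == 0)
            return registry[i];
    }
    return NULL;
}

/* 0 on success; -1 for an empty, '$'-containing or already-taken prefix. */
int algo_register(const algo_t *a) {
    if (!a || !a->prefix || !*a->prefix || strchr(a->prefix, '$'))
        return -1;
    if (registry_len == MAX_ALGOS || find_span(a->prefix, strlen(a->prefix)))
        return -1;
    registry[registry_len++] = a;
    return 0;
}

/* Extract the prefix from "$prefix$..." and look it up; NULL if unknown. */
const algo_t *algo_for_hash(const char *hash) {
    if (!hash || hash[0] != '$')
        return NULL;
    const char *end = strchr(hash + 1, '$');
    if (!end || end == hash + 1)
        return NULL;
    return find_span(hash + 1, (size_t)(end - (hash + 1)));
}

int main(void) {
    static const algo_t bcrypt = {"bcrypt", "2y"}; /* constructed sample */
    algo_register(&bcrypt);
    const algo_t *a = algo_for_hash("$2y$10$constructed-sample-hash");
    printf("%s\n", a ? a->name : "unknown");
}
```

A hash whose prefix has no registered handler returns NULL, so the caller can fail verification rather than fall through to some default algorithm.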
