On Tue, Oct 16, 2018 at 11:54 AM Rowan Collins <rowan.coll...@gmail.com> wrote:
> On Tue, 16 Oct 2018 at 16:35, Sara Golemon <poll...@php.net> wrote:
>> On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins <rowan.coll...@gmail.com>
>> wrote:
>> > As I understand it, the purpose of the $foo$ syntax is to uniquely identify
>> > each algorithm, so would it make sense to pass the prefix string to the
>> > register call, and maintain a lookup table internally of prefix => handler?
>> >
>> If that's an assumption we can definitely make, then absolutely, that
>> simplifies a lot of the design. When preparing this I wasn't 100%
>> confident that this would hold true (maybe
>> $foo${hashspecificstuff},v=1 is different from
>> $foo${hashspecificstuff},v=2), and I didn't want to create a problem
>> for future us. But I suppose we can always extend the protocol if it
>> comes to that.
>
> I think encoding that assumption in PHP is following the general consensus,
> and in the absence of a stronger standard we're not obliged to follow an
> implementation that varies from that consensus anyway. In other words, if
> someone implements MyAwesomeHash as a C library that doesn't use a unique
> prefix of the appropriate form, the PHP wrapper can always prepend
> $MyAwesomeHash$ to the C library's output, and strip it off again when
> verifying.
>
Thanks for the research! I was hoping this was the case, I just
hadn't managed to confirm it.

Unfortunately, I just sat down to implement it and noticed that we
have explicit test cases which verify that only hashes with a prefix
of "$2y" *and* a length of precisely 60 are identified as bcrypt. So
either we need to loosen that check (I'm trying to avoid BC breaks
here), or we create additional identification logic.

My personal take is that, given a preference for maintaining BC, we
should keep a more generalized ident callback, even though the fixed
prefix is cleaner and more expedient. If we're willing to break some
BC, then I'd *also* vote in favor of making the algo identifiers be
strings instead of numbers.

-Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
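
Added example, not part of the thread and not php-src code: the two identification strategies discussed above (a fixed prefix => handler table versus a per-algorithm ident callback), run side by side on constructed strings and compared with what `password_get_info()` reports. The names `ident_by_prefix`, `ident_by_callback`, `$prefixTable` and `$identCallbacks` are hypothetical.

```php
<?php
// Added illustration; function and variable names are hypothetical, not php-src APIs.

// Strategy 1: lookup table keyed by a fixed "$foo$"-style prefix.
$prefixTable = ['$2y$' => 'bcrypt'];

function ident_by_prefix(array $table, string $hash): ?string
{
    foreach ($table as $prefix => $algo) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $algo;
        }
    }
    return null;
}

// Strategy 2: every registered algorithm supplies its own ident callback.
$identCallbacks = [
    // The check the message describes: "$2y" prefix *and* length exactly 60.
    'bcrypt' => function (string $hash): bool {
        return strlen($hash) === 60 && strncmp($hash, '$2y', 3) === 0;
    },
];

function ident_by_callback(array $callbacks, string $hash): ?string
{
    foreach ($callbacks as $algo => $matches) {
        if ($matches($hash)) {
            return $algo;
        }
    }
    return null;
}

// Constructed sample strings (filler characters, not real password hashes).
$samples = [
    'well-formed' => '$2y$10$' . str_repeat('a', 53), // 7 + 53 = 60 chars
    'truncated'   => '$2y$10$' . str_repeat('a', 20), // right prefix, wrong length
    'other'       => '$foo$' . str_repeat('a', 40),   // unregistered prefix
];

foreach ($samples as $label => $hash) {
    printf(
        "%-12s prefix=%-8s callback=%-8s password_get_info=%s\n",
        $label,
        ident_by_prefix($prefixTable, $hash) ?? 'unknown',
        ident_by_callback($identCallbacks, $hash) ?? 'unknown',
        password_get_info($hash)['algoName'] // the runtime's own answer
    );
}
```

The truncated sample is where the strategies disagree: the prefix table labels it bcrypt, while the length-checking callback does not, which is the backward-compatibility difference the message raises.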