On Thu, 18 Oct 2018 at 14:55, Sara Golemon <poll...@php.net> wrote:

> Unfortunately, I just sat down to implement it and noticed that we
> have explicit test cases which verify that only hashes with a prefix
> of "$2y" *and* a length of precisely 60 are identified as bcrypt. So
> either we need to loosen that check (I'm trying to avoid BC breaks
> here), or we create additional identification logic.
>
Hm... what does length != 60 currently generate - presumably it's just an "unrecognised format" error of some sort?

If so, we could keep BC by having a validate method in each handler, but only call it for hashes with the given prefix, and return an error if it returns false. So in PHP terms:

    $prefix = extract_prefix($hash);
    $handler = $registry[$prefix];
    if ( is_null($handler) || ! $handler->validate($hash) ) {
        throw new UnrecognisedHashError;
    }

This would also allow handlers to reject other invalid strings, such as $knownAlgo$nonExistentOption=error$abc123

Regards,
--
Rowan Collins
[IMSoP]
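
Added example, not part of the original message and not php-src code: one way the prefix registry with a per-handler validate() step described above could be laid out. Every class and function name, the `knownAlgo` option syntax and the sample hashes are assumptions constructed for illustration.

```php
<?php
// Hypothetical names throughout; nothing here is a php-src API.
class UnrecognisedHashError extends Exception {}
interface HashHandler { public function validate(string $hash): bool; }

// Keeps the strict rule from the quoted test cases: "$2y" prefix AND length 60.
// The prefix is matched by the registry lookup, so only the length is left.
class BcryptHandler implements HashHandler {
    public function validate(string $hash): bool {
        return strlen($hash) === 60;
    }
}
// Assumed layout: $knownAlgo$opt=val[,opt=val]$payload, options allow-listed.
class KnownAlgoHandler implements HashHandler {
    private const OPTIONS = ['cost'];
    public function validate(string $hash): bool {
        $parts = explode('$', $hash);   // ['', 'knownAlgo', options, payload]
        if (count($parts) !== 4 || $parts[3] === '') { return false; }
        foreach (explode(',', $parts[2]) as $pair) {
            $kv = explode('=', $pair, 2);
            if (count($kv) !== 2 || !in_array($kv[0], self::OPTIONS, true)) {
                return false;           // unknown or malformed option
            }
        }
        return true;
    }
}
// Text between the first two '$' characters, or null if there is none.
function extract_prefix(string $hash): ?string {
    return preg_match('/^\$([^$]+)\$/', $hash, $m) === 1 ? $m[1] : null;
}
function find_handler(array $registry, string $hash): HashHandler {
    $prefix  = extract_prefix($hash);
    $handler = $prefix === null ? null : ($registry[$prefix] ?? null);
    if ($handler === null || !$handler->validate($hash)) {
        throw new UnrecognisedHashError('unrecognised hash format');
    }
    return $handler;
}
$registry = ['2y' => new BcryptHandler(), 'knownAlgo' => new KnownAlgoHandler()];
$samples = [                                      // constructed inputs
    '$2y$10$' . str_repeat('a', 53),              // length 60
    '$2y$10$' . str_repeat('a', 40),              // right prefix, wrong length
    '$knownAlgo$cost=3$abc123',
    '$knownAlgo$nonExistentOption=error$abc123',  // string from the message
    '$unknown$abc',                               // no handler registered
];
foreach ($samples as $hash) {
    try { echo get_class(find_handler($registry, $hash)), "  $hash\n"; }
    catch (UnrecognisedHashError $e) { echo "rejected  $hash\n"; }
}
```

A hash with a registered prefix that fails validate() gets the same error as one with no handler at all, so callers see no behaviour change for the length != 60 case.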