On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins <rowan.coll...@gmail.com> wrote:
> On Thu, 18 Oct 2018 at 14:55, Sara Golemon <poll...@php.net> wrote:
>> Unfortunately, I just sat down to implement it and noticed that we
>> have explicit test cases which verify that only hashes with a prefix
>> of "$2y" *and* a length of precisely 60 are identified as bcrypt. So
>> either we need to loosen that check (I'm trying to avoid BC breaks
>> here), or we create additional identification logic.
>
> Hm... what does length != 60 currently generate - presumably it's just an
> "unrecognised format" error of some sort?
>
For the purposes of rehash/verify, an "unknown algorithm" is equivalent
to bcrypt as a fallback. password_get_info() makes the distinction, however.

> If so, we could keep BC by having a validate method in each handler, but only
> call it for hashes with the given prefix, and return an error if it returns
> false.
>
That would address this, *and* provide that more-general mechanism. +1

-Sara
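
The prefix-then-validate dispatch discussed in this message, as an added userland sketch that is not php-src code and not from either author. The `HashHandler` interface, the handler classes, `identify()`, the Argon2i field count and the use of an exception as the "error" are all assumptions made for illustration.

```php
<?php
// Hypothetical names throughout; this only models the dispatch order.
interface HashHandler {
    public function prefix(): string;              // prefix the handler claims
    public function validate(string $hash): bool;  // run only after a prefix match
}

final class BcryptHandler implements HashHandler {
    public function prefix(): string { return '$2y'; }
    public function validate(string $hash): bool {
        // The test cases mentioned in the thread require a length of exactly 60.
        return strlen($hash) === 60;
    }
}

final class Argon2iHandler implements HashHandler {
    public function prefix(): string { return '$argon2i$'; }
    public function validate(string $hash): bool {
        // Assumed minimal check: "$argon2i$v=..$m=..,t=..,p=..$salt$hash" splits into 6 parts.
        return count(explode('$', $hash)) === 6;
    }
}

function identify(string $hash, array $handlers): string {
    foreach ($handlers as $name => $handler) {
        $prefix = $handler->prefix();
        if (strncmp($hash, $prefix, strlen($prefix)) !== 0) {
            continue; // different prefix: this handler's validate() is never called
        }
        if (!$handler->validate($hash)) {
            // Prefix claimed but format rejected: report it instead of guessing.
            throw new InvalidArgumentException("malformed $name hash");
        }
        return $name;
    }
    return 'unknown'; // no handler claims the prefix
}

$handlers = ['bcrypt' => new BcryptHandler(), 'argon2i' => new Argon2iHandler()];
$samples = [ // constructed strings, not real password hashes
    '$2y$10$' . str_repeat('a', 53),  // 60 characters
    '$2y$10$' . str_repeat('a', 20),  // right prefix, wrong length
    '$1$abcdefgh$' . str_repeat('b', 22),
];
foreach ($samples as $sample) {
    try {
        echo identify($sample, $handlers), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'error: ', $e->getMessage(), "\n";
    }
}
```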