subject:"\[PHP\-DEV\] Password"

Re: [PHP-DEV] Password Digest Registry

2018-10-18 Thread Sara Golemon

On Thu, Oct 18, 2018 at 9:18 AM Sara Golemon wrote: > On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins wrote: > > If so, we could keep BC by having a validate method in each handler, but > > only call it for hashes with the given prefix, and return an error if it > > returns false. > > > That woul

Re: [PHP-DEV] Password Digest Registry

2018-10-18 Thread Sara Golemon

On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins wrote: > On Thu, 18 Oct 2018 at 14:55, Sara Golemon wrote: >> Unfortunately, I just sat down to implement it and noticed that we >> have explicit test cases which verify that only hashes with a prefix >> of "$2y" *and* a length of precisely 60 are ide

Re: [PHP-DEV] Password Digest Registry

2018-10-18 Thread Rowan Collins

On Thu, 18 Oct 2018 at 14:55, Sara Golemon wrote: > Unfortunately, I just sat down to implement it and noticed that we > have explicit test cases which verify that only hashes with a prefix > of "$2y" *and* a length of precisely 60 are identified as bcrypt. So > either we need to loosen that che

Re: [PHP-DEV] Password Digest Registry

2018-10-18 Thread Nicolas Grekas

> > Opening https://wiki.php.net/rfc/password_registry for discussion. > Should the registry support password hashing mechanisms defined in script > code? (I don't think so, but feel free to disagree) > Not for disagreeing but for the discussion: allowing userland to provide algos would allow pr

Re: [PHP-DEV] Password Digest Registry

2018-10-18 Thread Sara Golemon

On Tue, Oct 16, 2018 at 11:54 AM Rowan Collins wrote: > On Tue, 16 Oct 2018 at 16:35, Sara Golemon wrote: >> On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins >> wrote: >> > As I understand it, the purpose of the $foo$ syntax is to uniquely identify >> > each algorithm, so would it make sense to pa

Re: [PHP-DEV] Password Digest Registry

2018-10-16 Thread Rowan Collins

On Tue, 16 Oct 2018 at 16:35, Sara Golemon wrote: > On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins > wrote: > > As I understand it, the purpose of the $foo$ syntax is to uniquely > identify > > each algorithm, so would it make sense to pass the prefix string to the > > register call, and maintain

Re: [PHP-DEV] Password Digest Registry

2018-10-16 Thread Sara Golemon

On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins wrote: > As I understand it, the purpose of the $foo$ syntax is to uniquely identify > each algorithm, so would it make sense to pass the prefix string to the > register call, and maintain a lookup table internally of prefix => handler? > If that's an

Re: [PHP-DEV] Password Digest Registry

2018-10-16 Thread Rowan Collins

On Tue, 16 Oct 2018 at 13:48, Sara Golemon wrote: > I don't consider the current internal API proposal fixed, > particularly, I'm not too keen on the algorithm identification. What > I've presented is a callback for a mechanism to say "Yes, I can verify > that signature", but this means we must

[PHP-DEV] Password Digest Registry

2018-10-16 Thread Sara Golemon

Opening https://wiki.php.net/rfc/password_registry for discussion. It's all in the elevator pitch, but the TL;DR is to make password_hash()/password_verify() into a more easily extensible API for multiple hashing mechanisms. Critically, this would allow us to include new library dependent mechani