Closed weierophinney closed 3 years ago
I've refactored out the usage of the default constants but it seems like the PHP7.2 binaries from travis-ci have no argon2 support whatsoever, see: https://github.com/travis-ci/travis-ci/issues/8863
Originally posted by @MatthiasKuehneEllerhold at https://github.com/zendframework/zend-crypt/pull/58#issuecomment-387705734
Rebased it unto develop and changed the PR target.
I've tried to orient myself on the existing bcrypt class.
Originally posted by @MatthiasKuehneEllerhold at https://github.com/zendframework/zend-crypt/pull/58#issuecomment-387708114
I've tried to orient myself on the existing bcrypt class.
No worries, I'm just suggesting to get rid of some cruft, especially on new classes. @ezimuel needs to check these, since he's the lead here.
Originally posted by @Ocramius at https://github.com/zendframework/zend-crypt/pull/58#issuecomment-387708490
@MatthiasKuehneEllerhold I forgot to answer to your main questions:
Bcrypt
and Argon2i
but this is ok and actually good for portability purpose, as you already noticed.password_needs_rehash()
function of PHP. The usage of this function is simple and people can use directly it. We don't see any advantages for a wrapper class here.Originally posted by @ezimuel at https://github.com/zendframework/zend-crypt/pull/58#issuecomment-404503253
This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Steering Committee. If you have a security issue, please follow our security reporting guidelines. If you wish to take on the role of maintainer, please nominate yourself
This PR adds an extra class for the argon2i password hash algorithm introduced with PHP7.2.
There are some open questions with this:
Do we really want to have 1 new class for each algorithm PHP addes? "Argon2id" is just around the corner...
PHP's
password_verify()
accepts currently both Bcrypt and Argon2i hashes. So basically you could either use theBcrypt
class or theArgon2i
class to verify either hashes. This makes it pretty easy to migrate users from Bcrypt to Argon2i:Argon2i
class as the dependencyDo we need a wrapper function for
password_needs_rehash()
? This would mean we need some kind of inter-class upgrade path (from classBcrypt
toArgon2i
in future php-versions). Although we dont know WHYpassword_needs_rehash()
returns false: is it because of the algorithm or the cost value(s)?This class is marked as PHP7.2+ only (it throws an exception in the constructor). Do we want to provide fallbacks of some kind for older PHP Versions?
Other than the algorithm no other PHP7.2+ specific features were used in this class (e. g. scalar type hints and return types) because a syntax error is much more heavy and harder to catch than a constructor-exception (Pre 7.0). Should type hints and return types get added because its a PHP7.2+ class anyway?
Originally posted by @MatthiasKuehneEllerhold at https://github.com/zendframework/zend-crypt/pull/58