rfc:password_registry
Differences
This shows you the differences between two versions of the page.
rfc:password_registry [2018/10/15 17:06] – created pollita | rfc:password_registry [2018/12/25 13:07] (current) – This RFC has already been implemented cmb | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== PHP RFC: Your Title Here ====== | + | ====== PHP RFC: Password Hashing Registry |
- | * Version: | + | * Version: 1.0 |
* Date: 2018-10-15 | * Date: 2018-10-15 | ||
* Author: Sara Golemon, pollita@php.net | * Author: Sara Golemon, pollita@php.net | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 22: | Line 22: | ||
zend_string* (*hash)(const zend_string* password, zend_array* options); | zend_string* (*hash)(const zend_string* password, zend_array* options); | ||
zend_bool (*verify)(const zend_string* password, const zend_string* hash); | zend_bool (*verify)(const zend_string* password, const zend_string* hash); | ||
- | zend_bool (*needs_rehash)(const zend_string* hash); | + | zend_bool (*needs_rehash)(const zend_string* hash, zend_array *options); |
+ | int (*get_info)(zval *return_value, | ||
zend_bool (*valid)(const zend_string* hash); | zend_bool (*valid)(const zend_string* hash); | ||
}; | }; | ||
- | PHPAPI | + | PHPAPI |
- | PHPAPI php_password_algo* | + | PHPAPI |
- | PHPAPI | + | PHPAPI const php_password_algo* |
- | PHPAPI | + | PHPAPI |
+ | PHPAPI | ||
+ | PHPAPI const php_password_algo* php_password_algo_get_named(const zend_string* name); | ||
+ | PHPAPI php_password_algo* php_password_algo_identify(const zend_string* hash); | ||
| | ||
- | Extensions wishing to provide an algorithm implementation will setup a (typically global const) structure to contain the four method pointers and call **php_password_algo_register()** during MINIT to hook in. The integer value returned by this function will be a process unique integer value which the extension may assign to a constant or leave to discovery via // | + | Extensions wishing to provide an algorithm implementation will setup a (typically global const) structure to contain the four method pointers and call **php_password_algo_register()** during MINIT to hook in. |
The **hash**, **verify**, and **needs_rehash** method pointers function exactly as their PHP userspace functions describe, but don't require an algo ID, as this has already been determined by the exported functions in looking up the algorithm. | The **hash**, **verify**, and **needs_rehash** method pointers function exactly as their PHP userspace functions describe, but don't require an algo ID, as this has already been determined by the exported functions in looking up the algorithm. | ||
- | The **valid** method pointer | + | The **get_info** method pointer |
- | In order to fail-closed, | + | The **valid** |
+ | |||
+ | Because the registry | ||
====== Userspace API ====== | ====== Userspace API ====== | ||
- | An additional function, password_algos(), | + | An additional function, password_algos(), |
> print_r(password_algos()); | > print_r(password_algos()); | ||
Array ( | Array ( | ||
- | [1] => " | + | [0] => " |
- | [2] => " | + | [1] => " |
- | [3] => " | + | [2] => " |
) | ) | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
- | Algorithm | + | Algorithm identifiers are now (nullable) strings rather than numbers. Applications |
+ | |||
+ | Note that PASSWORD_DEFAULT === null. | ||
+ | |||
+ | ====== Minimizing impact to BC ====== | ||
+ | |||
+ | In order to minimize | ||
===== Extension Changes ===== | ===== Extension Changes ===== | ||
- | ext/ | + | ext/ |
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
7.next | 7.next | ||
- | |||
- | ===== Open Questions ===== | ||
- | * Should the registry support password hashing mechanisms defined in script code? (I don't think so, but feel free to disagree) | ||
===== Future Scope ===== | ===== Future Scope ===== | ||
- | Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable. | + | * Review ext/sodium to see if there are additional password hashing algorithms it may be appropriate to enable. |
+ | * Consider exposing the registry to script code for the purpose of polyfill libraries. | ||
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
Simple 50% +1, make the password hashing system extensible via internal-only registry. | Simple 50% +1, make the password hashing system extensible via internal-only registry. | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | |||
+ | Should the above poll pass, the following 50%+1 question asks if we should additionally provide the overloaded behavior described above in " | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | |||
+ | Vote Open: 2018-11-06 17:00 UTC | ||
+ | |||
+ | Vote Closes: 2018-11-20 17:00 UTC | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
- | To be written. | + | |
+ | Work in progress... | ||
+ | |||
+ | * https:// | ||
===== Implementation ===== | ===== Implementation ===== | ||
- | To be written. | + | |
+ | - Implementation: | ||
+ | - Documentation: | ||
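Review bot: The registration paragraph in the new revision still says the structure contains "the four method pointers", but with get_info added the struct in this same revision lists five (hash, verify, needs_rehash, get_info, valid); update the count or drop the number. In the prototype list, php_password_algo_identify() returns a non-const php_password_algo* while php_password_algo_get_named() returns const php_password_algo*, and the text describes the registered structure as typically global const, so the identify lookup should return a const pointer as well. The new needs_rehash signature also writes `zend_array *options` where the hash member writes `zend_array* options`; pick one pointer style for the struct.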
rfc/password_registry.txt · Last modified: 2018/12/25 13:07 by cmb