[RFC][DISCUSSION] Argon2id in Password Hash

  101777
February 5, 2018 15:43 charlesportwoodii@erianna.com ("Charles R. Portwood II")
Hello Internals,

I would like to propose adding Argon2id to the password_* functions in PHP
7.3.

An RFC[1] has been prepared which covers implementation details, and some
common questions & concerns that I have anticipated. This RFC also includes
a tested and working implementation[2] to illustrate changes to PHP itself.

The biggest question at this time is how we want to handle versioning of
the Argon2 reference library. The RFC covers this issue in detail and
provides a solution that ensures no BC breakage for existing users.

I look forward to hearing your feedback. Thanks.

[1] https://wiki.php.net/rfc/argon2_password_hash_enhancements
[2]: https://github.com/php/php-src/compare/master...charlesportwoodii:argon2_password_hash_enhancements?expand=1

---

Charles R. Portwood II
  102122
May 22, 2018 15:51 charlesportwoodii@erianna.com ("Charles R. Portwood II")
On Feb 5, 2018, 9:43 AM -0600, Charles R. Portwood II <charlesportwoodii@erianna.com>, wrote:

> Hello Internals,
>
> I would like to propose adding Argon2id to the password_* functions in PHP 7.3.
>
> An RFC[1] has been prepared which covers implementation details, and some common questions & concerns that I have anticipated. This RFC also includes a tested and working implementation[2] to illustrate changes to PHP itself.
>
> The biggest question at this time is how we want to handle versioning of the Argon2 reference library. The RFC covers this issue in detail and provides a solution that ensures no BC breakage for existing users.
>
> I look forward to hearing your feedback. Thanks.
>
> [1] https://wiki.php.net/rfc/argon2_password_hash_enhancements
> [2]: https://github.com/php/php-src/compare/master...charlesportwoodii:argon2_password_hash_enhancements?expand=1
>
> ---
>
> Charles R. Portwood II

Hello Internals,

I would like to follow up on the RFC to add Argon2id to the password_* functions in PHP 7.3. The discussion itself[1] didn’t seem to gather much attention since it was posted in February; however, there have been some discussions[2] in a separate thread inquiring about the status of Argon2 in PHP in general.

I’ve updated the RFC[3] based upon discussions I’ve had with individuals outside of the mailing list. With this update the RFC now recommends forcing a libargon2 version >= 20161029 during configure for the --with-password-argon2 flag, providing password_* with support for both Argon2i and Argon2id.

I would like to target PHP 7.3 with this RFC. Since there haven’t been any major discussion points raised since the RFC was introduced back in February, I would like to offer another opportunity for additional discussion before I submit this RFC for a vote in the next few weeks.

I look forward to hearing your feedback! Thanks.

[1]: https://externals.io/message/101777
[2]: https://externals.io/message/102041#102042
[3]: https://wiki.php.net/rfc/argon2_password_hash_enhancements

---

Charles R. Portwood II