blob: e632a4121f0a4faa21c558ffa149954cbf0bdedd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
# xpass extension for PHP
This extension provides password hashing algorithms used by Linux distributions.
* **sha512** (`$6$`) provided for legacy as used on some old distributions (ex: RHEL-8)
* **yescrypt** (`$y$`) used on modern distributions
Notices: these can be fast, don't expect improved security level.
It also provides additional functions from libxcrypt missing in core PHP:
* `crypt_preferred_method`: get the prefix of the preferred hash method
* `crypt_gensalt`: encode settings for passphrase hashing
* `crypt_checksalt`: validate a crypt setting string
See the Linux man pages.
**Computation time**
* bcrypt: 0.33"
* argon2i: 0.53"
* argon2id: 0.55"
* sha512: 0.01"
* yescrypt: 0.07" with default cost of 5
* yescrypt: 0.14" with cost=6
* yescrypt: 0.30" with cost=7
* yescrypt: 0.62" with cost=8
# Sources
* Official git repository: https://git.remirepo.net/cgit/tools/php-xpass.git/
* Mirror on github for contributors: https://github.com/remicollet/php-xpass
# Build
Compatible with PHP 8.0 or greater.
You need the Extended crypt library development files (libxcrypt-devel, libcrypt-dev)
version 4.4 or greater.
From the sources tree
$ phpize
$ ./configure --enable-xpass
$ make
$ make test
# Usage
## password hashing and verifying
$ php -a
php > var_dump($hash = password_hash("secret", PASSWORD_SHA512));
string(106) "$6$y2T3Ql8zEgzbpZeK$s42Q92ggqycC280QMx4.bid1gKI8ghM7ZQJF.F.fbY49Cqj/gnS9h3CiOXyYh0pvtisqiNavSPJP8ZR9Ty7RX1"
php > var_dump($hash = password_hash("secret", PASSWORD_YESCRYPT));
string(73) "$y$j9T$X9Va6i3zHjyKGJAskYZPv.$i1m/WR1C6/tqhB7IdOsi9Ar1JF4Qr38vBx104ao1OS5"
php > var_dump($hash = password_hash("secret", PASSWORD_YESCRYPT, ['cost'=>7]));
string(73) "$y$jBT$bo5CcI5fdsyad1Av.vgLQ.$FgOq74zufVvkOL/q4OBmcKDMMXJB9VzrJXEZrhoVjf6"
php > var_dump(password_verify("secret", $hash));
bool(true)
## supported options
* `cost` controls the CPU time cost of the hash. If `cost` is 0, a reasonable default cost will be selected.
## crypt helpers
$ php -a
php > var_dump(crypt_preferred_method());
string(3) "$y$"
php > var_dump($salt = crypt_gensalt());
string(29) "$y$j9T$EitfN8MxRjFzV5tNe97D70"
php > var_dump(crypt_checksalt($salt) == CRYPT_SALT_OK);
bool(true)
php > var_dump($hash = crypt("secret", $salt));
string(73) "$y$j9T$EitfN8MxRjFzV5tNe97D70$vGtxczdGMTLh0LfpwxAmyzgba7EODsmazEh03kpvbh3"
php > var_dump($hash === crypt("secret", $hash));
bool(true)
# LICENSE
Author: Remi Collet
This extension is licensed under [The PHP License, version 3.01](http://www.php.net/license/3_01.txt)
# History
Created on user request for consistency with system crypto.
|