README

xpass extension for PHP

This extension provides password hashing algorithms used by Linux distributions.

• sha512 ($6$) provided for legacy as used on some old distributions (ex: RHEL-8)
• yescrypt ($y$) used on modern distributions

Notices: these can be fast, don't expect improved security level.

It also provides additional functions from libxcrypt missing in core PHP:

• crypt_preferred_method: get the prefix of the preferred hash method
• crypt_gensalt: encode settings for passphrase hashing
• crypt_checksalt: validate a crypt setting string

See the Linux man pages or PHP Documentation

Computation time

• bcrypt: 0.33"
• argon2i: 0.53"
• argon2id: 0.55"
• sha512: 0.01"
• yescrypt: 0.07" with default cost of 5
• yescrypt: 0.14" with cost=6
• yescrypt: 0.30" with cost=7
• yescrypt: 0.62" with cost=8

Sources

• Official git repository: https://git.remirepo.net/cgit/tools/php-xpass.git/
• Mirror on github for contributors: https://github.com/remicollet/php-xpass

Build

Compatible with PHP 8.0 or greater.

It is recommended to ensure PHP is built using --with-external-libcrypt option.

You need the Extended crypt library development files (libxcrypt-devel, libcrypt-dev) version 4.4 or greater.

From the sources tree

$ phpize
$ ./configure --enable-xpass
$ make
$ make test

From https://pecl.php.net/ using pecl command

$ pecl install xpass

From https://packagist.org/ using PHP Installer for Extensions

$ pie install remi/xpass

Usage

password hashing and verifying

$ php -a

php > var_dump($hash = password_hash("secret", PASSWORD_SHA512));
string(106) "$6$y2T3Ql8zEgzbpZeK$s42Q92ggqycC280QMx4.bid1gKI8ghM7ZQJF.F.fbY49Cqj/gnS9h3CiOXyYh0pvtisqiNavSPJP8ZR9Ty7RX1"

php > var_dump($hash = password_hash("secret", PASSWORD_YESCRYPT));
string(73) "$y$j9T$X9Va6i3zHjyKGJAskYZPv.$i1m/WR1C6/tqhB7IdOsi9Ar1JF4Qr38vBx104ao1OS5"

php > var_dump($hash = password_hash("secret", PASSWORD_YESCRYPT, ['cost'=>7]));
string(73) "$y$jBT$bo5CcI5fdsyad1Av.vgLQ.$FgOq74zufVvkOL/q4OBmcKDMMXJB9VzrJXEZrhoVjf6"

php > var_dump(password_verify("secret", $hash));
bool(true)

supported options

• cost controls the CPU time cost of the hash. If cost is 0, a reasonable default cost will be selected.

crypt helpers

$ php -a

php > var_dump(crypt_preferred_method());
string(3) "$y$"

php > var_dump($salt = crypt_gensalt());
string(29) "$y$j9T$EitfN8MxRjFzV5tNe97D70"

php > var_dump(crypt_checksalt($salt) == CRYPT_SALT_OK);
bool(true)

php > var_dump($hash = crypt("secret", $salt));
string(73) "$y$j9T$EitfN8MxRjFzV5tNe97D70$vGtxczdGMTLh0LfpwxAmyzgba7EODsmazEh03kpvbh3"

php > var_dump($hash === crypt("secret", $hash));
bool(true)

LICENSE

Author: Remi Collet

This extension is licensed under The PHP License, version 3.01

History

Created on user request for consistency with system crypto.