[ci skip] Add password registry RFC to changelog

Author: petk

NEWS

@@ -33,8 +33,8 @@ PHP                                                                        NEWS
   . Added FFI extension. (Dmitry)
 
 - Filter:
-  . The filter extension no longer have the --with-pcre-dir on Unix builds, 
-    allowing the extension to be once more compiled as shared using 
+  . The filter extension no longer have the --with-pcre-dir on Unix builds,
+    allowing the extension to be once more compiled as shared using
     ./configure. (Kalle)
 
 - FPM:
@@ -108,7 +108,7 @@ PHP                                                                        NEWS
   . Fixed bug #77800 (phpdbg segfaults on listing some conditional breakpoints).
     (krakjoe)
   . Fixed bug #77805 (phpdbg build fails when readline is shared). (krakjoe)
-  
+
 - Sockets:
   . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
 
@@ -132,6 +132,8 @@ PHP                                                                        NEWS
   . Implemented FR #38301 (field enclosure behavior in fputcsv). (cmb)
   . Implemented FR #51496 (fgetcsv should take empty string as an escape). (cmb)
   . Implemented FR #77377 (No way to handle CTRL+C in Windows). (Anatol)
+  . Implemented password hashing registry RFC:
+    https://wiki.php.net/rfc/password_registry. (Sara)
 
 - Reflection:
   . Fixed bug #76737 (Unserialized reflection objects are broken, they

UPGRADING

@@ -102,6 +102,17 @@ PHP 7.4 UPGRADE NOTES
 - Standard:
   . The "o" serialization format has been removed. As it is never produced by
     PHP, this may only break unserialization of manually crafted strings.
+  . Password hashing algorithm identifiers are now nullable strings rather
+    than integers.
+
+     * PASSWORD_DEFAULT was int 1; now is null
+     * PASSWORD_BCRYPT was int 1; now is string '2y'
+     * PASSWORD_ARGON2I was int 2; now is string 'argon2i'
+     * PASSWORD_ARGON2ID was int 3; now is string 'argon2id'
+
+    Applications correctly using the constants PASSWORD_DEFAULT,
+    PASSWORD_BCRYPT, PASSWORD_ARGON2I, and PASSWORD_ARGON2ID will continue to
+    function correctly.
 
 ========================================
 2. New Features
@@ -243,6 +254,9 @@ PHP 7.4 UPGRADE NOTES
     identical to using the default).
   . proc_open() on Windows can be passed a "create_process_group" option. It
     is required, if the child process is supposed to handle CTRL events.
+  . password_hash() now accepts nullable string and int as $algo argument.
+  . password_needs_rehash() now accepts nullable string and int as $algo
+    argument.
 
 ========================================
 6. New Functions
@@ -271,6 +285,9 @@ PHP 7.4 UPGRADE NOTES
     function is expected have a signature "function handler(int $event)".
   . bool sapi_windows_generate_ctrl_event(int type, int pid) - send a CTRL event
     to another process.
+  . array password_algos() - return a complete list of all registered password
+    hashing algorithms. For more details see the RFC:
+    https://wiki.php.net/rfc/password_registry
 
 ========================================
 7. New Classes and Interfaces
@@ -343,9 +360,9 @@ PHP 7.4 UPGRADE NOTES
   . The bundled libsqlite has been removed.  To build the SQLite3 extension
     a system libsqlite3 ≥ 3.7.4 is now required. To build the PDO_SQLite
     extension a system libsqlite3 ≥ 3.5.0 is now required.
-  . (Un)serialization of SQLite3, SQLite3Stmt and SQLite3Result is now explicitly
-    forbidden. Formerly, serialization of instances of these classes was
-    possible, but unserialization yielded unusable objects.
+  . (Un)serialization of SQLite3, SQLite3Stmt and SQLite3Result is now
+    explicitly forbidden. Formerly, serialization of instances of these classes
+    was possible, but unserialization yielded unusable objects.
   . The @param notation can now also be used to denote SQL query parameters.
 
 - Zip: