From 50590dce81cae24cc0dd97918403df59bc5cdfda Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Wed, 17 Apr 2019 21:13:54 +0200 Subject: [PATCH] [Security] add PasswordEncoderInterface::needsRehash() --- UPGRADE-4.4.md | 5 +++++ UPGRADE-5.0.md | 1 + src/Symfony/Component/Security/CHANGELOG.md | 5 +++++ .../Core/Encoder/BasePasswordEncoder.php | 8 +++++++ .../Core/Encoder/NativePasswordEncoder.php | 8 +++++++ .../Core/Encoder/PasswordEncoderInterface.php | 2 ++ .../Core/Encoder/SodiumPasswordEncoder.php | 16 ++++++++++++++ .../Core/Encoder/UserPasswordEncoder.php | 10 +++++++++ .../Encoder/UserPasswordEncoderInterface.php | 2 ++ .../Tests/Encoder/BasePasswordEncoderTest.php | 6 +++++ .../Encoder/NativePasswordEncoderTest.php | 13 +++++++++++ .../Encoder/SodiumPasswordEncoderTest.php | 13 +++++++++++ .../Tests/Encoder/UserPasswordEncoderTest.php | 22 +++++++++++++++++++ 13 files changed, 111 insertions(+) diff --git a/UPGRADE-4.4.md b/UPGRADE-4.4.md index 73d80523a25d6..822164d41c4c4 100644 --- a/UPGRADE-4.4.md +++ b/UPGRADE-4.4.md @@ -41,6 +41,11 @@ MonologBridge * The `RouteProcessor` has been marked final. +Security +-------- + + * Implementations of `PasswordEncoderInterface` and `UserPasswordEncoderInterface` should add a new `needsRehash()` method + TwigBridge ---------- diff --git a/UPGRADE-5.0.md b/UPGRADE-5.0.md index 1f1bd58ff57cb..72c7b28288411 100644 --- a/UPGRADE-5.0.md +++ b/UPGRADE-5.0.md @@ -313,6 +313,7 @@ Routing Security -------- + * Implementations of `PasswordEncoderInterface` and `UserPasswordEncoderInterface` must have a new `needsRehash()` method * The `Role` and `SwitchUserRole` classes have been removed. * The `getReachableRoles()` method of the `RoleHierarchy` class has been removed. It has been replaced by the new `getReachableRoleNames()` method. diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md index 24d15f7e78467..78fba3fa9972d 100644 --- a/src/Symfony/Component/Security/CHANGELOG.md +++ b/src/Symfony/Component/Security/CHANGELOG.md @@ -1,6 +1,11 @@ CHANGELOG ========= +4.4.0 +----- + + * Added method `needsRehash()` to `PasswordEncoderInterface` and `UserPasswordEncoderInterface` + 4.3.0 ----- diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php index 3c3ea1aa17366..2609b3c7aa3d7 100644 --- a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php @@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface { const MAX_PASSWORD_LENGTH = 4096; + /** + * {@inheritdoc} + */ + public function needsRehash(string $encoded): bool + { + return false; + } + /** * Demerges a merge password and salt string. * diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php index a99d064eeb3e2..a05eb288e5de2 100644 --- a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php @@ -87,4 +87,12 @@ public function isPasswordValid($encoded, $raw, $salt) return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded); } + + /** + * {@inheritdoc} + */ + public function needsRehash(string $encoded): bool + { + return password_needs_rehash($encoded, $this->algo, $this->options); + } } diff --git a/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php index e0573051eb273..748b82d859a15 100644 --- a/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php +++ b/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php @@ -17,6 +17,8 @@ * PasswordEncoderInterface is the interface for all encoders. * * @author Fabien Potencier + * + * @method bool needsRehash(string $encoded) */ interface PasswordEncoderInterface { diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php index e9bd6a63c94d2..82cb1e17dd1d1 100644 --- a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php @@ -99,4 +99,20 @@ public function isPasswordValid($encoded, $raw, $salt) throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.'); } + + /** + * {@inheritdoc} + */ + public function needsRehash(string $encoded): bool + { + if (\function_exists('sodium_crypto_pwhash_str_needs_rehash')) { + return \sodium_crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit); + } + + if (\extension_loaded('libsodium')) { + return \Sodium\crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit); + } + + throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.'); + } } diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php index 3efc8c6d48bb5..ad9d929deb4cd 100644 --- a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php @@ -46,4 +46,14 @@ public function isPasswordValid(UserInterface $user, $raw) return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt()); } + + /** + * {@inheritdoc} + */ + public function needsRehash(UserInterface $user, string $encoded): bool + { + $encoder = $this->encoderFactory->getEncoder($user); + + return method_exists($encoder, 'needsRehash') && $encoder->needsRehash($encoded); + } } diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php index 7861caab20ca6..911bbe5282d9d 100644 --- a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php +++ b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php @@ -17,6 +17,8 @@ * UserPasswordEncoderInterface is the interface for the password encoder service. * * @author Ariel Ferrandini + * + * @method bool needsRehash(UserInterface $user, string $encoded) */ interface UserPasswordEncoderInterface { diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/BasePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/BasePasswordEncoderTest.php index 2251cfdf906e0..2b101c3b3b606 100644 --- a/src/Symfony/Component/Security/Core/Tests/Encoder/BasePasswordEncoderTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/BasePasswordEncoderTest.php @@ -60,6 +60,12 @@ public function testIsPasswordTooLong() $this->assertFalse($this->invokeIsPasswordTooLong(str_repeat('a', 10))); } + public function testNeedsRehash() + { + $encoder = new PasswordEncoder(); + $this->assertFalse($encoder->needsRehash('foo')); + } + protected function invokeDemergePasswordAndSalt($password) { $encoder = new PasswordEncoder(); diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php index 681b91a1eeec5..55e518b49100c 100644 --- a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php @@ -67,4 +67,17 @@ public function testCheckPasswordLength() $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt')); $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt')); } + + public function testNeedsRehash() + { + $encoder = new NativePasswordEncoder(4, 11000, 4); + + $this->assertTrue($encoder->needsRehash('dummyhash')); + + $hash = $encoder->encodePassword('foo', 'salt'); + $this->assertFalse($encoder->needsRehash($hash)); + + $encoder = new NativePasswordEncoder(5, 11000, 5); + $this->assertTrue($encoder->needsRehash($hash)); + } } diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php index 84c8b4849e2b5..daa0da0120cb2 100644 --- a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php @@ -60,4 +60,17 @@ public function testUserProvidedSaltIsNotUsed() $result = $encoder->encodePassword('password', 'salt'); $this->assertTrue($encoder->isPasswordValid($result, 'password', 'anotherSalt')); } + + public function testNeedsRehash() + { + $encoder = new SodiumPasswordEncoder(4, 11000); + + $this->assertTrue($encoder->needsRehash('dummyhash')); + + $hash = $encoder->encodePassword('foo', 'salt'); + $this->assertFalse($encoder->needsRehash($hash)); + + $encoder = new SodiumPasswordEncoder(5, 11000); + $this->assertTrue($encoder->needsRehash($hash)); + } } diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/UserPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/UserPasswordEncoderTest.php index 41a602f976047..9bd10a964282c 100644 --- a/src/Symfony/Component/Security/Core/Tests/Encoder/UserPasswordEncoderTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/UserPasswordEncoderTest.php @@ -12,7 +12,10 @@ namespace Symfony\Component\Security\Core\Tests\Encoder; use PHPUnit\Framework\TestCase; +use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface; +use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder; use Symfony\Component\Security\Core\Encoder\UserPasswordEncoder; +use Symfony\Component\Security\Core\User\User; class UserPasswordEncoderTest extends TestCase { @@ -68,4 +71,23 @@ public function testIsPasswordValid() $isValid = $passwordEncoder->isPasswordValid($userMock, 'plainPassword'); $this->assertTrue($isValid); } + + public function testNeedsRehash() + { + $user = new User('username', null); + $encoder = new NativePasswordEncoder(4, 20000, 4); + + $mockEncoderFactory = $this->getMockBuilder(EncoderFactoryInterface::class)->getMock(); + $mockEncoderFactory->expects($this->any()) + ->method('getEncoder') + ->with($user) + ->will($this->onConsecutiveCalls($encoder, $encoder, new NativePasswordEncoder(5, 20000, 5), $encoder)); + + $passwordEncoder = new UserPasswordEncoder($mockEncoderFactory); + + $hash = $passwordEncoder->encodePassword($user, 'foo', 'salt'); + $this->assertFalse($passwordEncoder->needsRehash($user, $hash)); + $this->assertTrue($passwordEncoder->needsRehash($user, $hash)); + $this->assertFalse($passwordEncoder->needsRehash($user, $hash)); + } } pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy