From c0fc45682ad49b825dfe017716956b09ddf2b81a Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Fri, 31 May 2019 11:10:50 +0200 Subject: [PATCH] [Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords --- .../Security/Core/Encoder/SodiumPasswordEncoder.php | 5 +++++ .../Core/Tests/Encoder/SodiumPasswordEncoderTest.php | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php index 96fbdca173324..e9bd6a63c94d2 100644 --- a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php @@ -84,6 +84,11 @@ public function isPasswordValid($encoded, $raw, $salt) return false; } + if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) { + // Accept validating BCrypt passwords for seamless migrations + return password_verify($raw, $encoded); + } + if (\function_exists('sodium_crypto_pwhash_str_verify')) { return \sodium_crypto_pwhash_str_verify($encoded, $raw); } diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php index fe9e5db0eb4cb..84c8b4849e2b5 100644 --- a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php @@ -31,6 +31,12 @@ public function testValidation() $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null)); } + public function testBCryptValidation() + { + $encoder = new SodiumPasswordEncoder(); + $this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null)); + } + /** * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException */ pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy