From 799a2eae2d732d7b883f7ff7f30ec0aceb429b10 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Sun, 27 Oct 2019 12:35:02 +0100 Subject: [PATCH] [Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible --- .../Core/Encoder/NativePasswordEncoder.php | 31 +++++++++++-------- .../Core/Encoder/SodiumPasswordEncoder.php | 2 +- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php index 1e09992afed4e..364cd19236ec2 100644 --- a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php @@ -45,7 +45,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos throw new \InvalidArgumentException('$cost must be in the range of 4-31.'); } - $this->algo = \defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT; + $this->algo = \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : (\defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT); $this->options = [ 'cost' => $cost, 'time_cost' => $opsLimit, @@ -59,20 +59,13 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos */ public function encodePassword($raw, $salt) { - if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) { + if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || (PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) { throw new BadCredentialsException('Invalid password.'); } // Ignore $salt, the auto-generated one is always the best - $encoded = password_hash($raw, $this->algo, $this->options); - - if (72 < \strlen($raw) && 0 === strpos($encoded, '$2')) { - // BCrypt encodes only the first 72 chars - throw new BadCredentialsException('Invalid password.'); - } - - return $encoded; + return password_hash($raw, $this->algo, $this->options); } /** @@ -80,11 +73,23 @@ public function encodePassword($raw, $salt) */ public function isPasswordValid($encoded, $raw, $salt) { - if (72 < \strlen($raw) && 0 === strpos($encoded, '$2')) { - // BCrypt encodes only the first 72 chars + if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) { return false; } - return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded); + if (0 === strpos($encoded, '$2')) { + // BCrypt encodes only the first 72 chars + return 72 >= \strlen($raw) && password_verify($raw, $encoded); + } + + if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) { + return sodium_crypto_pwhash_str_verify($encoded, $raw); + } + + if (\extension_loaded('libsodium') && version_compare(phpversion('libsodium'), '1.0.14', '>=')) { + return \Sodium\crypto_pwhash_str_verify($encoded, $raw); + } + + return password_verify($raw, $encoded); } } diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php index 934a3fdfca528..9c794004111a6 100644 --- a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php +++ b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php @@ -93,6 +93,6 @@ public function isPasswordValid($encoded, $raw, $salt) return \Sodium\crypto_pwhash_str_verify($encoded, $raw); } - throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.'); + return false; } } pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy