[Security/Core] Fix checking for SHA256/SHA512 passwords

David Brooks 2019-12-02 11:44:44 -05:00 committed by Nicolas Grekas
parent f75e9d583c
commit 799c85b67c
4 changed files with 23 additions and 5 deletions


@ -80,9 +80,9 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
return false;
}
if (0 === strpos($encoded, '$2')) {
if (0 !== strpos($encoded, '$argon')) {
// BCrypt encodes only the first 72 chars
return 72 >= \strlen($raw) && password_verify($raw, $encoded);
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
}
if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {
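Review bot: The kept comment `// BCrypt encodes only the first 72 chars` now sits above a branch that handles every non-argon hash, so it no longer explains the condition below it — in particular why the 72-byte cap is skipped for hashes that do not start with `$2`. Replace it with `// Only BCrypt ($2*) silently truncates input at 72 bytes, so longer raw passwords are rejected for those hashes; other crypt() formats ($5$, $6$, ...) are verified as-is`. The `strpos($encoded, '$2')` check is repeated verbatim in the SodiumPasswordEncoder hunk; hoisting `$isBcrypt = 0 === strpos($encoded, '$2');` above the return would make the compound condition easier to read in both places. isPasswordValid starts and continues outside this hunk.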


@ -80,9 +80,9 @@ final class SodiumPasswordEncoder implements PasswordEncoderInterface, SelfSalti
return false;
}
if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
// Accept validating BCrypt passwords for seamless migrations
return password_verify($raw, $encoded);
if (0 !== strpos($encoded, '$argon')) {
// Accept validating non-argon passwords for seamless migrations
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
}
if (\function_exists('sodium_crypto_pwhash_str_verify')) {
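Review bot: The new comment states the migration intent but not the reason for the `72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')` clause, which is the non-obvious part of the return. Extend it to `// Accept validating non-argon passwords for seamless migrations; the 72-byte cap applies only to BCrypt ($2*), which truncates longer input, so other crypt() formats are verified as-is`. Since this branch now also accepts SHA-crypt ($5$/$6$) hashes, needsRehash() — if this encoder implements it, outside the hunk — should report true for them so those users are upgraded to argon on their next login; worth confirming with a test. isPasswordValid starts and continues outside this hunk.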


@ -55,6 +55,15 @@ class NativePasswordEncoderTest extends TestCase
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
}
public function testNonArgonValidation()
{
$encoder = new NativePasswordEncoder();
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
}
public function testConfiguredAlgorithm()
{
$encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);
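Review bot: testNonArgonValidation covers accept/reject of a matching password but not the condition the fix actually introduced: the 72-byte limit is no longer applied to non-`$2` hashes, and no case uses a raw password longer than 72 characters. A SHA-crypt case can be built at test time, e.g. `$long = str_repeat('a', 80); $this->assertTrue($encoder->isPasswordValid(crypt($long, '$6$abcdefgh$'), $long, null));`, and a `$2y$` hash paired with an over-long password should still be asserted false to pin the BCrypt branch. The same gap applies to the SodiumPasswordEncoderTest hunk below.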


@ -37,6 +37,15 @@ class SodiumPasswordEncoderTest extends TestCase
$this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
}
public function testNonArgonValidation()
{
$encoder = new SodiumPasswordEncoder();
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
}
public function testEncodePasswordLength()
{
$this->expectException('Symfony\Component\Security\Core\Exception\BadCredentialsException');