[Security] Do not mix usage of password_*() functions and sodium_*() ones
This commit is contained in:
parent
7f04e55856
commit
d6cfde94b4
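--- a/Argon2iPasswordEncoder.php
+++ b/Argon2iPasswordEncoder.php
@@ -60,7 +60,9 @@ class Argon2iPasswordEncoder extends BasePasswordEncoder implements SelfSaltingE
     */
     public function isPasswordValid($encoded, $raw, $salt)
     {
-        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
+        // If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i".
+        // In this case, "password_verify()" cannot be used.
+        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I') && (false === strpos($encoded, '$argon2id$'))) {
             return !$this->isPasswordTooLong($raw) && password_verify($raw, $encoded);
         }
         if (\function_exists('sodium_crypto_pwhash_str_verify')) {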
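Review bot: The argon2id detection in the new condition, `false === strpos($encoded, '$argon2id$')`, tests for the marker anywhere in the string, while the hash format it guards against carries it as a prefix; `0 !== strpos($encoded, '$argon2id$')` states the actual intent (not an argon2id-prefixed hash) and reads as a prefix check. The condition is also getting long enough that a named local would help, e.g. `$isArgon2id = 0 === strpos($encoded, '$argon2id$');` used in the `if`. When the hash is argon2id but `sodium_crypto_pwhash_str_verify()` is unavailable, control falls past the sodium branch; that tail lies outside the hunk, so confirm it fails closed by returning false rather than handing a hash it cannot check to `password_verify()`. isPasswordValid's body continues outside the hunk.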