[Security] Do not mix usage of password_*() functions and sodium_*() ones
parent
7f04e55856
commit
d6cfde94b4
@ -60,7 +60,9 @@ class Argon2iPasswordEncoder extends BasePasswordEncoder implements SelfSaltingE
|
||||
*/
|
||||
public function isPasswordValid($encoded, $raw, $salt)
|
||||
{
|
||||
if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
|
||||
// If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i".
|
||||
// In this case, "password_verify()" cannot be used.
|
||||
if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I') && (false === strpos($encoded, '$argon2id$'))) {
|
||||
return !$this->isPasswordTooLong($raw) && password_verify($raw, $encoded);
|
||||
}
|
||||
if (\function_exists('sodium_crypto_pwhash_str_verify')) {
|
||||
|
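Review bot: The new guard in isPasswordValid() looks for `$argon2id$` anywhere in $encoded, but the algorithm identifier can only be the leading field of the hash, so the test should be anchored: `0 !== strpos($encoded, '$argon2id$')`. The guard also sends every argon2id hash away from password_verify(), including on builds where `PASSWORD_ARGON2ID` is defined and the native function could verify it. On such a host without sodium the outcome depends on the rest of the method, which continues outside the hunk. Consider `&& (0 !== strpos($encoded, '$argon2id$') || \defined('PASSWORD_ARGON2ID'))`, and confirm that the fall-through path throws or rejects the login rather than returning a truthy value when no verifier is available. A test with one argon2i and one argon2id hash per backend would pin the dispatch.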