Commit 0a9a6ba
bug #34763 [Security/Core] Fix checking for SHA256/SHA512 passwords (David Brooks)
This PR was merged into the 4.4 branch. Discussion ---------- [Security/Core] Fix checking for SHA256/SHA512 passwords | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any --> | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> <!-- The code that validates bcrypt passwords (#31763) also needs to accept SHA256-crypt ($5$) and SHA512-crypt ($6$) hashed passwords. These are used on RedHat (and derived) systems. Since SHA256/SHA512-crypt do not appear to share bcrypt's 72-character input limit, I simply created a new if() block. --> Commits ------- 799c85b [Security/Core] Fix checking for SHA256/SHA512 passwords
2 parents f75e9d5 + 799c85b commit 0a9a6ba
4 files changed

+23
-5
lines changed
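--- a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
             return false;
         }
 
-        if (0 === strpos($encoded, '$2')) {
+        if (0 !== strpos($encoded, '$argon')) {
             // BCrypt encodes only the first 72 chars
-            return 72 >= \strlen($raw) && password_verify($raw, $encoded);
+            return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
         }
 
         if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {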
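Review bot: The inverted guard `0 !== strpos($encoded, '$argon')` on new line 83 routes every non-argon string into `password_verify()`, not just the `$5$`/`$6$` SHA-crypt hashes the commit targets; because `password_verify()` accepts any crypt() format, this silently widens the encoder to legacy formats such as `$1$` md5crypt and traditional DES hashes, which is a policy change worth stating or avoiding. If only SHA-crypt migration is intended, an explicit allowlist is tighter: `if (0 === strpos($encoded, '$2') || 0 === strpos($encoded, '$5') || 0 === strpos($encoded, '$6')) {`. Either way the retained comment `// BCrypt encodes only the first 72 chars` no longer describes the branch; I would replace it with `// bcrypt truncates input to 72 bytes, so over-long input is rejected for $2 hashes only; other crypt() formats have no such limit`. isPasswordValid() begins before and ends after this hunk.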

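--- a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
             return false;
         }
 
-        if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
-            // Accept validating BCrypt passwords for seamless migrations
-            return password_verify($raw, $encoded);
+        if (0 !== strpos($encoded, '$argon')) {
+            // Accept validating non-argon passwords for seamless migrations
+            return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
         }
 
         if (\function_exists('sodium_crypto_pwhash_str_verify')) {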
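Review bot: The comment `// Accept validating non-argon passwords for seamless migrations` on new line 84 understates what the condition admits: anything not prefixed `$argon` — including weak legacy crypt() formats and malformed strings — now reaches `password_verify()`, and the migration is only "seamless" if needsRehash() (not in this hunk) flags such hashes for re-encoding, which I cannot confirm from here. I would make the accepted set and the dependency explicit: `// Accept bcrypt ($2) and SHA-crypt ($5/$6) hashes via password_verify() so legacy users can be migrated; needsRehash() must report true for these`, or narrow the condition to those three prefixes rather than "everything that is not argon". The 72-byte cap being limited to `$2` hashes on new line 85 is correct, since only bcrypt truncates its input. isPasswordValid() begins before and ends after this hunk.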

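--- a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
@@ -55,6 +55,15 @@ public function testValidation()
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
     }
 
+    public function testNonArgonValidation()
+    {
+        $encoder = new NativePasswordEncoder();
+        $this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
+        $this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
+        $this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
+        $this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
+    }
+
     public function testConfiguredAlgorithm()
     {
         $encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);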
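Review bot: testNonArgonValidation never exercises the case the encoder change was written for — a raw password longer than 72 characters checked against a `$5$`/`$6$` hash, which the new `|| 0 !== strpos($encoded, '$2')` clause exists to allow — so a regression that reinstates the 72-byte cap for SHA-crypt would pass this test. I would add, inside the method, `$long = str_repeat('a', 73); $this->assertTrue($encoder->isPasswordValid(crypt($long, '$6$abcdefgh$'), $long, null));` and the mirror assertion that a 73-character input is still rejected for a bcrypt hash. The enclosing test class starts and ends outside this hunk.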

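--- a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
@@ -37,6 +37,15 @@ public function testBCryptValidation()
         $this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
     }
 
+    public function testNonArgonValidation()
+    {
+        $encoder = new SodiumPasswordEncoder();
+        $this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
+        $this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
+        $this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
+        $this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
+    }
+
     public function testEncodePasswordLength()
     {
         $this->expectException('Symfony\Component\Security\Core\Exception\BadCredentialsException');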
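Review bot: The new test pins only the happy path with 8-character inputs, so it cannot catch the two edges the rewritten condition introduces: a raw password over 72 characters must still verify against `$5$`/`$6$` (the reason for the `|| 0 !== strpos($encoded, '$2')` clause) while the 72-byte cap must remain in force for `$2` hashes, and an unrecognised non-argon string must be rejected rather than throw. I would add `$long = str_repeat('a', 73); $this->assertTrue($encoder->isPasswordValid(crypt($long, '$5$abcdefgh$'), $long, null));` plus `$this->assertFalse($encoder->isPasswordValid('not-a-hash', 'password', null));`. The enclosing test class starts and ends outside this hunk.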
