Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 702a3ee

Browse filesBrowse files
chalasrchalasr
committed
feature #40176 [PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto" (chalasr)
This PR was merged into the 5.3-dev branch. Discussion ---------- [PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto" | Q | A | ------------- | --- | Branch? | 5.x | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - As suggested in #39802 (comment), based on https://twitter.com/TerahashCorp/status/1155129705034653698 Commits ------- 332817a Use bcrypt as default password hash algorithm for "native" and "auto"
2 parents d1fbf75 + 332817a commit 702a3ee
Copy full SHA for 702a3ee

File tree

4 files changed

+25
-10
lines changed
Filter options

4 files changed

+25
-10
lines changed

‎src/Symfony/Component/PasswordHasher/CHANGELOG.md

Copy file name to clipboardExpand all lines: src/Symfony/Component/PasswordHasher/CHANGELOG.md
+1Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,3 +2,4 @@
22
---
33

44
* Add the component
5+
* Use `bcrypt` as default algorithm in `NativePasswordHasher`

‎src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php
+3-3Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ final class NativePasswordHasher implements PasswordHasherInterface
2929
private $options;
3030

3131
/**
32-
* @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
32+
* @param string|null $algo An algorithm supported by password_hash() or null to use the best available algorithm
3333
*/
3434
public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, ?string $algo = null)
3535
{
@@ -52,11 +52,11 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
5252
$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
5353

5454
if (\defined('PASSWORD_ARGON2I')) {
55-
$this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
55+
$algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
5656
}
5757

5858
if (\defined('PASSWORD_ARGON2ID')) {
59-
$this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
59+
$algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
6060
}
6161

6262
if (null !== $algo) {

‎src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php
+11-5Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,9 @@
1111

1212
namespace Symfony\Component\PasswordHasher\Hasher;
1313

14-
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
1514
use Symfony\Component\PasswordHasher\Exception\LogicException;
1615
use Symfony\Component\PasswordHasher\PasswordHasherInterface;
16+
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
1717

1818
/**
1919
* A generic hasher factory implementation.
@@ -103,9 +103,15 @@ private function createHasher(array $config, bool $isExtra = false): PasswordHas
103103
private function getHasherConfigFromAlgorithm(array $config): array
104104
{
105105
if ('auto' === $config['algorithm']) {
106-
$hasherChain = [];
107106
// "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
108-
foreach ([SodiumPasswordHasher::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
107+
if (SodiumPasswordHasher::isSupported()) {
108+
$algos = ['native', 'sodium', 'pbkdf2', $config['hash_algorithm']];
109+
} else {
110+
$algos = ['native', 'pbkdf2', $config['hash_algorithm']];
111+
}
112+
113+
$hasherChain = [];
114+
foreach ($algos as $algo) {
109115
$config['algorithm'] = $algo;
110116
$hasherChain[] = $this->createHasher($config, true);
111117
}
@@ -186,7 +192,7 @@ private function getHasherConfigFromAlgorithm(array $config): array
186192
$config['algorithm'] = 'native';
187193
$config['native_algorithm'] = \PASSWORD_ARGON2I;
188194
} else {
189-
throw new LogicException(sprintf('Algorithm "argon2i" is not available. Either use %s"auto" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? '"argon2id", ' : ''));
195+
throw new LogicException(sprintf('Algorithm "argon2i" is not available. Use "%s" instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id" or "auto' : 'auto'));
190196
}
191197

192198
return $this->getHasherConfigFromAlgorithm($config);
@@ -198,7 +204,7 @@ private function getHasherConfigFromAlgorithm(array $config): array
198204
$config['algorithm'] = 'native';
199205
$config['native_algorithm'] = \PASSWORD_ARGON2ID;
200206
} else {
201-
throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use %s"auto", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? '"argon2i", ' : ''));
207+
throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? 'argon2i", "auto' : 'auto'));
202208
}
203209

204210
return $this->getHasherConfigFromAlgorithm($config);

‎src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php
+10-2Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -21,13 +21,13 @@ class NativePasswordHasherTest extends TestCase
2121
{
2222
public function testCostBelowRange()
2323
{
24-
$this->expectException('InvalidArgumentException');
24+
$this->expectException(\InvalidArgumentException::class);
2525
new NativePasswordHasher(null, null, 3);
2626
}
2727

2828
public function testCostAboveRange()
2929
{
30-
$this->expectException('InvalidArgumentException');
30+
$this->expectException(\InvalidArgumentException::class);
3131
new NativePasswordHasher(null, null, 32);
3232
}
3333

@@ -73,6 +73,14 @@ public function testConfiguredAlgorithm()
7373
$this->assertStringStartsWith('$2', $result);
7474
}
7575

76+
public function testDefaultAlgorithm()
77+
{
78+
$hasher = new NativePasswordHasher();
79+
$result = $hasher->hash('password');
80+
$this->assertTrue($hasher->verify($result, 'password'));
81+
$this->assertStringStartsWith('$2', $result);
82+
}
83+
7684
public function testConfiguredAlgorithmWithLegacyConstValue()
7785
{
7886
$hasher = new NativePasswordHasher(null, null, null, '1');

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.