symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+1-1Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php
+4-4Lines changed: 4 additions & 4 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php
+4-4Lines changed: 4 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Encoder/Argon2iPasswordEncoder.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Encoder/Argon2iPasswordEncoder.php
+7-7Lines changed: 7 additions & 7 deletions b/‎src/Symfony/Component/Security/Core/Encoder/Argon2iPasswordEncoder.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Encoder/Argon2iPasswordEncoder.php
+7-7Lines changed: 7 additions & 7 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Encoder/Argon2idPasswordEncoder.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Encoder/Argon2idPasswordEncoder.php
+12-9Lines changed: 12 additions & 9 deletions b/‎src/Symfony/Component/Security/Core/Encoder/Argon2idPasswordEncoder.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Encoder/Argon2idPasswordEncoder.php
+12-9Lines changed: 12 additions & 9 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Encoder/Argon2iPasswordEncoderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Encoder/Argon2iPasswordEncoderTest.php
+36-5Lines changed: 36 additions & 5 deletions b/‎src/Symfony/Component/Security/Core/Tests/Encoder/Argon2iPasswordEncoderTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Encoder/Argon2iPasswordEncoderTest.php
+36-5Lines changed: 36 additions & 5 deletions
@@ -571,7 +571,7 @@ private function createEncoder($config, ContainerBuilder $container)
                 }
 
                 throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use BCrypt instead.');
-            } elseif (\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+            } elseif (!\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
                 @trigger_error('Configuring an encoder based on the "argon2i" algorithm while only "argon2id" is supported is deprecated since Symfony 4.3, use "argon2id" instead.', E_USER_DEPRECATED);
             }
 
 
@@ -73,7 +73,7 @@ public function testEncodePasswordBcrypt()
 
     public function testEncodePasswordArgon2i()
     {
-        if (!Argon2iPasswordEncoder::isSupported() || \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+        if (!Argon2iPasswordEncoder::isSupported() || !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
             $this->markTestSkipped('Argon2i algorithm not available.');
         }
         $this->setupArgon2i();
@@ -95,7 +95,7 @@ public function testEncodePasswordArgon2i()
     public function testEncodePasswordArgon2id()
     {
         if (!Argon2idPasswordEncoder::isSupported()) {
-            $this->markTestSkipped('Argon2i algorithm not available.');
+            $this->markTestSkipped('Argon2id algorithm not available.');
         }
         $this->setupArgon2id();
         $this->passwordEncoderCommandTester->execute([
@@ -107,7 +107,7 @@ public function testEncodePasswordArgon2id()
         $output = $this->passwordEncoderCommandTester->getDisplay();
         $this->assertContains('Password encoding succeeded', $output);
 
-        $encoder = new Argon2iPasswordEncoder();
+        $encoder = new Argon2idPasswordEncoder();
         preg_match('#  Encoded password\s+(\$argon2id?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
         $hash = $matches[1];
         $this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
@@ -175,7 +175,7 @@ public function testEncodePasswordBcryptOutput()
 
     public function testEncodePasswordArgon2iOutput()
     {
-        if (!Argon2iPasswordEncoder::isSupported() || \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+        if (!Argon2iPasswordEncoder::isSupported() || !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
             $this->markTestSkipped('Argon2id algorithm not available.');
         }
 
 
@@ -48,11 +48,11 @@ public function encodePassword($raw, $salt)
         if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
             return $this->encodePasswordNative($raw, \PASSWORD_ARGON2I);
         } elseif (\function_exists('sodium_crypto_pwhash_str')) {
-            if (0 === strpos($hash = $this->encodePasswordSodiumFunction($raw), Argon2idPasswordEncoder::HASH_PREFIX)) {
+            if (Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
                 @trigger_error(sprintf('Using "%s" while only the "argon2id" algorithm is supported is deprecated since Symfony 4.3, use "%s" instead.', __CLASS__, Argon2idPasswordEncoder::class), E_USER_DEPRECATED);
             }
 
-            return $hash;
+            return $this->encodePasswordSodiumFunction($raw);
         }
         if (\extension_loaded('libsodium')) {
             return $this->encodePasswordSodiumExtension($raw);
@@ -70,12 +70,12 @@ public function isPasswordValid($encoded, $raw, $salt)
             return false;
         }
 
-        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
-            // If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i"
-            if ($isArgon2id = (0 === strpos($encoded, Argon2idPasswordEncoder::HASH_PREFIX))) {
-                @trigger_error(sprintf('Calling "%s()" with a password hashed using argon2id is deprecated since Symfony 4.3, use "%s" instead.', __METHOD__, Argon2idPasswordEncoder::class), E_USER_DEPRECATED);
-            }
+        // If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i"
+        if ($isArgon2id = (0 === strpos($encoded, Argon2idPasswordEncoder::HASH_PREFIX))) {
+            @trigger_error(sprintf('Calling "%s()" with a password hashed using argon2id is deprecated since Symfony 4.3, use "%s" instead.', __METHOD__, Argon2idPasswordEncoder::class), E_USER_DEPRECATED);
+        }
 
+        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
             // Remove the right part of the OR in 5.0
             if (\defined('PASSWORD_ARGON2I') || $isArgon2id && \defined('PASSWORD_ARGON2ID')) {
                 return password_verify($raw, $encoded);
 
@@ -46,18 +46,11 @@ public function encodePassword($raw, $salt)
         if (\defined('PASSWORD_ARGON2ID')) {
             return $this->encodePasswordNative($raw, \PASSWORD_ARGON2ID);
         }
-        if (!\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+        if (!self::isDefaultSodiumAlgorithm()) {
             throw new LogicException('Algorithm "argon2id" is not supported. Please install the libsodium extension or upgrade to PHP 7.3+.');
         }
 
-        $hash = \sodium_crypto_pwhash_str(
-            $raw,
-            \SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
-            \SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
-        );
-        \sodium_memzero($raw);
-
-        return $hash;
+        return $this->encodePasswordSodiumFunction($raw);
     }
 
     /**
@@ -82,4 +75,14 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         throw new LogicException('Algorithm "argon2id" is not supported. Please install the libsodium extension or upgrade to PHP 7.3+.');
     }
+
+    /**
+     * @internal
+     */
+    public static function isDefaultSodiumAlgorithm()
+    {
+        return \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')
+            && \defined('SODIUM_CRYPTO_PWHASH_ALG_DEFAULT')
+            && \SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13 === \SODIUM_CRYPTO_PWHASH_ALG_DEFAULT;
+    }
 }
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Tests\Encoder;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
 
 /**
@@ -21,15 +22,12 @@ class Argon2iPasswordEncoderTest extends TestCase
 {
     const PASSWORD = 'password';
 
-    protected function setUp()
+    public function testValidationWithConfig()
     {
-        if (!Argon2iPasswordEncoder::isSupported() || \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+        if (!Argon2iPasswordEncoder::isSupported() || Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
             $this->markTestSkipped('Argon2i algorithm is not supported.');
         }
-    }
 
-    public function testValidationWithConfig()
-    {
         $encoder = new Argon2iPasswordEncoder(8, 4, 1);
         $result = $encoder->encodePassword(self::PASSWORD, null);
         $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, null));
@@ -38,6 +36,10 @@ public function testValidationWithConfig()
 
     public function testValidation()
     {
+        if (!Argon2iPasswordEncoder::isSupported() || Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
+            $this->markTestSkipped('Argon2i algorithm is not supported.');
+        }
+
         $encoder = new Argon2iPasswordEncoder();
         $result = $encoder->encodePassword(self::PASSWORD, null);
         $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, null));
@@ -49,12 +51,20 @@ public function testValidation()
      */
     public function testEncodePasswordLength()
     {
+        if (!Argon2iPasswordEncoder::isSupported() || Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
+            $this->markTestSkipped('Argon2i algorithm is not supported.');
+        }
+
         $encoder = new Argon2iPasswordEncoder();
         $encoder->encodePassword(str_repeat('a', 4097), 'salt');
     }
 
     public function testCheckPasswordLength()
     {
+        if (!Argon2iPasswordEncoder::isSupported() || Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
+            $this->markTestSkipped('Argon2i algorithm is not supported.');
+        }
+
         $encoder = new Argon2iPasswordEncoder();
         $result = $encoder->encodePassword(str_repeat('a', 4096), null);
         $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 4097), null));
@@ -63,8 +73,29 @@ public function testCheckPasswordLength()
 
     public function testUserProvidedSaltIsNotUsed()
     {
+        if (!Argon2iPasswordEncoder::isSupported() || Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
+            $this->markTestSkipped('Argon2i algorithm is not supported.');
+        }
+
         $encoder = new Argon2iPasswordEncoder();
         $result = $encoder->encodePassword(self::PASSWORD, 'salt');
         $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, 'anotherSalt'));
     }
+
+    /**
+     * @group legacy
+     * @exectedDeprecation Using "Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder" while only the "argon2id" algorithm is supported is deprecated since Symfony 4.3, use "Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder" instead.
+     * @exectedDeprecation Calling "Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder::isPasswordValid()" with a password hashed using argon2id is deprecated since Symfony 4.3, use "Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder" instead.
+     */
+    public function testEncodeWithArgon2idSupportOnly()
+    {
+        if (!Argon2iPasswordEncoder::isSupported() || !Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
+            $this->markTestSkipped('Argon2id algorithm not available.');
+        }
+
+        $encoder = new Argon2iPasswordEncoder();
+        $result = $encoder->encodePassword(self::PASSWORD, null);
+        $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD, null));
+        $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+    }
 }
Original file line number	Diff line number	Diff line change
`@@ -571,7 +571,7 @@ private function createEncoder($config, ContainerBuilder $container)`
`571`	`571`	`}`
`572`	`572`
`573`	`573`	`throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use BCrypt instead.');`
`574`		`- } elseif (\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {`
	`574`	`+ } elseif (!\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {`
`575`	`575`	`@trigger_error('Configuring an encoder based on the "argon2i" algorithm while only "argon2id" is supported is deprecated since Symfony 4.3, use "argon2id" instead.', E_USER_DEPRECATED);`
`576`	`576`	`}`
`577`	`577`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ public function testEncodePasswordBcrypt()`
`73`	`73`
`74`	`74`	`public function testEncodePasswordArgon2i()`
`75`	`75`	`{`
`76`		`- if (!Argon2iPasswordEncoder::isSupported() \|\| \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {`
	`76`	`+ if (!Argon2iPasswordEncoder::isSupported() \|\| !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {`
`77`	`77`	`$this->markTestSkipped('Argon2i algorithm not available.');`
`78`	`78`	`}`
`79`	`79`	`$this->setupArgon2i();`
`@@ -95,7 +95,7 @@ public function testEncodePasswordArgon2i()`
`95`	`95`	`public function testEncodePasswordArgon2id()`
`96`	`96`	`{`
`97`	`97`	`if (!Argon2idPasswordEncoder::isSupported()) {`
`98`		`- $this->markTestSkipped('Argon2i algorithm not available.');`
	`98`	`+ $this->markTestSkipped('Argon2id algorithm not available.');`
`99`	`99`	`}`
`100`	`100`	`$this->setupArgon2id();`
`101`	`101`	`$this->passwordEncoderCommandTester->execute([`
`@@ -107,7 +107,7 @@ public function testEncodePasswordArgon2id()`
`107`	`107`	`$output = $this->passwordEncoderCommandTester->getDisplay();`
`108`	`108`	`$this->assertContains('Password encoding succeeded', $output);`
`109`	`109`
`110`		`- $encoder = new Argon2iPasswordEncoder();`
	`110`	`+ $encoder = new Argon2idPasswordEncoder();`
`111`	`111`	`preg_match('# Encoded password\s+(\$argon2id?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);`
`112`	`112`	`$hash = $matches[1];`
`113`	`113`	`$this->assertTrue($encoder->isPasswordValid($hash, 'password', null));`
`@@ -175,7 +175,7 @@ public function testEncodePasswordBcryptOutput()`
`175`	`175`
`176`	`176`	`public function testEncodePasswordArgon2iOutput()`
`177`	`177`	`{`
`178`		`- if (!Argon2iPasswordEncoder::isSupported() \|\| \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {`
	`178`	`+ if (!Argon2iPasswordEncoder::isSupported() \|\| !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {`
`179`	`179`	`$this->markTestSkipped('Argon2id algorithm not available.');`
`180`	`180`	`}`
`181`	`181`