bug #31763 [Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords (nicolas-grekas)

Robin Chalas · Robin Chalas · commit 1318d3bf5160 · 2019-05-31T11:33:06.000+02:00
This PR was merged into the 4.3 branch. Discussion ---------- [Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords | Q | A | ------------- | --- | Branch? | 4.3 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #31758 | License | MIT | Doc PR | - Otherwise, the promise of the "auto" mode doesn't work. Commits ------- c0fc456 [Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -84,6 +84,11 @@ public function isPasswordValid($encoded, $raw, $salt)
             return false;
         }
 
+        if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
+            // Accept validating BCrypt passwords for seamless migrations
+            return password_verify($raw, $encoded);
+        }
+
         if (\function_exists('sodium_crypto_pwhash_str_verify')) {
             return \sodium_crypto_pwhash_str_verify($encoded, $raw);
         }
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
@@ -31,6 +31,12 @@ public function testValidation()
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
     }
 
+    public function testBCryptValidation()
+    {
+        $encoder = new SodiumPasswordEncoder();
+        $this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
+    }
+
     /**
      * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
      */

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,11 @@ public function isPasswordValid($encoded, $raw, $salt)`
`84`	`84`	`return false;`
`85`	`85`	`}`
`86`	`86`
	`87`	`+ if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {`
	`88`	`+ // Accept validating BCrypt passwords for seamless migrations`
	`89`	`+ return password_verify($raw, $encoded);`
	`90`	`+ }`
	`91`	`+`
`87`	`92`	`if (\function_exists('sodium_crypto_pwhash_str_verify')) {`
`88`	`93`	`return \sodium_crypto_pwhash_str_verify($encoded, $raw);`
`89`	`94`	`}`