Added BCrypt password encoder.

elnur · fabpot · commit 9d089ef998bd · 2013-02-05T10:22:32.000+01:00
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 -----
 
 * Added PBKDF2 Password encoder
+* Added BCrypt password encoder
 
 2.1.0
 -----
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -383,6 +383,11 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
                             ->booleanNode('ignore_case')->defaultFalse()->end()
                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
                             ->scalarNode('iterations')->defaultValue(5000)->end()
+                            ->integerNode('cost')
+                                ->min(4)
+                                ->max(31)
+                                ->defaultValue(13)
+                            ->end()
                             ->scalarNode('id')->end()
                         ->end()
                     ->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -13,6 +13,7 @@
 
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\DefinitionDecorator;
 use Symfony\Component\DependencyInjection\Alias;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
@@ -464,6 +465,19 @@ private function createEncoder($config, ContainerBuilder $container)
             );
         }
 
+        // bcrypt encoder
+        if ('bcrypt' === $config['algorithm']) {
+            $arguments = array(
+                new Reference('security.secure_random'),
+                $config['cost'],
+            );
+
+            return array(
+                'class' => new Parameter('security.encoder.bcrypt.class'),
+                'arguments' => $arguments,
+            );
+        }
+
         // message digest encoder
         $arguments = array(
             $config['algorithm'],
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
@@ -13,6 +13,7 @@
         <parameter key="security.encoder.digest.class">Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder</parameter>
         <parameter key="security.encoder.plain.class">Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder</parameter>
         <parameter key="security.encoder.pbkdf2.class">Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder</parameter>
+        <parameter key="security.encoder.bcrypt.class">Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder</parameter>
 
         <parameter key="security.user.provider.in_memory.class">Symfony\Component\Security\Core\User\InMemoryUserProvider</parameter>
         <parameter key="security.user.provider.in_memory.user.class">Symfony\Component\Security\Core\User\User</parameter>
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -22,6 +22,10 @@
             'iterations' => 5,
             'key_length' => 30,
         ),
+        'JMS\FooBundle\Entity\User6' => array(
+            'algorithm' => 'bcrypt',
+            'cost' => 15,
+        ),
     ),
     'providers' => array(
         'default' => array(
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -18,6 +18,8 @@
 
         <encoder class="JMS\FooBundle\Entity\User5" algorithm="pbkdf2" hash-algorithm="sha1" encode-as-base64="false" iterations="5" key-length="30" />
 
+        <encoder class="JMS\FooBundle\Entity\User6" algorithm="bcrypt" cost="15" />
+
         <provider name="default">
             <memory>
                 <user name="foo" password="foo" roles="ROLE_USER" />
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml
@@ -16,6 +16,9 @@ security:
             encode_as_base64: false
             iterations: 5
             key_length: 30
+        JMS\FooBundle\Entity\User6:
+            algorithm: bcrypt
+            cost: 15
 
     providers:
         default:
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -158,6 +158,13 @@ public function testEncoders()
                 'class' => new Parameter('security.encoder.pbkdf2.class'),
                 'arguments' => array('sha1', false, 5, 30),
             ),
+            'JMS\FooBundle\Entity\User6' => array(
+                'class' => new Parameter('security.encoder.bcrypt.class'),
+                'arguments' => array(
+                         new Reference('security.secure_random'),
+                         15,
+                )
+            ),
         )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -9,6 +9,7 @@ CHANGELOG
    implements EventSubscriberInterface
  * added secure random number generator
  * added PBKDF2 Password encoder
+ * added BCrypt password encoder
 
 2.1.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
@@ -0,0 +1,146 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
+use Symfony\Component\Security\Core\Util\SecureRandomInterface;
+
+/**
+ * @author Elnur Abdurrakhimov <elnur@elnur.pro>
+ * @author Terje Bråten <terje@braten.be>
+ */
+class BCryptPasswordEncoder extends BasePasswordEncoder
+{
+    /**
+     * @var SecureRandomInterface
+     */
+    private $secureRandom;
+
+    /**
+     * @var string
+     */
+    private $cost;
+
+    private static $prefix = null;
+
+    /**
+     * @param SecureRandomInterface $secureRandom
+     * @param int                   $cost
+     *
+     * @throws \InvalidArgumentException if cost is out of range
+     */
+    public function __construct(SecureRandomInterface $secureRandom, $cost)
+    {
+        $this->secureRandom = $secureRandom;
+
+        $cost = (int) $cost;
+        if ($cost < 4 || $cost > 31) {
+            throw new \InvalidArgumentException('Cost must be in the range of 4-31');
+        }
+        $this->cost = sprintf("%02d", $cost);
+
+        if (!self::$prefix) {
+            self::$prefix = '$'.(version_compare(phpversion(), '5.3.7', '>=')
+                                 ? '2y' : '2a').'$';
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword($raw, $salt = null)
+    {
+        if (function_exists('password_hash')) {
+            return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
+        }
+
+        $salt = self::$prefix.$this->cost.'$'.
+            $this->encodeSalt($this->getRawSalt());
+        $encoded = crypt($raw, $salt);
+        if (!is_string($encoded) || strlen($encoded) <= 13) {
+            return false;
+        }
+
+        return $encoded;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid($encoded, $raw, $salt = null)
+    {
+        if (function_exists('password_verify')) {
+            return password_verify($raw, $encoded);
+        }
+
+        $crypted = crypt($raw, $encoded);
+        if (strlen($crypted) <= 13) {
+            return false;
+        }
+
+        return $this->comparePasswords($encoded, $crypted);
+    }
+
+    /**
+     * Correctly encode the salt to be used by Bcrypt.
+     * The blowfish/bcrypt algorithm used by PHP crypt expects a different
+     * set and order of characters than the usual base64_encode function.
+     * Regular b64: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
+     * Bcrypt b64:  ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
+     * We care because the last character in our encoded string will
+     * only represent 2 bits.  While two known implementations of
+     * bcrypt will happily accept and correct a salt string which
+     * has the 4 unused bits set to non-zero, we do not want to take
+     * chances and we also do not want to waste an additional byte
+     * of entropy.
+     *
+     * @param  bytes  $random a string of 16 random bytes
+     * @return string Properly encoded salt to use with php crypt function
+     *
+     * @throws \InvalidArgumentException if string of random bytes is too short
+     */
+    protected function encodeSalt($random)
+    {
+        $len = strlen($random);
+        if ($len < 16) {
+            throw new \InvalidArgumentException('The bcrypt salt needs 16 random bytes');
+        }
+        if ($len > 16) {
+            $random = substr($random, 0, 16);
+        }
+
+        $base64raw = str_replace('+', '.', base64_encode($random));
+        $salt128bit = substr($base64raw, 0, 21);
+        $lastchar = substr($base64raw, 21, 1);
+        $lastchar = strtr($lastchar, 'AQgw','.Oeu');
+        $salt128bit .= $lastchar;
+
+        return $salt128bit;
+    }
+
+    /**
+     * @return bytes 16 random bytes to be used in the salt
+     */
+    protected function getRawSalt()
+    {
+        $rawSalt = false;
+        $numBytes = 16;
+        if (function_exists('mcrypt_create_iv')) {
+            $rawSalt = mcrypt_create_iv($numBytes, MCRYPT_DEV_URANDOM);
+        }
+        if (!$rawSalt) {
+            $rawSalt = $this->secureRandom->nextBytes($numBytes);
+        }
+
+        return $rawSalt;
+    }
+}
diff --git a/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php b/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php
@@ -0,0 +1,112 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Tests\Core\Encoder;
+
+use Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder;
+
+/**
+ * @author Elnur Abdurrakhimov <elnur@elnur.pro>
+ */
+class BCryptPasswordEncoderTest extends \PHPUnit_Framework_TestCase
+{
+    const PASSWORD = 'password';
+    const BYTES = '0123456789abcdef';
+    const VALID_COST = '04';
+
+    const SECURE_RANDOM_INTERFACE = 'Symfony\Component\Security\Core\Util\SecureRandomInterface';
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $secureRandom;
+
+    protected function setUp()
+    {
+        $this->secureRandom = $this->getMock(self::SECURE_RANDOM_INTERFACE);
+
+        $this->secureRandom
+            ->expects($this->any())
+            ->method('nextBytes')
+            ->will($this->returnValue(self::BYTES))
+        ;
+    }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     */
+    public function testCostBelowRange()
+    {
+        new BCryptPasswordEncoder($this->secureRandom, 3);
+    }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     */
+    public function testCostAboveRange()
+    {
+        new BCryptPasswordEncoder($this->secureRandom, 32);
+    }
+
+    public function testCostInRange()
+    {
+        for ($cost = 4; $cost <= 31; $cost++) {
+            new BCryptPasswordEncoder($this->secureRandom, $cost);
+        }
+    }
+
+    public function testResultLength()
+    {
+        $encoder = new BCryptPasswordEncoder($this->secureRandom, self::VALID_COST);
+        $result = $encoder->encodePassword(self::PASSWORD);
+        $this->assertEquals(60, strlen($result));
+    }
+
+    public function testValidation()
+    {
+        $encoder = new BCryptPasswordEncoder($this->secureRandom, self::VALID_COST);
+        $result = $encoder->encodePassword(self::PASSWORD);
+        $this->assertTrue($encoder->isPasswordValid($result, self::PASSWORD));
+        $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword'));
+    }
+
+    public function testValidationKnownPassword()
+    {
+        $encoder = new BCryptPasswordEncoder($this->secureRandom, self::VALID_COST);
+        $prefix = '$'.(version_compare(phpversion(), '5.3.7', '>=')
+                       ? '2y' : '2a').'$';
+
+        $encrypted = $prefix.'04$ABCDEFGHIJKLMNOPQRSTU.uTmwd4KMSHxbUsG7bng8x7YdA0PM1iq';
+        $this->assertTrue($encoder->isPasswordValid($encrypted, self::PASSWORD));
+    }
+
+    public function testSecureRandomIsUsed()
+    {
+        if (function_exists('mcrypt_create_iv')) {
+            return;
+        }
+
+        $this->secureRandom
+            ->expects($this->atLeastOnce())
+            ->method('nextBytes')
+        ;
+
+        $encoder = new BCryptPasswordEncoder($this->secureRandom, self::VALID_COST);
+        $result = $encoder->encodePassword(self::PASSWORD);
+
+        $prefix = '$'.(version_compare(phpversion(), '5.3.7', '>=')
+                       ? '2y' : '2a').'$';
+        $salt = 'MDEyMzQ1Njc4OWFiY2RlZe';
+        $expected = crypt(self::PASSWORD, $prefix . self::VALID_COST . '$' . $salt);
+
+        $this->assertEquals($expected, $result);
+    }
+}
