feature #34020 [Security] Allow to stick to a specific password hashing algorithm (chalasr)

nicolas-grekas · nicolas-grekas · commit 9c9e5bb6fd43 · 2019-10-27T13:33:51.000+01:00
This PR was merged into the 4.4 branch.

Discussion
----------

[Security] Allow to stick to a specific password hashing algorithm

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #33054
| License       | MIT
| Doc PR        | todo

Allows using `argon2i`, `argon2id` and `bcrypt`.

Commits
-------

6712d1e504 [Security] Allow to set a fixed algorithm
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ CHANGELOG
  * Marked all dispatched event classes as `@final`
  * Deprecated returning a non-boolean value when implementing `Guard\AuthenticatorInterface::checkCredentials()`.
  * Deprecated passing more than one attribute to `AccessDecisionManager::decide()` and `AuthorizationChecker::isGranted()`
+ * Added new `argon2id` encoder, undeprecated the `bcrypt` and `argon2i` ones (using `auto` is still recommended by default.)
 
 4.3.0
 -----
diff --git a/Core/Encoder/EncoderFactory.php b/Core/Encoder/EncoderFactory.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\Security\Core\Exception\LogicException;
+
 /**
  * A generic encoder factory implementation.
  *
@@ -114,21 +116,20 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                     ],
                 ];
 
-            /* @deprecated since Symfony 4.3 */
             case 'bcrypt':
-                return [
-                    'class' => BCryptPasswordEncoder::class,
-                    'arguments' => [$config['cost']],
-                ];
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = PASSWORD_BCRYPT;
+
+                return $this->getEncoderConfigFromAlgorithm($config);
 
             case 'native':
                 return [
                     'class' => NativePasswordEncoder::class,
                     'arguments' => [
                         $config['time_cost'] ?? null,
                         (($config['memory_cost'] ?? 0) << 10) ?: null,
-                        $config['cost'] ?? null,
-                    ],
+                        $config['cost'] ?? null
+                    ] + (isset($config['native_algorithm']) ? [3 => $config['native_algorithm']] : []),
                 ];
 
             case 'sodium':
@@ -140,16 +141,29 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                     ],
                 ];
 
-            /* @deprecated since Symfony 4.3 */
             case 'argon2i':
-                return [
-                    'class' => Argon2iPasswordEncoder::class,
-                    'arguments' => [
-                        $config['memory_cost'],
-                        $config['time_cost'],
-                        $config['threads'],
-                    ],
-                ];
+                if (SodiumPasswordEncoder::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    $config['algorithm'] = 'sodium';
+                } elseif (\defined('PASSWORD_ARGON2I')) {
+                    $config['algorithm'] = 'native';
+                    $config['native_algorithm'] = PASSWORD_ARGON2I;
+                } else {
+                    throw new LogicException(sprintf('Algorithm "argon2i" is not available. Either use %s"auto" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? '"argon2id", ' : ''));
+                }
+
+                return $this->getEncoderConfigFromAlgorithm($config);
+
+            case 'argon2id':
+                if (($hasSodium = SodiumPasswordEncoder::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    $config['algorithm'] = 'sodium';
+                } elseif (\defined('PASSWORD_ARGON2ID')) {
+                    $config['algorithm'] = 'native';
+                    $config['native_algorithm'] = PASSWORD_ARGON2ID;
+                } else {
+                    throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use %s"auto", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? '"argon2i", ' : ''));
+                }
+
+                return $this->getEncoderConfigFromAlgorithm($config);
         }
 
         return [
diff --git a/Core/Encoder/NativePasswordEncoder.php b/Core/Encoder/NativePasswordEncoder.php
@@ -27,7 +27,10 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
     private $algo;
     private $options;
 
-    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null)
+    /**
+     * @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
+     */
+    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, string $algo = null)
     {
         $cost = $cost ?? 13;
         $opsLimit = $opsLimit ?? max(4, \defined('SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE') ? \SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE : 4);
@@ -45,7 +48,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
             throw new \InvalidArgumentException('$cost must be in the range of 4-31.');
         }
 
-        $this->algo = \defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT;
+        $this->algo = $algo ?? (\defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT);
         $this->options = [
             'cost' => $cost,
             'time_cost' => $opsLimit,
diff --git a/Core/Tests/Encoder/NativePasswordEncoderTest.php b/Core/Tests/Encoder/NativePasswordEncoderTest.php
@@ -55,6 +55,14 @@ public function testValidation()
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
     }
 
+    public function testConfiguredAlgorithm()
+    {
+        $encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);
+        $result = $encoder->encodePassword('password', null);
+        $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
+        $this->assertStringStartsWith('$2', $result);
+    }
+
     public function testCheckPasswordLength()
     {
         $encoder = new NativePasswordEncoder(null, null, 4);

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,14 @@ public function testValidation()`
`55`	`55`	`$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));`
`56`	`56`	`}`
`57`	`57`
	`58`	`+ public function testConfiguredAlgorithm()`
	`59`	`+ {`
	`60`	`+ $encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);`
	`61`	`+ $result = $encoder->encodePassword('password', null);`
	`62`	`+ $this->assertTrue($encoder->isPasswordValid($result, 'password', null));`
	`63`	`+ $this->assertStringStartsWith('$2', $result);`
	`64`	`+ }`
	`65`	`+`
`58`	`66`	`public function testCheckPasswordLength()`
`59`	`67`	`{`
`60`	`68`	`$encoder = new NativePasswordEncoder(null, null, 4);`