feature #40176 [PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto" (chalasr)

chalasr · chalasr · commit 702a3ee82f87 · 2021-02-14T15:05:49.000+01:00
This PR was merged into the 5.3-dev branch. Discussion ---------- [PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto" | Q | A | ------------- | --- | Branch? | 5.x | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - As suggested in #39802 (comment), based on https://twitter.com/TerahashCorp/status/1155129705034653698 Commits ------- 332817a Use bcrypt as default password hash algorithm for "native" and "auto"
diff --git a/src/Symfony/Component/PasswordHasher/CHANGELOG.md b/src/Symfony/Component/PasswordHasher/CHANGELOG.md
@@ -2,3 +2,4 @@
 ---
 
  * Add the component
+ * Use `bcrypt` as default algorithm in `NativePasswordHasher`
diff --git a/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php
@@ -29,7 +29,7 @@ final class NativePasswordHasher implements PasswordHasherInterface
     private $options;
 
     /**
-     * @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
+     * @param string|null $algo An algorithm supported by password_hash() or null to use the best available algorithm
      */
     public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, ?string $algo = null)
     {
@@ -52,11 +52,11 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
         $algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
 
         if (\defined('PASSWORD_ARGON2I')) {
-            $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
+            $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
         }
 
         if (\defined('PASSWORD_ARGON2ID')) {
-            $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
+            $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
         }
 
         if (null !== $algo) {
diff --git a/src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php b/src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php
@@ -11,9 +11,9 @@
 
 namespace Symfony\Component\PasswordHasher\Hasher;
 
-use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 use Symfony\Component\PasswordHasher\Exception\LogicException;
 use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 
 /**
  * A generic hasher factory implementation.
@@ -103,9 +103,15 @@ private function createHasher(array $config, bool $isExtra = false): PasswordHas
     private function getHasherConfigFromAlgorithm(array $config): array
     {
         if ('auto' === $config['algorithm']) {
-            $hasherChain = [];
             // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
-            foreach ([SodiumPasswordHasher::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
+            if (SodiumPasswordHasher::isSupported()) {
+                $algos = ['native', 'sodium', 'pbkdf2', $config['hash_algorithm']];
+            } else {
+                $algos = ['native', 'pbkdf2', $config['hash_algorithm']];
+            }
+
+            $hasherChain = [];
+            foreach ($algos as $algo) {
                 $config['algorithm'] = $algo;
                 $hasherChain[] = $this->createHasher($config, true);
             }
@@ -186,7 +192,7 @@ private function getHasherConfigFromAlgorithm(array $config): array
                     $config['algorithm'] = 'native';
                     $config['native_algorithm'] = \PASSWORD_ARGON2I;
                 } else {
-                    throw new LogicException(sprintf('Algorithm "argon2i" is not available. Either use %s"auto" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? '"argon2id", ' : ''));
+                    throw new LogicException(sprintf('Algorithm "argon2i" is not available. Use "%s" instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id" or "auto' : 'auto'));
                 }
 
                 return $this->getHasherConfigFromAlgorithm($config);
@@ -198,7 +204,7 @@ private function getHasherConfigFromAlgorithm(array $config): array
                     $config['algorithm'] = 'native';
                     $config['native_algorithm'] = \PASSWORD_ARGON2ID;
                 } else {
-                    throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use %s"auto", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? '"argon2i", ' : ''));
+                    throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? 'argon2i", "auto' : 'auto'));
                 }
 
                 return $this->getHasherConfigFromAlgorithm($config);
diff --git a/src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php b/src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php
@@ -21,13 +21,13 @@ class NativePasswordHasherTest extends TestCase
 {
     public function testCostBelowRange()
     {
-        $this->expectException('InvalidArgumentException');
+        $this->expectException(\InvalidArgumentException::class);
         new NativePasswordHasher(null, null, 3);
     }
 
     public function testCostAboveRange()
     {
-        $this->expectException('InvalidArgumentException');
+        $this->expectException(\InvalidArgumentException::class);
         new NativePasswordHasher(null, null, 32);
     }
 
@@ -73,6 +73,14 @@ public function testConfiguredAlgorithm()
         $this->assertStringStartsWith('$2', $result);
     }
 
+    public function testDefaultAlgorithm()
+    {
+        $hasher = new NativePasswordHasher();
+        $result = $hasher->hash('password');
+        $this->assertTrue($hasher->verify($result, 'password'));
+        $this->assertStringStartsWith('$2', $result);
+    }
+
     public function testConfiguredAlgorithmWithLegacyConstValue()
     {
         $hasher = new NativePasswordHasher(null, null, null, '1');

Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,4 @@`
`2`	`2`	`---`
`3`	`3`
`4`	`4`	`* Add the component`
	`5`	+ * Use `bcrypt` as default algorithm in `NativePasswordHasher`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ final class NativePasswordHasher implements PasswordHasherInterface`
`29`	`29`	`private $options;`
`30`	`30`
`31`	`31`	`/**`
`32`		`- * @param string\|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm`
	`32`	`+ * @param string\|null $algo An algorithm supported by password_hash() or null to use the best available algorithm`
`33`	`33`	`*/`
`34`	`34`	`public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, ?string $algo = null)`
`35`	`35`	`{`
`@@ -52,11 +52,11 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos`
`52`	`52`	`$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];`
`53`	`53`
`54`	`54`	`if (\defined('PASSWORD_ARGON2I')) {`
`55`		`- $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;`
	`55`	`+ $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`if (\defined('PASSWORD_ARGON2ID')) {`
`59`		`- $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;`
	`59`	`+ $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`if (null !== $algo) {`
Original file line number	Diff line number	Diff line change
`@@ -21,13 +21,13 @@ class NativePasswordHasherTest extends TestCase`
`21`	`21`	`{`
`22`	`22`	`public function testCostBelowRange()`
`23`	`23`	`{`
`24`		`- $this->expectException('InvalidArgumentException');`
	`24`	`+ $this->expectException(\InvalidArgumentException::class);`
`25`	`25`	`new NativePasswordHasher(null, null, 3);`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`public function testCostAboveRange()`
`29`	`29`	`{`
`30`		`- $this->expectException('InvalidArgumentException');`
	`30`	`+ $this->expectException(\InvalidArgumentException::class);`
`31`	`31`	`new NativePasswordHasher(null, null, 32);`
`32`	`32`	`}`
`33`	`33`
`@@ -73,6 +73,14 @@ public function testConfiguredAlgorithm()`
`73`	`73`	`$this->assertStringStartsWith('$2', $result);`
`74`	`74`	`}`
`75`	`75`
	`76`	`+ public function testDefaultAlgorithm()`
	`77`	`+ {`
	`78`	`+ $hasher = new NativePasswordHasher();`
	`79`	`+ $result = $hasher->hash('password');`
	`80`	`+ $this->assertTrue($hasher->verify($result, 'password'));`
	`81`	`+ $this->assertStringStartsWith('$2', $result);`
	`82`	`+ }`
	`83`	`+`
`76`	`84`	`public function testConfiguredAlgorithmWithLegacyConstValue()`
`77`	`85`	`{`
`78`	`86`	`$hasher = new NativePasswordHasher(null, null, null, '1');`