[Security] Allow to use a specific password hashing algorithm

chalasr · chalasr · commit d18baac421bc · 2019-10-18T10:07:55.000+02:00
diff --git a/UPGRADE-4.3.md b/UPGRADE-4.3.md
@@ -209,11 +209,6 @@ Security
  * Not implementing the methods `__serialize` and `__unserialize` in classes implementing
    the `TokenInterface` is deprecated
 
-SecurityBundle
---------------
-
- * Configuring encoders using `argon2i` or `bcrypt` as algorithm has been deprecated, use `auto` instead.
-
 TwigBridge
 ----------
 
diff --git a/UPGRADE-5.0.md b/UPGRADE-5.0.md
@@ -537,7 +537,6 @@ SecurityBundle
    changed to underscores.
    Before: `my-cookie` deleted the `my_cookie` cookie (with an underscore).
    After: `my-cookie` deletes the `my-cookie` cookie (with a dash).
- * Configuring encoders using `argon2i` or `bcrypt` as algorithm is not supported anymore, use `auto` instead.
 
 Serializer
 ----------
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -28,7 +28,6 @@
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
-use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -538,32 +537,72 @@ private function createEncoder(array $config)
 
         // bcrypt encoder
         if ('bcrypt' === $config['algorithm']) {
-            @trigger_error('Configuring an encoder with "bcrypt" as algorithm is deprecated since Symfony 4.3, use "auto" instead.', E_USER_DEPRECATED);
-
             return [
-                'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
-                'arguments' => [$config['cost'] ?? 13],
+                'class' => NativePasswordEncoder::class,
+                'arguments' => [
+                    $config['time_cost'] ?? null,
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    $config['cost'] ?? null,
+                    \PASSWORD_BCRYPT,
+                ],
             ];
         }
 
         // Argon2i encoder
         if ('argon2i' === $config['algorithm']) {
-            @trigger_error('Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "auto" instead.', E_USER_DEPRECATED);
+            if (SodiumPasswordEncoder::isSupported() && !($hasSodiumArgon2id = \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13'))) {
+                return [
+                    'class' => SodiumPasswordEncoder::class,
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    ],
+                ];
+            }
 
-            if (!Argon2iPasswordEncoder::isSupported()) {
-                if (\extension_loaded('sodium') && !\defined('SODIUM_CRYPTO_PWHASH_SALTBYTES')) {
-                    throw new InvalidConfigurationException('The installed libsodium version does not have support for Argon2i. Use "auto" instead.');
+            if (!\defined('PASSWORD_ARGON2I')) {
+                if ($hasSodiumArgon2id ?? false) {
+                    throw new InvalidConfigurationException('Algorithm "argon2i" is not available. You should either use "argon2id", downgrade your sodium extension or use a different encoder.');
                 }
+                throw new InvalidConfigurationException('Algorithm "argon2i" is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+            }
 
-                throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use "auto" instead.');
+            return [
+                'class' => NativePasswordEncoder::class,
+                'arguments' => [
+                    $config['time_cost'] ?? null,
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    $config['cost'] ?? null,
+                    \PASSWORD_ARGON2I,
+                ],
+            ];
+        }
+
+        if ('argon2id' === $config['algorithm']) {
+            if (($hasSodium = SodiumPasswordEncoder::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                return [
+                    'class' => SodiumPasswordEncoder::class,
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    ],
+                ];
+            }
+
+            if (!\defined('PASSWORD_ARGON2ID')) {
+                if (\defined('PASSWORD_ARGON2I')) {
+                    throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. You can either use "argon2i", upgrade to PHP 7.3+, %s sodium extension or use a different encoder.', $hasSodium ? 'upgrade your' : 'install the'));
+                }
+                throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. You should either %s sodium extension, upgrade to PHP 7.3+ or use a different encoder.', $hasSodium ? 'upgrade your' : 'install the'));
             }
 
             return [
-                'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
+                'class' => NativePasswordEncoder::class,
                 'arguments' => [
-                    $config['memory_cost'],
-                    $config['time_cost'],
-                    $config['threads'],
+                    $config['time_cost'] ?? null,
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    $config['cost'] ?? null,
+                    \PASSWORD_ARGON2ID,
                 ],
             ];
         }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -18,7 +18,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
-use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 
 abstract class CompleteConfigurationTest extends TestCase
@@ -377,14 +377,9 @@ public function testEncodersWithLibsodium()
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
-    /**
-     * @group legacy
-     *
-     * @expectedDeprecation Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "auto" instead.
-     */
     public function testEncodersWithArgon2i()
     {
-        if (!Argon2iPasswordEncoder::isSupported()) {
+        if (!($sodium = (SodiumPasswordEncoder::isSupported()) && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) && !\defined('PASSWORD_ARGON2I')) {
             $this->markTestSkipped('Argon2i algorithm is not supported.');
         }
 
@@ -429,15 +424,12 @@ public function testEncodersWithArgon2i()
                 'arguments' => [8, 102400, 15],
             ],
             'JMS\FooBundle\Entity\User7' => [
-                'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
-                'arguments' => [256, 1, 2],
+                'class' => $sodium ? SodiumPasswordEncoder::class : NativePasswordEncoder::class,
+                'arguments' => $sodium ? [256, 1] : [1, 262144, null, \PASSWORD_ARGON2I],
             ],
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
-    /**
-     * @group legacy
-     */
     public function testEncodersWithBCrypt()
     {
         $container = $this->getContainer('bcrypt_encoder');
@@ -481,8 +473,8 @@ public function testEncodersWithBCrypt()
                 'arguments' => [8, 102400, 15],
             ],
             'JMS\FooBundle\Entity\User7' => [
-                'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
-                'arguments' => [15],
+                'class' => NativePasswordEncoder::class,
+                'arguments' => [null, null, 15, \PASSWORD_BCRYPT],
             ],
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2i_encoder.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2i_encoder.php
@@ -8,7 +8,6 @@
             'algorithm' => 'argon2i',
             'memory_cost' => 256,
             'time_cost' => 1,
-            'threads' => 2,
         ],
     ],
 ]);
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2i_encoder.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2i_encoder.xml
@@ -10,7 +10,7 @@
     </imports>
 
     <sec:config>
-        <sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory_cost="256" time_cost="1" threads="2" />
+        <sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory_cost="256" time_cost="1" />
     </sec:config>
 
 </container>
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/argon2i_encoder.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/argon2i_encoder.yml
@@ -7,4 +7,3 @@ security:
             algorithm: argon2i
             memory_cost: 256
             time_cost: 1
-            threads: 2
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php
@@ -15,8 +15,6 @@
 use Symfony\Bundle\SecurityBundle\Command\UserPasswordEncoderCommand;
 use Symfony\Component\Console\Application as ConsoleApplication;
 use Symfony\Component\Console\Tester\CommandTester;
-use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
-use Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder;
@@ -55,9 +53,6 @@ public function testEncodeNoPasswordNoInteraction()
         $this->assertEquals($statusCode, 1);
     }
 
-    /**
-     * @group legacy
-     */
     public function testEncodePasswordBcrypt()
     {
         $this->setupBcrypt();
@@ -70,18 +65,15 @@ public function testEncodePasswordBcrypt()
         $output = $this->passwordEncoderCommandTester->getDisplay();
         $this->assertStringContainsString('Password encoding succeeded', $output);
 
-        $encoder = new BCryptPasswordEncoder(17);
+        $encoder = new NativePasswordEncoder(null, null, 17, \PASSWORD_BCRYPT);
         preg_match('# Encoded password\s{1,}([\w+\/$.]+={0,2})\s+#', $output, $matches);
         $hash = $matches[1];
         $this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
     }
 
-    /**
-     * @group legacy
-     */
     public function testEncodePasswordArgon2i()
     {
-        if (!Argon2iPasswordEncoder::isSupported()) {
+        if (!($sodium = (SodiumPasswordEncoder::isSupported()) && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) && !\defined('PASSWORD_ARGON2I')) {
             $this->markTestSkipped('Argon2i algorithm not available.');
         }
         $this->setupArgon2i();
@@ -94,8 +86,8 @@ public function testEncodePasswordArgon2i()
         $output = $this->passwordEncoderCommandTester->getDisplay();
         $this->assertStringContainsString('Password encoding succeeded', $output);
 
-        $encoder = new Argon2iPasswordEncoder();
-        preg_match('#  Encoded password\s+(\$argon2id?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
+        $encoder = $sodium ? new SodiumPasswordEncoder() : new NativePasswordEncoder(null, null, null, \PASSWORD_ARGON2I);
+        preg_match('#  Encoded password\s+(\$argon2i?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
         $hash = $matches[1];
         $this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
     }
@@ -195,12 +187,9 @@ public function testEncodePasswordNativeOutput()
         $this->assertStringNotContainsString(' Generated salt ', $this->passwordEncoderCommandTester->getDisplay());
     }
 
-    /**
-     * @group legacy
-     */
     public function testEncodePasswordArgon2iOutput()
     {
-        if (!Argon2iPasswordEncoder::isSupported()) {
+        if (!($sodium = (SodiumPasswordEncoder::isSupported()) && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) && !\defined('PASSWORD_ARGON2I')) {
             $this->markTestSkipped('Argon2i algorithm not available.');
         }
 
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\Security\Core\Exception\LogicException;
+
 /**
  * A generic encoder factory implementation.
  *
@@ -114,11 +116,15 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                     ],
                 ];
 
-            /* @deprecated since Symfony 4.3 */
             case 'bcrypt':
                 return [
-                    'class' => BCryptPasswordEncoder::class,
-                    'arguments' => [$config['cost']],
+                    'class' => NativePasswordEncoder::class,
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'] ?? null,
+                        \PASSWORD_BCRYPT,
+                    ],
                 ];
 
             case 'native':
@@ -140,14 +146,52 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                     ],
                 ];
 
-            /* @deprecated since Symfony 4.3 */
             case 'argon2i':
+                if (SodiumPasswordEncoder::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    return [
+                        'class' => SodiumPasswordEncoder::class,
+                        'arguments' => [
+                            $config['time_cost'] ?? null,
+                            (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        ],
+                    ];
+                }
+
+                if (!\defined('PASSWORD_ARGON2I')) {
+                    throw new LogicException('Algorithm "argon2i" is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+                }
+
                 return [
-                    'class' => Argon2iPasswordEncoder::class,
+                    'class' => NativePasswordEncoder::class,
                     'arguments' => [
-                        $config['memory_cost'],
-                        $config['time_cost'],
-                        $config['threads'],
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'] ?? null,
+                        \PASSWORD_ARGON2I,
+                    ],
+                ];
+            case 'argon2id':
+                if (($hasSodium = SodiumPasswordEncoder::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    return [
+                        'class' => SodiumPasswordEncoder::class,
+                        'arguments' => [
+                            $config['time_cost'] ?? null,
+                            (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        ],
+                    ];
+                }
+
+                if (!\defined('PASSWORD_ARGON2ID')) {
+                    throw new LogicException(sprintf('Algorithm "argon2id" is not available. You should either %s sodium extension, upgrade to PHP 7.3+ or use a different encoder.', $hasSodium ? 'upgrade your' : 'install the'));
+                }
+
+                return [
+                    'class' => NativePasswordEncoder::class,
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'] ?? null,
+                        \PASSWORD_ARGON2ID,
                     ],
                 ];
         }
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -27,7 +27,7 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
     private $algo;
     private $options;
 
-    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null)
+    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, int $algo = null)
     {
         $cost = $cost ?? 13;
         $opsLimit = $opsLimit ?? max(4, \defined('SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE') ? \SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE : 4);
@@ -45,7 +45,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
             throw new \InvalidArgumentException('$cost must be in the range of 4-31.');
         }
 
-        $this->algo = \defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT;
+        $this->algo = $algo ?? (\defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT);
         $this->options = [
             'cost' => $cost,
             'time_cost' => $opsLimit,
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
@@ -55,6 +55,14 @@ public function testValidation()
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
     }
 
+    public function testConfiguredAlgorithm()
+    {
+        $encoder = new NativePasswordEncoder(null, null, null, \PASSWORD_BCRYPT);
+        $result = $encoder->encodePassword('password', null);
+        $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
+        $this->assertStringStartsWith('$2', $result);
+    }
+
     public function testCheckPasswordLength()
     {
         $encoder = new NativePasswordEncoder(null, null, 4);
