Use bcrypt as default password hash algorithm for "native" and "auto"

chalasr · chalasr · commit 20bc2c20befb · 2021-02-14T13:11:39.000+01:00
diff --git a/src/Symfony/Component/PasswordHasher/CHANGELOG.md b/src/Symfony/Component/PasswordHasher/CHANGELOG.md
@@ -2,3 +2,4 @@
 ---
 
  * Add the component
+ * Use `bcrypt` as default algorithm in `NativePasswordHasher`
diff --git a/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php
@@ -29,7 +29,7 @@ final class NativePasswordHasher implements PasswordHasherInterface
     private $options;
 
     /**
-     * @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
+     * @param string|null $algo An algorithm supported by password_hash() or null to use the best available algorithm
      */
     public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, ?string $algo = null)
     {
@@ -52,15 +52,18 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
         $algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
 
         if (\defined('PASSWORD_ARGON2I')) {
-            $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
+            $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
         }
 
         if (\defined('PASSWORD_ARGON2ID')) {
-            $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
+            $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
         }
 
         if (null !== $algo) {
             $this->algo = $algos[$algo] ?? $algo;
+        } else {
+            // use bcrypt as default
+            $this->algo = $algos[1];
         }
 
         $this->options = [
diff --git a/src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php b/src/Symfony/Component/PasswordHasher/Hasher/PasswordHasherFactory.php
@@ -11,9 +11,9 @@
 
 namespace Symfony\Component\PasswordHasher\Hasher;
 
-use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 use Symfony\Component\PasswordHasher\Exception\LogicException;
 use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 
 /**
  * A generic hasher factory implementation.
@@ -103,9 +103,15 @@ private function createHasher(array $config, bool $isExtra = false): PasswordHas
     private function getHasherConfigFromAlgorithm(array $config): array
     {
         if ('auto' === $config['algorithm']) {
-            $hasherChain = [];
             // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
-            foreach ([SodiumPasswordHasher::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
+            if (SodiumPasswordHasher::isSupported()) {
+                $algos = ['native', 'sodium', 'pbkdf2', $config['hash_algorithm']];
+            } else {
+                $algos = ['native', 'pbkdf2', $config['hash_algorithm']];
+            }
+
+            $hasherChain = [];
+            foreach ($algos as $algo) {
                 $config['algorithm'] = $algo;
                 $hasherChain[] = $this->createHasher($config, true);
             }
diff --git a/src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php b/src/Symfony/Component/PasswordHasher/Tests/Hasher/NativePasswordHasherTest.php
@@ -73,6 +73,14 @@ public function testConfiguredAlgorithm()
         $this->assertStringStartsWith('$2', $result);
     }
 
+    public function testDefaultAlgorithm()
+    {
+        $hasher = new NativePasswordHasher(null, null, null, \PASSWORD_BCRYPT);
+        $result = $hasher->hash('password', null);
+        $this->assertTrue($hasher->verify($result, 'password', null));
+        $this->assertStringStartsWith('$2', $result);
+    }
+
     public function testConfiguredAlgorithmWithLegacyConstValue()
     {
         $hasher = new NativePasswordHasher(null, null, null, '1');

Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,4 @@`
`2`	`2`	`---`
`3`	`3`
`4`	`4`	`* Add the component`
	`5`	+ * Use `bcrypt` as default algorithm in `NativePasswordHasher`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ final class NativePasswordHasher implements PasswordHasherInterface`
`29`	`29`	`private $options;`
`30`	`30`
`31`	`31`	`/**`
`32`		`- * @param string\|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm`
	`32`	`+ * @param string\|null $algo An algorithm supported by password_hash() or null to use the best available algorithm`
`33`	`33`	`*/`
`34`	`34`	`public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, ?string $algo = null)`
`35`	`35`	`{`
`@@ -52,15 +52,18 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos`
`52`	`52`	`$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];`
`53`	`53`
`54`	`54`	`if (\defined('PASSWORD_ARGON2I')) {`
`55`		`- $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;`
	`55`	`+ $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`if (\defined('PASSWORD_ARGON2ID')) {`
`59`		`- $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;`
	`59`	`+ $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`if (null !== $algo) {`
`63`	`63`	`$this->algo = $algos[$algo] ?? $algo;`
	`64`	`+ } else {`
	`65`	`+ // use bcrypt as default`
	`66`	`+ $this->algo = $algos[1];`
`64`	`67`	`}`
`65`	`68`
`66`	`69`	`$this->options = [`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,14 @@ public function testConfiguredAlgorithm()`
`73`	`73`	`$this->assertStringStartsWith('$2', $result);`
`74`	`74`	`}`
`75`	`75`
	`76`	`+ public function testDefaultAlgorithm()`
	`77`	`+ {`
	`78`	`+ $hasher = new NativePasswordHasher(null, null, null, \PASSWORD_BCRYPT);`
	`79`	`+ $result = $hasher->hash('password', null);`
	`80`	`+ $this->assertTrue($hasher->verify($result, 'password', null));`
	`81`	`+ $this->assertStringStartsWith('$2', $result);`
	`82`	`+ }`
	`83`	`+`
`76`	`84`	`public function testConfiguredAlgorithmWithLegacyConstValue()`
`77`	`85`	`{`
`78`	`86`	`$hasher = new NativePasswordHasher(null, null, null, '1');`