Extend Argon2i support check to account for sodium_compat #25412
Merged
nicolas-grekas approved these changes Dec 10, 2017
return true; | ||
} | ||
|
||
if (\class_exists('\\ParagonIE_Sodium_Compat') && \method_exists('\\ParagonIE_Sodium_Compat', 'crypto_pwhash_is_available')) { |
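Review bot: the `\method_exists('\\ParagonIE_Sodium_Compat', 'crypto_pwhash_is_available')` half of the new condition means a sodium_compat install that predates that method skips this branch entirely and continues to the rest of `isSupported` (not shown in this hunk), so the misreport the description talks about is only avoided when the 1.4 release or later is present. Suggest a short comment above the `if` stating that requirement, and checking that the fall-through path does not treat a bare polyfill as support.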
you can remove the `\\` in the strings
Done
chalasr approved these changes Dec 10, 2017
Thanks for fixing this bug @mbabker.
chalasr pushed a commit that referenced this pull request Dec 10, 2017
…(mbabker)

This PR was merged into the 3.4 branch.

Discussion
----------

Extend Argon2i support check to account for sodium_compat

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | N/A

In the Argon2i password encoder, if in an environment where `sodium_compat` is installed without either natively running PHP 7.2 or the (lib)sodium extension, the `isSupported` check can return true because the library exposes the `sodium_crypto_pwhash_str()` function however a pure PHP implementation of the method is not implemented, so the library does not actually support the hashes.

paragonie/sodium_compat#55 requested a way to check support through the polyfill to avoid this condition and the 1.4 release added it. This PR extends the encoder's `isSupported` check to be aware of the `sodium_compat` library and use its support check if able to avoid misreporting that `sodium_crypto_pwhash_str()` is available for use when it isn't.

Commits
-------

95c1fc8 Extend Argon2i support check to account for sodium_compat
In the Argon2i password encoder, if in an environment where `sodium_compat` is installed without either natively running PHP 7.2 or the (lib)sodium extension, the `isSupported` check can return true because the library exposes the `sodium_crypto_pwhash_str()` function however a pure PHP implementation of the method is not implemented, so the library does not actually support the hashes.

paragonie/sodium_compat#55 requested a way to check support through the polyfill to avoid this condition and the 1.4 release added it. This PR extends the encoder's `isSupported` check to be aware of the `sodium_compat` library and use its support check if able to avoid misreporting that `sodium_crypto_pwhash_str()` is available for use when it isn't.
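The support check described in this PR, generalised into a stand-alone probe that an application can run at boot; this is an added example, not Symfony's or sodium_compat's code. The function names `argon2iBackend()` and `assertArgon2iUsable()` and the returned labels are hypothetical; `crypto_pwhash_is_available()` is the sodium_compat check the description refers to.

```php
<?php
declare(strict_types=1);

// Added example: report which Argon2i backend can really produce a hash,
// instead of trusting function_exists('sodium_crypto_pwhash_str') alone.
function argon2iBackend(): ?string
{
    // PHP 7.2+ built with Argon2 support: password_hash() handles it.
    if (\defined('PASSWORD_ARGON2I')) {
        return 'password_hash';
    }
    // Polyfill 1.4+ is installed: ask it whether something real sits
    // behind the sodium_crypto_pwhash_str() function it exposes.
    if (\class_exists('ParagonIE_Sodium_Compat')
        && \method_exists('ParagonIE_Sodium_Compat', 'crypto_pwhash_is_available')) {
        return \ParagonIE_Sodium_Compat::crypto_pwhash_is_available() ? 'sodium' : null;
    }
    // No usable polyfill check: accept only a loaded C extension that
    // itself defines the password hashing function.
    if ((\extension_loaded('sodium') && \function_exists('sodium_crypto_pwhash_str'))
        || (\extension_loaded('libsodium') && \function_exists('Sodium\crypto_pwhash_str'))) {
        return 'sodium_extension';
    }
    // Older polyfill without the check, or nothing installed. The function
    // may exist here and still be unusable, so report "unsupported".
    return null;
}

// Fail closed at startup rather than on the first registration or login.
function assertArgon2iUsable(): string
{
    $backend = argon2iBackend();
    if (null === $backend) {
        throw new \RuntimeException(
            'Argon2i is configured but no working backend was found.'
        );
    }
    return $backend;
}

try {
    echo 'Argon2i backend: ', assertArgon2iUsable(), PHP_EOL;
} catch (\RuntimeException $e) {
    echo 'Argon2i unavailable: ', $e->getMessage(), PHP_EOL;
}
```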