[Security] Do not mix usage of password_*() functions and sodium_*() ones

Robin Chalas · Robin Chalas · commit 81badab2a6e6 · 2019-01-12T03:20:20.000+01:00
diff --git a/Encoder/Argon2iPasswordEncoder.php b/Encoder/Argon2iPasswordEncoder.php
@@ -60,7 +60,9 @@ public function encodePassword($raw, $salt)
      */
     public function isPasswordValid($encoded, $raw, $salt)
     {
-        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {
+        // If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i".
+        // In this case, "password_verify()" cannot be used.
+        if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I') && (false === strpos($encoded, '$argon2id$'))) {
             return !$this->isPasswordTooLong($raw) && password_verify($raw, $encoded);
         }
         if (\function_exists('sodium_crypto_pwhash_str_verify')) {

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,9 @@ public function encodePassword($raw, $salt)`
`60`	`60`	`*/`
`61`	`61`	`public function isPasswordValid($encoded, $raw, $salt)`
`62`	`62`	`{`
`63`		`- if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I')) {`
	`63`	`+ // If $encoded was created via "sodium_crypto_pwhash_str()", the hashing algorithm may be "argon2id" instead of "argon2i".`
	`64`	`+ // In this case, "password_verify()" cannot be used.`
	`65`	`+ if (\PHP_VERSION_ID >= 70200 && \defined('PASSWORD_ARGON2I') && (false === strpos($encoded, '$argon2id$'))) {`
`64`	`66`	`return !$this->isPasswordTooLong($raw) && password_verify($raw, $encoded);`
`65`	`67`	`}`
`66`	`68`	`if (\function_exists('sodium_crypto_pwhash_str_verify')) {`