Do not allow the password hash to be used for authentication.

acbbef76 · Thijs Kinkhorst · 8ed53848 · acbbef76 · acbbef76
Commit acbbef76 authored 4 years ago by Thijs Kinkhorst
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -356,6 +356,9 @@ class Crypto
     */
    public static function pwValid(string $hash, string $password): bool
    {
+        if (!is_null(password_get_info($password)['algo'])) {
+            throw new Error\Exception("Cannot use a hash value for authentication.");
+        }
        if (password_verify($password, $hash)) {
            return true;
        }

--- a/tests/lib/SimpleSAML/Utils/CryptoTest.php
+++ b/tests/lib/SimpleSAML/Utils/CryptoTest.php
@@ -165,6 +165,18 @@ PHP;
        $this->assertFalse($res);
    }

+    /**
+     * Check that hash cannot be used to authenticate ith.
+     */
+    public function testHashAsPwInvalid(): void
+    {
+        $pw = "password";
+
+        $hash = Crypto::pwHash($pw);
+        $this->expectException(Error\Exception::class);
+        $res = Crypto::pwValid($hash, $hash);
+    }
+

    /**
     */