From acbbef7628a8c03ec5ca6cc2fad279247a2f4060 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Mon, 11 Jan 2021 14:13:41 +0000
Subject: [PATCH] Do not allow the password hash to be used for authentication.
---
 lib/SimpleSAML/Utils/Crypto.php | 3 +++
 tests/lib/SimpleSAML/Utils/CryptoTest.php | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 79d7f8149..efd2aba43 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -356,6 +356,9 @@ class Crypto
 */
 public static function pwValid(string $hash, string $password): bool
 {
+ if (!is_null(password_get_info($password)['algo'])) {
+ throw new Error\Exception("Cannot use a hash value for authentication.");
+ }
 if (password_verify($password, $hash)) {
 return true;
 }
diff --git a/tests/lib/SimpleSAML/Utils/CryptoTest.php b/tests/lib/SimpleSAML/Utils/CryptoTest.php
index 1dd32661b..044eacbda 100644
--- a/tests/lib/SimpleSAML/Utils/CryptoTest.php
+++ b/tests/lib/SimpleSAML/Utils/CryptoTest.php
@@ -165,6 +165,18 @@ PHP;
 $this->assertFalse($res);
 }
+ /**
+ * Check that hash cannot be used to authenticate ith.
+ */
+ public function testHashAsPwInvalid(): void
+ {
+ $pw = "password";
+
+ $hash = Crypto::pwHash($pw);
+ $this->expectException(Error\Exception::class);
+ $res = Crypto::pwValid($hash, $hash);
+ }
+
 /**
 */
--
GitLab
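Review bot: The guard added at the top of `pwValid()` in lib/SimpleSAML/Utils/Crypto.php depends on `password_get_info()` reporting `algo` as `null` for a string that is not a hash, which is the PHP 7.4+ behaviour; older versions report `0`, so `!is_null(...)` would be true for every submitted password and every login would throw. If the supported PHP range (not visible in this hunk) reaches below 7.4, a version-independent form is `if (password_get_info($password)['algoName'] !== 'unknown') {`. The check also recognises only `password_hash()` formats, so if the rest of the function, which continues outside the hunk, accepts other stored-hash encodings or a direct string comparison, those values would presumably still pass as a password. Since a `bool` validator now throws on attacker-controlled input, the docblock above should gain `@throws Error\Exception if the supplied password is itself a password hash`, and callers should be checked for handling it as a failed login.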
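Review bot: `testHashAsPwInvalid()` in tests/lib/SimpleSAML/Utils/CryptoTest.php pins only the rejection path, so nothing in this hunk shows that an ordinary password still gets past the new guard, which is the case that would regress if `password_get_info()` reported a non-null `algo` for plain strings. A companion check such as `$this->assertTrue(Crypto::pwValid($hash, $pw));` in its own test would cover that, unless an existing test outside the hunk already does. The docblock reads "authenticate ith" where "authenticate with" is meant, and `$res` is assigned but never read, so the last statement can be just `Crypto::pwValid($hash, $hash);`.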