Commit f8428e07 authored by Thijs Kinkhorst's avatar Thijs Kinkhorst

Do not allow the password hash to be used for authentication.

(cherry picked from commit acbbef76)
parent 6a927d6f
...@@ -429,6 +429,10 @@ class Crypto ...@@ -429,6 +429,10 @@ class Crypto
throw new \InvalidArgumentException('Invalid input parameters.'); throw new \InvalidArgumentException('Invalid input parameters.');
} }
if (!is_null(password_get_info($password)['algo'])) {
throw new Error\Exception("Cannot use a hash value for authentication.");
}
if (password_verify($password, $hash)) { if (password_verify($password, $hash)) {
return true; return true;
} }
......
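Review bot: The new guard relies on `password_get_info()` reporting `null` in `algo` for an unrecognized string; if the project still runs on PHP versions where an unrecognized hash yields a non-null sentinel instead, `is_null()` would reject every plain password, so the supported PHP range should be confirmed before merging. The check also only recognizes crypt-style hashes; if pwValid accepts other stored-hash formats on the lines outside this hunk, a value in one of those formats would not be caught here, and a short comment stating that the guard is deliberately limited to crypt-style hashes would make the intent clear. Style-wise, the strict comparison reads better than the negated function call: `if (password_get_info($password)['algo'] !== null) {`. The enclosing pwValid method starts and ends outside the hunk.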
...@@ -237,6 +237,18 @@ PHP; ...@@ -237,6 +237,18 @@ PHP;
$this->assertFalse($res); $this->assertFalse($res);
} }
/**
* Check that hash cannot be used to authenticate ith.
*/
public function testHashAsPwInvalid(): void
{
$pw = "password";
$hash = Crypto::pwHash($pw);
$this->expectException(Error\Exception::class);
$res = Crypto::pwValid($hash, $hash);
}
/** /**
* @covers \SimpleSAML\Utils\Crypto::pwValid * @covers \SimpleSAML\Utils\Crypto::pwValid
......
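Review bot: The new test omits the `@covers` annotation that the sibling pwValid tests carry (visible on the next test in this hunk), and its docblock has a typo ("ith"); the header should read `* Check that a hash cannot be used to authenticate with.` followed by `* @covers \SimpleSAML\Utils\Crypto::pwValid`. The `$res` assignment on the last line is dead, since the call is expected to throw before it returns, so the call should stand alone: `Crypto::pwValid($hash, $hash);`. The test class starts and ends outside the hunk.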