From f8428e07513e5373d53d4681023ad36c6830744d Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Mon, 11 Jan 2021 14:13:41 +0000
Subject: [PATCH] Do not allow the password hash to be used for authentication.

(cherry picked from commit acbbef7628a8c03ec5ca6cc2fad279247a2f4060)
---
 lib/SimpleSAML/Utils/Crypto.php           |  4 ++++
 tests/lib/SimpleSAML/Utils/CryptoTest.php | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 59c6cd2fa..681c7a8a1 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -429,6 +429,10 @@ class Crypto
             throw new \InvalidArgumentException('Invalid input parameters.');
         }
 
+        if (!is_null(password_get_info($password)['algo'])) {
+            throw new Error\Exception("Cannot use a hash value for authentication.");
+        }
+
         if (password_verify($password, $hash)) {
             return true;
         }
diff --git a/tests/lib/SimpleSAML/Utils/CryptoTest.php b/tests/lib/SimpleSAML/Utils/CryptoTest.php
index 697bbadbf..90ac6b062 100644
--- a/tests/lib/SimpleSAML/Utils/CryptoTest.php
+++ b/tests/lib/SimpleSAML/Utils/CryptoTest.php
@@ -237,6 +237,18 @@ PHP;
         $this->assertFalse($res);
     }
 
+    /**
+     * Check that hash cannot be used to authenticate ith.
+     */
+    public function testHashAsPwInvalid(): void
+    {
+        $pw = "password";
+
+        $hash = Crypto::pwHash($pw);
+        $this->expectException(Error\Exception::class);
+        $res = Crypto::pwValid($hash, $hash);
+    }
+
 
     /**
      * @covers \SimpleSAML\Utils\Crypto::pwValid
-- 
GitLab