[Security/Core] add fast path when encoded password cannot match anything

nicolas-grekas · nicolas-grekas · commit c57f8f7f933d · 2019-10-27T10:41:22.000+01:00
diff --git a/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
@@ -22,7 +22,8 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
 {
     private $algorithm;
     private $encodeHashAsBase64;
-    private $iterations;
+    private $iterations = 0;
+    private $encodedLength = -1;
 
     /**
      * @param string $algorithm          The digest algorithm to use
@@ -33,6 +34,13 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase
     {
         $this->algorithm = $algorithm;
         $this->encodeHashAsBase64 = $encodeHashAsBase64;
+
+        try {
+            $this->encodedLength = \strlen($this->encodePassword('', 'salt'));
+        } catch (\LogicException $e) {
+            // ignore algorithm not supported
+        }
+
         $this->iterations = $iterations;
     }
 
@@ -65,6 +73,10 @@ public function encodePassword($raw, $salt)
      */
     public function isPasswordValid($encoded, $raw, $salt)
     {
+        if (\strlen($encoded) !== $this->encodedLength || false !== strpos($encoded, '$')) {
+            return false;
+        }
+
         return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/Pbkdf2PasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/Pbkdf2PasswordEncoder.php
@@ -32,6 +32,7 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
     private $encodeHashAsBase64;
     private $iterations;
     private $length;
+    private $encodedLength;
 
     /**
      * @param string $algorithm          The digest algorithm to use
@@ -45,6 +46,7 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase
         $this->encodeHashAsBase64 = $encodeHashAsBase64;
         $this->iterations = $iterations;
         $this->length = $length;
+        $this->encodedLength = $encodeHashAsBase64 ? intdiv($length + 2, 3) << 2 : ($length << 1);
     }
 
     /**
@@ -72,6 +74,10 @@ public function encodePassword($raw, $salt)
      */
     public function isPasswordValid($encoded, $raw, $salt)
     {
+        if ((0 < $this->length && \strlen($encoded) !== $this->encodedLength) || false !== strpos($encoded, '$')) {
+            return false;
+        }
+
         return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder`
`22`	`22`	`{`
`23`	`23`	`private $algorithm;`
`24`	`24`	`private $encodeHashAsBase64;`
`25`		`- private $iterations;`
	`25`	`+ private $iterations = 0;`
	`26`	`+ private $encodedLength = -1;`
`26`	`27`
`27`	`28`	`/**`
`28`	`29`	`* @param string $algorithm The digest algorithm to use`
`@@ -33,6 +34,13 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase`
`33`	`34`	`{`
`34`	`35`	`$this->algorithm = $algorithm;`
`35`	`36`	`$this->encodeHashAsBase64 = $encodeHashAsBase64;`
	`37`	`+`
	`38`	`+ try {`
	`39`	`+ $this->encodedLength = \strlen($this->encodePassword('', 'salt'));`
	`40`	`+ } catch (\LogicException $e) {`
	`41`	`+ // ignore algorithm not supported`
	`42`	`+ }`
	`43`	`+`
`36`	`44`	`$this->iterations = $iterations;`
`37`	`45`	`}`
`38`	`46`
`@@ -65,6 +73,10 @@ public function encodePassword($raw, $salt)`
`65`	`73`	`*/`
`66`	`74`	`public function isPasswordValid($encoded, $raw, $salt)`
`67`	`75`	`{`
	`76`	`+ if (\strlen($encoded) !== $this->encodedLength \|\| false !== strpos($encoded, '$')) {`
	`77`	`+ return false;`
	`78`	`+ }`
	`79`	`+`
`68`	`80`	`return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
`69`	`81`	`}`
`70`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder`
`32`	`32`	`private $encodeHashAsBase64;`
`33`	`33`	`private $iterations;`
`34`	`34`	`private $length;`
	`35`	`+ private $encodedLength;`
`35`	`36`
`36`	`37`	`/**`
`37`	`38`	`* @param string $algorithm The digest algorithm to use`
`@@ -45,6 +46,7 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase`
`45`	`46`	`$this->encodeHashAsBase64 = $encodeHashAsBase64;`
`46`	`47`	`$this->iterations = $iterations;`
`47`	`48`	`$this->length = $length;`
	`49`	`+ $this->encodedLength = $encodeHashAsBase64 ? intdiv($length + 2, 3) << 2 : ($length << 1);`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`/**`
`@@ -72,6 +74,10 @@ public function encodePassword($raw, $salt)`
`72`	`74`	`*/`
`73`	`75`	`public function isPasswordValid($encoded, $raw, $salt)`
`74`	`76`	`{`
	`77`	`+ if ((0 < $this->length && \strlen($encoded) !== $this->encodedLength) \|\| false !== strpos($encoded, '$')) {`
	`78`	`+ return false;`
	`79`	`+ }`
	`80`	`+`
`75`	`81`	`return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
`76`	`82`	`}`
`77`	`83`	`}`