Merge branch '4.4'

* 4.4:
  [OptionsResolve] Revert change in tests for a not-merged change in code
  [HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
  [Workflow] Made the configuration more robust for the 'property' key
  [Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
  [FrameworkBundle] make SodiumVault report bad decryption key accurately
  cs fix
  [Security] Allow to set a fixed algorithm
  [Security/Core] make encodedLength computation more generic
  [Security/Core] add fast path when encoded password cannot match anything
  #30432 fix an error message
  fix paths to detect code owners
  [HttpClient] ignore the body of responses to HEAD requests
  [Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
  [SecurityBundle] Fix wrong assertion
  Remove unused local variables in tests
  [Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
  Make sure to collect child forms created on *_SET_DATA events
  [WebProfilerBundle] Improve display in Email panel for dark theme
  do not render errors for checkboxes twice

Author: nicolas-grekas

Encoder/EncoderFactory.php

@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\Security\Core\Exception\LogicException;
+
 /**
  * A generic encoder factory implementation.
  *
@@ -114,14 +116,20 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                     ],
                 ];
 
+            case 'bcrypt':
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = PASSWORD_BCRYPT;
+
+                return $this->getEncoderConfigFromAlgorithm($config);
+
             case 'native':
                 return [
                     'class' => NativePasswordEncoder::class,
                     'arguments' => [
                         $config['time_cost'] ?? null,
                         (($config['memory_cost'] ?? 0) << 10) ?: null,
                         $config['cost'] ?? null,
-                    ],
+                    ] + (isset($config['native_algorithm']) ? [3 => $config['native_algorithm']] : []),
                 ];
 
             case 'sodium':
@@ -132,6 +140,30 @@ private function getEncoderConfigFromAlgorithm(array $config): array
                         (($config['memory_cost'] ?? 0) << 10) ?: null,
                     ],
                 ];
+
+            case 'argon2i':
+                if (SodiumPasswordEncoder::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    $config['algorithm'] = 'sodium';
+                } elseif (\defined('PASSWORD_ARGON2I')) {
+                    $config['algorithm'] = 'native';
+                    $config['native_algorithm'] = PASSWORD_ARGON2I;
+                } else {
+                    throw new LogicException(sprintf('Algorithm "argon2i" is not available. Either use %s"auto" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? '"argon2id", ' : ''));
+                }
+
+                return $this->getEncoderConfigFromAlgorithm($config);
+
+            case 'argon2id':
+                if (($hasSodium = SodiumPasswordEncoder::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                    $config['algorithm'] = 'sodium';
+                } elseif (\defined('PASSWORD_ARGON2ID')) {
+                    $config['algorithm'] = 'native';
+                    $config['native_algorithm'] = PASSWORD_ARGON2ID;
+                } else {
+                    throw new LogicException(sprintf('Algorithm "argon2id" is not available. Either use %s"auto", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? '"argon2i", ' : ''));
+                }
+
+                return $this->getEncoderConfigFromAlgorithm($config);
         }
 
         return [

Encoder/MessageDigestPasswordEncoder.php

@@ -22,7 +22,8 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
 {
     private $algorithm;
     private $encodeHashAsBase64;
-    private $iterations;
+    private $iterations = 1;
+    private $encodedLength = -1;
 
     /**
      * @param string $algorithm          The digest algorithm to use
@@ -33,6 +34,13 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase
     {
         $this->algorithm = $algorithm;
         $this->encodeHashAsBase64 = $encodeHashAsBase64;
+
+        try {
+            $this->encodedLength = \strlen($this->encodePassword('', 'salt'));
+        } catch (\LogicException $e) {
+            // ignore algorithm not supported
+        }
+
         $this->iterations = $iterations;
     }
 
@@ -65,6 +73,10 @@ public function encodePassword(string $raw, ?string $salt)
      */
     public function isPasswordValid(string $encoded, string $raw, ?string $salt)
     {
+        if (\strlen($encoded) !== $this->encodedLength || false !== strpos($encoded, '$')) {
+            return false;
+        }
+
         return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }

Encoder/NativePasswordEncoder.php

@@ -27,7 +27,10 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
     private $algo;
     private $options;
 
-    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null)
+    /**
+     * @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
+     */
+    public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, string $algo = null)
     {
         $cost = $cost ?? 13;
         $opsLimit = $opsLimit ?? max(4, \defined('SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE') ? \SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE : 4);
@@ -45,7 +48,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
             throw new \InvalidArgumentException('$cost must be in the range of 4-31.');
         }
 
-        $this->algo = \defined('PASSWORD_ARGON2I') ? max(PASSWORD_DEFAULT, \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_ARGON2I) : PASSWORD_DEFAULT;
+        $this->algo = (string) ($algo ?? \defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : (\defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT));
         $this->options = [
             'cost' => $cost,
             'time_cost' => $opsLimit,
@@ -59,33 +62,38 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
      */
     public function encodePassword(string $raw, ?string $salt): string
     {
-        if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
+        if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || ((string) PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
             throw new BadCredentialsException('Invalid password.');
         }
 
         // Ignore $salt, the auto-generated one is always the best
 
-        $encoded = password_hash($raw, $this->algo, $this->options);
-
-        if (72 < \strlen($raw) && 0 === strpos($encoded, '$2')) {
-            // BCrypt encodes only the first 72 chars
-            throw new BadCredentialsException('Invalid password.');
-        }
-
-        return $encoded;
+        return password_hash($raw, $this->algo, $this->options);
     }
 
     /**
      * {@inheritdoc}
      */
     public function isPasswordValid(string $encoded, string $raw, ?string $salt): bool
     {
-        if (72 < \strlen($raw) && 0 === strpos($encoded, '$2')) {
-            // BCrypt encodes only the first 72 chars
+        if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }
 
-        return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);
+        if (0 === strpos($encoded, '$2')) {
+            // BCrypt encodes only the first 72 chars
+            return 72 >= \strlen($raw) && password_verify($raw, $encoded);
+        }
+
+        if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {
+            return sodium_crypto_pwhash_str_verify($encoded, $raw);
+        }
+
+        if (\extension_loaded('libsodium') && version_compare(phpversion('libsodium'), '1.0.14', '>=')) {
+            return \Sodium\crypto_pwhash_str_verify($encoded, $raw);
+        }
+
+        return password_verify($raw, $encoded);
     }
 
     /**

Encoder/Pbkdf2PasswordEncoder.php

@@ -30,8 +30,9 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
 {
     private $algorithm;
     private $encodeHashAsBase64;
-    private $iterations;
+    private $iterations = 1;
     private $length;
+    private $encodedLength = -1;
 
     /**
      * @param string $algorithm          The digest algorithm to use
@@ -43,8 +44,15 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase
     {
         $this->algorithm = $algorithm;
         $this->encodeHashAsBase64 = $encodeHashAsBase64;
-        $this->iterations = $iterations;
         $this->length = $length;
+
+        try {
+            $this->encodedLength = \strlen($this->encodePassword('', 'salt'));
+        } catch (\LogicException $e) {
+            // ignore algorithm not supported
+        }
+
+        $this->iterations = $iterations;
     }
 
     /**
@@ -72,6 +80,10 @@ public function encodePassword(string $raw, ?string $salt)
      */
     public function isPasswordValid(string $encoded, string $raw, ?string $salt)
     {
+        if (\strlen($encoded) !== $this->encodedLength || false !== strpos($encoded, '$')) {
+            return false;
+        }
+
         return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }

Encoder/SodiumPasswordEncoder.php

@@ -93,7 +93,7 @@ public function isPasswordValid(string $encoded, string $raw, ?string $salt): bo
             return \Sodium\crypto_pwhash_str_verify($encoded, $raw);
         }
 
-        throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+        return false;
     }
 
     /**

Tests/Encoder/EncoderFactoryTest.php

@@ -117,7 +117,7 @@ public function testGetInvalidNamedEncoderForEncoderAware()
 
         $user = new EncAwareUser('user', 'pass');
         $user->encoderName = 'invalid_encoder_name';
-        $encoder = $factory->getEncoder($user);
+        $factory->getEncoder($user);
     }
 
     public function testGetEncoderForEncoderAwareWithClassName()

Tests/Encoder/NativePasswordEncoderTest.php

@@ -55,6 +55,14 @@ public function testValidation()
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
     }
 
+    public function testConfiguredAlgorithm()
+    {
+        $encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);
+        $result = $encoder->encodePassword('password', null);
+        $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
+        $this->assertStringStartsWith('$2', $result);
+    }
+
     public function testCheckPasswordLength()
     {
         $encoder = new NativePasswordEncoder(null, null, 4);