
checkHash returns true for different passwords

Hello there. I have a very strange problem with the Security checkHash function. It returns true for different passwords. Maybe it depends on the algorithm?

Here is the code:

    use Phalcon\Security;

    $service = new Security;

    var_dump($service->getDefaultHash());   // null: no default hash set

    var_dump($service->hash('qwerty1231112asdadfaf!!!'));
    // 'bmwxO.XvhuckM' is the value hash() returned on the first run of this snippet
    var_dump($service->checkHash('qwerty1231112asdadfaf!!!11', 'bmwxO.XvhuckM'));

The value "bmwxO.XvhuckM" was returned by the hash function on the first run of this snippet.

Result:

/git/app/index.php:161:null
/git/app/index.php:163:string '$2y$10$VStBNndBVmMzcTBJTWlmOO3S834G97VpMWN58oQ0COBW5VouL1kh.' (length=60)
/git/app/index.php:164:boolean true

Same result with CRYPT_SHA512:

    use Phalcon\Security;

    $service = new Security;
    $service->setDefaultHash(Security::CRYPT_SHA512);

    var_dump($service->getDefaultHash());   // int 9 (Security::CRYPT_SHA512)

    var_dump($service->hash('qwerty1231112asdadfaf!!!'));
    // same stored hash as in the first snippet
    var_dump($service->checkHash('qwerty1231112asdadfaf!!!11', 'bmwxO.XvhuckM'));

Result:

/git/app/index.php:162:int 9
/git/app/index.php:164:string '$6$Y0xLZHZuZWcrSG9s$8c/GXCH.yJCJaf6abjhM33NrgOnANmbC5kQ9y5.VEx3w/bbhAWNgWomTmSm1KUgDHIefhlVADfxUjbPP9tYKJ0' (length=106)
/git/app/index.php:165:boolean true

What may be wrong? Thanks.


PHP 7.4.3, Phalcon 4.0.5, OpenSSL 1.1.1d 10 Sep 2019



Accepted answer, edited May '20

So finally I found the issue. The key was generated with $service->setDefaultHash(CRYPT_SHA256); this is wrong because the global constant CRYPT_SHA256 equals 1. Phalcon's crypto expects its own constant with the same name, Security::CRYPT_SHA256, which equals 8.

So in my example I checked a hash generated with Security::CRYPT_STD_DES. It seems like an algo collision or something. The function works correctly.
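The 13-character hash in the question is standard DES crypt output, and DES crypt uses only the first 8 characters of the password; both passwords above start with "qwerty12", so both verify. The following is an added example (not code from the thread or from Phalcon) that reproduces this with plain PHP crypt(), contrasts it with bcrypt, and shows a check that refuses legacy DES hashes; the function names are my own.

```php
<?php
// Added example, not from the thread or from Phalcon. Shows why a DES crypt
// hash accepts two passwords sharing an 8-character prefix, and a defender's
// check that rejects such hashes before verifying against them.

// Hash quoted in the question (produced with Phalcon's CRYPT_STD_DES = 1,
// the same value the global PHP constant CRYPT_SHA256 has).
const DES_HASH_FROM_THREAD = 'bmwxO.XvhuckM';

// Classify a crypt()-style hash. Standard DES output is exactly 13 characters
// (2 salt chars + 11 hash chars) and carries no "$id$" prefix.
function cryptScheme(string $hash): string
{
    if (preg_match('/^\$(2[abxy]?|5|6)\$/', $hash, $m)) {
        return $m[1][0] === '2' ? 'bcrypt' : ($m[1] === '5' ? 'sha256-crypt' : 'sha512-crypt');
    }
    return strlen($hash) === 13 ? 'std-des' : 'unknown';
}

// What a crypt()-based verifier does (Phalcon's checkHash is also built on
// crypt()): re-run crypt() with the stored hash as salt and compare.
function verifyCrypt(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Defender's check: only verify against bcrypt or SHA-crypt hashes, so a legacy
// DES hash can never silently validate an 8-character prefix.
function verifyModernOnly(string $password, string $storedHash): bool
{
    $scheme = cryptScheme($storedHash);
    return $scheme !== 'std-des' && $scheme !== 'unknown' && verifyCrypt($password, $storedHash);
}

$p1 = 'qwerty1231112asdadfaf!!!';
$p2 = 'qwerty1231112asdadfaf!!!11';

// Global CRYPT_SHA256 is an availability flag equal to 1, not an algorithm id.
var_dump(CRYPT_SHA256);
var_dump(cryptScheme(DES_HASH_FROM_THREAD));
// DES: both passwords give the same verdict because only "qwerty12" is hashed.
var_dump(verifyCrypt($p1, DES_HASH_FROM_THREAD), verifyCrypt($p2, DES_HASH_FROM_THREAD));
// bcrypt: the whole password is hashed, so the longer one is rejected.
$bcrypt = password_hash($p1, PASSWORD_BCRYPT);
var_dump(password_verify($p1, $bcrypt), password_verify($p2, $bcrypt));
// The guarded check refuses the DES hash outright, whatever the password.
var_dump(verifyModernOnly($p1, DES_HASH_FROM_THREAD));
```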