
checkHash returns true for different passwords

Hello there. I have a very strange problem with the Security checkHash function. It returns true for different passwords. Maybe it depends on the algo?

Here is the code:

        // Fragment of index.php; Security is Phalcon\Security
        use Phalcon\Security;

        $service = new Security;

        var_dump($service->getDefaultHash());

        var_dump($service->hash('qwerty1231112asdadfaf!!!'));
        var_dump($service->checkHash('qwerty1231112asdadfaf!!!11', 'bmwxO.XvhuckM'));

The value "bmwxO.XvhuckM" was returned by the hash function on the first run of this snippet.

Result:

/git/app/index.php:161:null
/git/app/index.php:163:string '$2y$10$VStBNndBVmMzcTBJTWlmOO3S834G97VpMWN58oQ0COBW5VouL1kh.' (length=60)
/git/app/index.php:164:boolean true

Same result with CRYPT_SHA512:

        // Fragment of index.php; Security is Phalcon\Security
        use Phalcon\Security;

        $service = new Security;
        $service->setDefaultHash(Security::CRYPT_SHA512);

        var_dump($service->getDefaultHash());

        var_dump($service->hash('qwerty1231112asdadfaf!!!'));
        var_dump($service->checkHash('qwerty1231112asdadfaf!!!11', 'bmwxO.XvhuckM'));

Result:

/git/app/index.php:162:int 9
/git/app/index.php:164:string '$6$Y0xLZHZuZWcrSG9s$8c/GXCH.yJCJaf6abjhM33NrgOnANmbC5kQ9y5.VEx3w/bbhAWNgWomTmSm1KUgDHIefhlVADfxUjbPP9tYKJ0' (length=106)
/git/app/index.php:165:boolean true

What may be wrong? Thanks.


PHP 7.4.3, Phalcon 4.0.5, OpenSSL 1.1.1d 10 Sep 2019



Accepted answer (edited May '20)

So finally I found the issue. The key was generated with $service->setDefaultHash(CRYPT_SHA256); this is wrong because the global constant CRYPT_SHA256 equals 1. Phalcon's crypto expected its own constant with the same name, Security::CRYPT_SHA256, which equals 8.

So in my example I checked a hash generated with Security::CRYPT_STD_DES. It seems like an algo collision or something. The function works correctly.
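As an added example (not code from the original post or from Phalcon itself), the plain-PHP script below reproduces the mix-up described in the answer without needing the Phalcon extension: it shows that PHP's global CRYPT_SHA256 is the integer 1, that standard DES crypt(3) only looks at the first 8 bytes of the password (which is why two different passwords "match" against the 13-character hash), and it adds a prefix check a practitioner can run on a freshly generated hash to catch a misconfigured hasher before any password reaches the database. The Phalcon constant values (CRYPT_STD_DES = 1, CRYPT_SHA256 = 8) are taken from the answer and the getDefaultHash() output above; the PHALCON_* constants and the desCryptCollides, cryptScheme and assertScheme helpers are this example's own.

```php
<?php
// Added example, not from the original post or from Phalcon. Uses plain PHP
// crypt() so it runs without the Phalcon extension. The Phalcon constant
// values quoted here come from the accepted answer; the PHALCON_* names and
// the helper functions are this example's own.
declare(strict_types=1);

// 1. PHP's global CRYPT_* constants are availability flags (1 = supported),
//    not algorithm selectors, so CRYPT_SHA256 is the integer 1.
const PHALCON_CRYPT_STD_DES = 1;   // what the integer 1 means to Phalcon (assumed from the answer)
const PHALCON_CRYPT_SHA256  = 8;   // what the poster meant to select (assumed from the answer)
var_dump(CRYPT_SHA256 === PHALCON_CRYPT_STD_DES);  // bool(true): the mix-up

// 2. Standard DES crypt(3) takes a 2-character (12-bit) salt and uses only
//    the first 8 bytes of the password. Two passwords that agree on those
//    8 bytes yield the same 13-character hash, which is the "collision" seen.
function desCryptCollides(string $a, string $b, string $salt = 'bm'): bool
{
    $ha = crypt($a, $salt);
    $hb = crypt($b, $salt);
    return strlen($ha) === 13 && hash_equals($ha, $hb);
}
var_dump(desCryptCollides('qwerty1231112asdadfaf!!!', 'qwerty1231112asdadfaf!!!11'));  // bool(true)
var_dump(desCryptCollides('qwerty1231112asdadfaf!!!', 'qwerty12'));                   // bool(true)
var_dump(desCryptCollides('qwerty1231112asdadfaf!!!', 'qwerty13'));                   // bool(false)

// 3. Classify a stored hash by its crypt(3) prefix so a misconfigured hasher
//    is caught early. Written for PHP 7.4, hence substr() instead of
//    str_starts_with().
function cryptScheme(string $hash): string
{
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $hash)) {
        return 'bcrypt';
    }
    if (substr($hash, 0, 3) === '$6$') {
        return 'sha512crypt';
    }
    if (substr($hash, 0, 3) === '$5$') {
        return 'sha256crypt';
    }
    if (substr($hash, 0, 3) === '$1$') {
        return 'md5crypt';
    }
    if ($hash[0] === '_' && strlen($hash) === 20) {
        return 'ext-des';
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) {
        return 'std-des';   // 8-byte password truncation, 12-bit salt: reject
    }
    return 'unknown';
}
var_dump(cryptScheme('bmwxO.XvhuckM'));  // string(7) "std-des"
var_dump(cryptScheme('$2y$10$VStBNndBVmMzcTBJTWlmOO3S834G97VpMWN58oQ0COBW5VouL1kh.'));  // string(6) "bcrypt"

// 4. Gate on the scheme you intended. With Phalcon the fix is to pass the
//    class constant, e.g. $service->setDefaultHash(Security::CRYPT_SHA256),
//    never the bare global CRYPT_SHA256; this check verifies the result.
function assertScheme(string $hash, string $expected): void
{
    $got = cryptScheme($hash);
    if ($got !== $expected) {
        throw new RuntimeException("expected {$expected} hash, got {$got}: {$hash}");
    }
}
assertScheme('$6$Y0xLZHZuZWcrSG9s$8c/GXCH.yJCJaf6abjhM33NrgOnANmbC5kQ9y5.VEx3w/bbhAWNgWomTmSm1KUgDHIefhlVADfxUjbPP9tYKJ0', 'sha512crypt');
assertScheme('bmwxO.XvhuckM', 'sha512crypt');  // throws RuntimeException: misconfiguration caught
```

Run it once after configuring the hasher: the final assertScheme() call throws, which is the behaviour you want in a startup self-check or a unit test, because a 13-character DES hash means every password is silently truncated to 8 bytes regardless of what checkHash() reports.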