Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security::checkHash returns true when using with a non-bcrypt hash #1912

Closed
iby opened this issue Jan 26, 2014 · 5 comments
Closed

Security::checkHash returns true when using with a non-bcrypt hash #1912

iby opened this issue Jan 26, 2014 · 5 comments

Comments

@iby
Copy link
Contributor

iby commented Jan 26, 2014 

$di->setShared('security', function () {
    $security = new Security();
    $security->setWorkFactor(12);
    return $security;
});


echo DI::getDefault()->get('security')->checkHash('not jelly beans', 'cb7d86ece76c57eac5ed18420ca67ea0'); // true;

That's so not true… 😰 Though, when using actual incorrect bcrypt hashes it works fine.
@phalcon
Copy link
Collaborator

phalcon commented Jan 26, 2014

We're not implementing our own bcrypt, we're using php's bcrypt: https://github.com/phalcon/cphalcon/blob/master/ext/security.c#L281

@iby
Copy link
Contributor Author

iby commented Jan 26, 2014

I saw that, nevertheless the output is different. I guess something goes wrong in this if security.c#L291?

$crypt1    = crypt('jelly beans', '$2a$12$pB5pV4BxwyF6NEhXZvUuReH3W9q8r6O4vev3zowUbLcR.olErmouy');
// $2a$12$pB5pV4BxwyF6NEhXZvUuReH3W9q8r6O4vev3zowUbLcR.olErmouy
// Hashes match.

$crypt2    = crypt('jelly beans', 'cb7d86ece76c57eac5ed18420ca67ea0');
// cbDA8obfHjP5g
// Here they don't…

@iby
Copy link
Contributor Author

iby commented Jan 26, 2014

Am I guessing or do we compare string lengths here:

if (Z_STRLEN_P(hash) == Z_STRLEN_PP(password_hash)) {

But if they are not equal in length first place then this:

RETURN_BOOL(check == 0);

Will always be true. Hence the result.

phalcon pushed a commit that referenced this issue Jan 26, 2014
Merge pull request #1914 from sjinks/issue-1912
5350f1b 
[1.3.0] Fix #1912
phalcon pushed a commit that referenced this issue Jan 26, 2014
Merge pull request #1915 from sjinks/1.2.6
056d073 
[1.2.6] Fix #1912
@phalcon phalcon mentioned this issue Jan 26, 2014
Closed
@phalcon
Copy link
Collaborator

phalcon commented Jan 26, 2014

Fixed in 1.2.6 and 1.3.0

@phalcon phalcon closed this as completed Jan 26, 2014
@chinlung
Copy link

In 1.2.6, When checkHash first param is empty, it's always true...
ex:
$this->security->checkHash("", $user->passwd)

@mryellow mryellow mentioned this issue Jul 7, 2014
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chinlung @niden @iby