Question
I am using Zend\Crypt\Password\Bcrypt for storing passwords encrypted in the database. But now I looked a bit closer and I don't seem to understand the verify method of this class:
    /**
     * Verify if a password is correct against a hash value
     *
     * @param string $password
     * @param string $hash
     * @throws Exception\RuntimeException when the hash is unable to be processed
     * @return bool
     */
    public function verify($password, $hash)
    {
        $result = crypt($password, $hash);
        return Utils::compareStrings($hash, $result);
    }
Functionality according to the comment: "Verify if a password is correct against a hash value".
But when I check the PHP crypt function it is calling, the second argument is an optional $salt and not a $hash string to verify.
How I am reading this: it first uses the passed $hash as salt to encrypt the $password that we want to check, and then it compares the same $hash it used as salt with the encrypted $result!?
So what am I missing here? Either the php-doc is not correct or I am not understanding what is happening or I missed something in the documents.
Answer 1:
A bcrypt hash has a well documented structure, for example this hash:
$2y$10$aPk2mEEIkGonq6/JGr0OKOhYOdgomu61ARBjDLgb0UmHM4L8f7Hxe
The string $2y$ is the prefix, 10 is the cost, aPk2mEEIkGonq6/JGr0OKO is the salt (128-bit, base64 encoded as 22 characters) and hYOdgomu61ARBjDLgb0UmHM4L8f7Hxe is the resulting hash.
The crypt function recognizes this format and uses the appropriate part of it as the salt, so there is no problem passing the whole hash as the second parameter.
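The following is an added example (not code from the question, the answer, or Zend Framework) that shows both points raised above: it splits a bcrypt string into the prefix, cost, salt and hash parts the answer describes, and it re-derives the hash with crypt() using the stored hash as the salt argument and compares the two in constant time, which is what the verify() method from the question does. The helper names parseBcryptHash and verifyPassword are assumptions for this example; the sample hash is the one from the answer, and the second hash is generated at run time with password_hash() so the password is known.

```php
<?php
// Added example: why passing a whole bcrypt hash as crypt()'s "salt" works.

// Split a bcrypt string into the parts the answer describes. Returns null when
// the string does not have the expected 60-character shape.
function parseBcryptHash(string $hash): ?array
{
    // prefix ($2a$/$2b$/$2x$/$2y$), two-digit cost, 22-char salt, 31-char hash;
    // bcrypt uses its own base64 alphabet of ./A-Za-z0-9
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        return null;
    }
    return [
        'prefix' => '$' . $m[1] . '$',
        'cost'   => (int) $m[2],
        'salt'   => $m[3], // 22 chars encode the 128-bit salt
        'hash'   => $m[4], // 31 chars encode the 184-bit bcrypt output
    ];
}

// Re-derive the hash from the candidate password using the stored hash as the
// salt argument, then compare in constant time. crypt() reads only the prefix,
// cost and 22-char salt from its second argument, so the trailing hash part of
// the stored value is ignored during derivation and only matters in the compare.
function verifyPassword(string $password, string $storedHash): bool
{
    $recomputed = crypt($password, $storedHash);
    // hash_equals() is PHP's constant-time comparison (the role Zend's
    // Utils::compareStrings plays in the question). It also returns false
    // when crypt() fails and returns the short "*0" error string.
    return hash_equals($storedHash, $recomputed);
}

// The hash quoted in the answer, split into its parts.
$answerHash = '$2y$10$aPk2mEEIkGonq6/JGr0OKOhYOdgomu61ARBjDLgb0UmHM4L8f7Hxe';
print_r(parseBcryptHash($answerHash));

// A freshly generated hash for a known password (constructed here; low cost
// keeps the example fast, production code should use a higher cost).
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);

var_dump(verifyPassword('correct horse', $stored));  // correct password
var_dump(verifyPassword('wrong password', $stored)); // wrong password

// Demonstrate that crypt() only consumes the first 29 characters
// ("$2y$04$" + 22-char salt): the salt prefix alone reproduces the full hash.
$saltOnly = substr($stored, 0, 29);
var_dump(crypt('correct horse', $saltOnly) === $stored);
```

Run it with the PHP CLI (php example.php). The first var_dump is true and the second false, because a wrong password yields a string with the same 29-character prefix but a different 31-character hash part; the last var_dump is true, which is the property that makes the Zend verify() method correct: the stored hash carries its own salt, so it can be handed to crypt() unchanged.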
Source: https://stackoverflow.com/questions/32717509/zend-crypt-password-bcrypt-verify-method