Hash::check not applying options before verifying Algorithm

[GeNyaa]

Laravel Version

12.x, 11.x

PHP Version

8.2, 8.1

Database Driver & Version

No response

Description

When using;

Hash::check(
    'password',
    'hash',
    [
        'verify' => false,
    ]
);

it'll still verify the algorithm before running the rest of the function and will throw a bcrypt error, if the incorrect value is used.

Steps To Reproduce

make sure bcrypt verify is set to true in config.

Hash::check(
    'password',
    '$2a$12$JU/xbox8TdX8Yp7deAOAnu9KWeGtreepOspbfa4t9x7yaxICVfzuq',
    [
        'verify' => false,
    ]
);

results in an error thrown instead of a true or false.

[ghabriel25]

@GeNyaa If you set it to true in config, that value will be used in constructor

• framework/src/Illuminate/Hashing/HashManager.php

  Line 18 in fba3b98

  public function createBcryptDriver()

• framework/src/Illuminate/Hashing/BcryptHasher.php

  Line 38 in fba3b98

  public function __construct(array $options = [])

As you can see above, first check is passed, second check is the hashed password itself. It uses password_get_info to get the algorithm.

• framework/src/Illuminate/Hashing/AbstractHasher.php

  Line 13 in fba3b98

  public function info($hashedValue)

• framework/src/Illuminate/Hashing/BcryptHasher.php

  Line 124 in fba3b98

  protected function isUsingCorrectAlgorithm($hashedValue)

If this the result is not bcrypt it will throw a RuntimeException. I have tried your hashed password and it gives output unknown algorithm.

But I found out that if you pass option when using Hash::check, that options never used.

framework/src/Illuminate/Hashing/AbstractHasher.php

Line 26 in fba3b98

public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])

I think it should be like this

public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
{
    if (is_null($hashedValue) || strlen($hashedValue) === 0) {
        return false;
    }

    if (! empty($options)) {
        $this->verifyAlgorithm = $options['verify'] ?? $this->verifyAlgorithm;
    }

    if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
        throw new RuntimeException('This password does not use the Bcrypt algorithm.');
    }

    return parent::check($value, $hashedValue, $options);
}

[GeNyaa]

The hash above is a different bcrypt version 2a instead of 2y, the hash itself should be the same though.

[crynobone]

Is the step to reproduce used in any of Laravel documentation? If not, feel free to submit a PR to suggest the new usage.

[GeNyaa]

I used verify false as an option to ignore the amount of rounds when checking the password. So it would allow me to check 8, 10 and 12 rounds without turning verify off inside the config/env vars. This doesn't seem documented in the documentation, but is working as expected. However when using 2a version hashes it errors out, which is why I thought this was a bug as it's suppose to just check the hash without verifying version or rounds.

I'll create a pr to address this later, when I have more time on my hands.