I am using Zend\Crypt\Password\Bcrypt for storing passwords encrypted in the database. But now I looked a bit closer and I don't seem to understand the verify method of this class:
    /**
     * Verify if a password is correct against a hash value
     *
     * @param string $password
     * @param string $hash
     * @throws Exception\RuntimeException when the hash is unable to be processed
     * @return bool
     */
    public function verify($password, $hash)
    {
        $result = crypt($password, $hash);
        return Utils::compareStrings($hash, $result);
    }
Functionality according to the comment: "Verify if a password is correct against a hash value".
But when I check the PHP crypt function it is calling, the second argument is an optional $salt and not a $hash string to verify.
How I am reading this: it first uses the passed $hash as salt to encrypt the $password that we want to check, and then it compares the same $hash it used as salt with the encrypted $result!?
So what am I missing here? Either the php-doc is not correct or I am not understanding what is happening or I missed something in the documents.
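The following is an added example, not code from the question or from Zend\Crypt, that shows what crypt() actually does with that second argument. A bcrypt hash string is self-describing: its first 29 characters ($2y$, the cost, and the 22-character salt) are exactly the "salt" settings string, and the remaining 31 characters are the hash. crypt() only reads the settings prefix, so passing the whole stored hash as the salt re-hashes the candidate password with the original cost and salt, and the output equals the stored string only when the password matches. It assumes PHP 7 or later (crypt() with $2y$, random_bytes() and hash_equals() all exist there); the makeBcryptSalt() and verify() helper names and the password value are my own.

```php
<?php
// Added example (not from the original question or from Zend\Crypt):
// why crypt($password, $hash) reproduces $hash when the password is right.

// A bcrypt "salt" string for crypt() is: "$2y$" + two-digit cost + "$" +
// 22 characters from the ./A-Za-z0-9 alphabet. The 22 characters here are
// derived from 16 random bytes (base64 uses "+", bcrypt uses "." instead).
function makeBcryptSalt(int $cost = 10): string
{
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Verification, written the same way as Zend's Bcrypt::verify(): feed the
// stored hash back in as the "salt". crypt() parses the scheme, cost and salt
// from the first 29 characters, ignores the trailing 31 hash characters,
// re-hashes the candidate, and returns a full 60-character string again.
// That string equals the stored one only if the password is the same.
function verify(string $password, string $hash): bool
{
    $result = crypt($password, $hash);
    // Compare in constant time; Zend's Utils::compareStrings serves the same
    // role. If crypt() could not process $hash it returns a short failure
    // marker such as "*0", which can never equal a stored 60-character hash.
    return hash_equals($hash, $result);
}

$password = 'correct horse battery staple'; // constructed test input
$hash     = crypt($password, makeBcryptSalt(10));

// Always store crypt()'s output rather than the salt string you generated:
// crypt() canonicalises the last salt character (22 chars carry 132 bits but
// only 128 are used), so the stored prefix can differ from what you passed in.
printf("stored hash:     %s\n", $hash);
printf("settings prefix: %s\n", substr($hash, 0, 29));

var_dump(verify($password, $hash));
var_dump(verify('wrong password', $hash));

// Since PHP 5.5 password_verify() does the same crypt()-then-compare step.
var_dump(password_verify($password, $hash));
```

Run it with `php example.php`: the first and third var_dump() calls print bool(true) and the second prints bool(false), and the printed settings prefix is visibly the first 29 characters of the stored hash. So the PHPDoc and the crypt() documentation are both right; the stored hash simply doubles as the settings string, which is the whole design of the crypt(3) modular format and is why no separate salt column is needed.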