I expect I’m just missing something here, and would love some input on this (i.e., what am I missing?). For a while now, I’ve been in the habit of using PHP’s hash_hmac() function to hash data, such as passwords to be stored. Then I call hash_hmac() again on the login password and confirm the two passwords. Standard stuff. Like using MD5() or SHA1(), but with a secure algorithm. Sometimes I use crypt() BLOWFISH instead, but that’s irrelevant here.
In Yii, hash_hmac() is wrapped in the CSecurityManager::computeHMAC() method. This is a protected method, though, so it can’t be called directly. The CSecurityManager::hashData() method is a public wrapper to computeHMAC(). However, hashData() returns not just the hash_hmac() version of the data but also the data itself at the end of the string. Thus, assuming I’m using the same algorithm and key, running “password” through:
hash_hmac() would return "21f9b9e3c98236d3efb6c8b47a4137a1c7ad59cc84af20e2e8ba41c946f34ab6"
computeHMAC() would return "21f9b9e3c98236d3efb6c8b47a4137a1c7ad59cc84af20e2e8ba41c946f34ab6" (if you could call the method directly)
but running that through hashData() returns “21f9b9e3c98236d3efb6c8b47a4137a1c7ad59cc84af20e2e8ba41c946f34ab6password”. The data being hashed is appended to the end of the returned string. Obviously, I wouldn’t want to store that returned value, because it includes the un-hashed password.

Now I could chop off the provided data from the end of the string and store that, but if I’m going through that effort, I might as well just use hash_hmac() directly instead.

So what am I missing? What’s the point of appending the data to the returned hash? Is it because hashData() is meant to be used with validateData(), and not really as a wrapper to hash_hmac()?

Any insights on this would be most appreciated! Thanks.
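As an added illustration of the hashData()/validateData() pairing the post asks about (a minimal stand-in, not Yii's own CSecurityManager code), the example below shows why the plaintext is appended: the receiver needs the data back to recompute the MAC. The key, algorithm and sample cookie-style payload are assumptions constructed for the example; the bcrypt lines at the end contrast this with the crypt() BLOWFISH-style password storage the post mentions.

```php
<?php
// Added illustration (not Yii's source): a minimal re-implementation of the
// hashData()/validateData() pairing, to show why the plaintext is appended.
// The key and hash algorithm below are assumptions for this example.

const HMAC_KEY  = 'example-key-change-me'; // assumed placeholder key
const HMAC_ALGO = 'sha256';               // assumed; real code makes this configurable

// hashData-style: MAC first, then the data itself, so the holder of the
// string (e.g. a cookie) can hand the data back and have it re-checked later.
function hashData(string $data): string
{
    return hash_hmac(HMAC_ALGO, $data, HMAC_KEY) . $data;
}

// validateData-style: split off the MAC, recompute it over the remainder,
// and return the original data only when the MAC matches; false otherwise.
function validateData(string $stored)
{
    $len = strlen(hash_hmac(HMAC_ALGO, '', HMAC_KEY)); // MAC length for this algo
    if (strlen($stored) < $len) {
        return false;
    }
    $mac  = substr($stored, 0, $len);
    $data = substr($stored, $len);
    // Constant-time comparison avoids leaking where the two MACs diverge.
    return hash_equals(hash_hmac(HMAC_ALGO, $data, HMAC_KEY), $mac) ? $data : false;
}

// Constructed sample payload: integrity-protected, not secret.
$payload = 'user=42;expires=1700000000';
$token   = hashData($payload);
var_dump(validateData($token) === $payload);            // untouched token
var_dump(validateData(substr($token, 0, -1) . 'x'));    // tampered token

// For password storage this pairing is the wrong tool: the plaintext would be
// stored next to the MAC. A salted, slow password hash keeps only a verifier.
$verifier = password_hash('password', PASSWORD_BCRYPT);
var_dump(password_verify('password', $verifier));
```

validateData() returns the recovered data for an untouched token and false for the tampered one, which is the integrity check the concatenation exists to support; it is not a substitute for a password hash.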