hash_pbkdf2() truncates data when using default length and hex output

Bug #64745 hash_pbkdf2() truncates data when using default length and hex output
Submitted: 2013-05-01 00:18 UTC Modified: 2013-05-15 13:06 UTC
From: ezzatron at gmail dot com Assigned: ircmaxell (profile)
Status: Closed Package: hash related
PHP Version: 5.5.0beta4 OS:
Private report: No CVE-ID: None

 [2013-05-01 00:18 UTC] ezzatron at gmail dot com

Description:
------------
When passing 0 as the length to hash_pbkdf2(), the behaviour is inconsistent 
between raw output and hex-encoded output. See the test script for a concrete 
example.

There are also no tests for the use case where length is defaulted in the current 
test suite (http://bit.ly/YcgMMu).

I'm attempting to write a compatibility library for this function for PHP versions 
earlier that 5.5, so the test suite for https://github.com/eloquent/pbkdf2-compat 
and its build history in Travis CI may also be useful, as it documents the current 
behaviour more extensively.

Test script:
---------------
<?php

$hash = hash_pbkdf2('sha1', 'password', 'salt', 1, 0);
$rawHash = hash_pbkdf2('sha1', 'password', 'salt', 1, 0, true);

var_dump($hash);
var_dump(bin2hex($rawHash));

Expected result:
----------------
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"

Actual result:
--------------
string(20) "0c60c80f961f0e71f3a9"
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2013-05-15 12:54 UTC] dsp@php.net

-Assigned To: +Assigned To: ircmaxell

 [2013-05-15 13:06 UTC] ircmaxell@php.net

Ahh, very interesting find. Will confirm, write a test case, and push a fix for it 
later today.

Thanks for the report!