hash_pbkdf2() truncates data when using default length and hex output

Bug #64745	hash_pbkdf2() truncates data when using default length and hex output
Submitted:	2013-05-01 00:18 UTC	Modified:	2013-05-15 13:06 UTC
From:	ezzatron at gmail dot com	Assigned:	ircmaxell (profile)
Status:	Closed	Package:	hash related
PHP Version:	5.5.0beta4	OS:
Private report:	No	CVE-ID:	None

[2013-05-01 00:18 UTC] ezzatron at gmail dot com

Description:
------------
When passing 0 as the length to hash_pbkdf2(), the behaviour is inconsistent 
between raw output and hex-encoded output. See the test script for a concrete 
example.

There are also no tests for the use case where length is defaulted in the current 
test suite (http://bit.ly/YcgMMu).

I'm attempting to write a compatibility library for this function for PHP versions 
earlier that 5.5, so the test suite for https://github.com/eloquent/pbkdf2-compat 
and its build history in Travis CI may also be useful, as it documents the current 
behaviour more extensively.

Test script:
---------------
<?php

$hash = hash_pbkdf2('sha1', 'password', 'salt', 1, 0);
$rawHash = hash_pbkdf2('sha1', 'password', 'salt', 1, 0, true);

var_dump($hash);
var_dump(bin2hex($rawHash));

Expected result:
----------------
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"

Actual result:
--------------
string(20) "0c60c80f961f0e71f3a9"
string(40) "0c60c80f961f0e71f3a9b524af6012062fe037a6"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-05-15 12:54 UTC] dsp@php.net

-Assigned To: +Assigned To: ircmaxell

[2013-05-15 13:06 UTC] ircmaxell@php.net

Ahh, very interesting find. Will confirm, write a test case, and push a fix for it 
later today.

Thanks for the report!