PHP :: Bug #75221 :: Argon2i always throws NUL at the end

Bug #75221

Argon2i always throws NUL at the end

Submitted:

2017-09-18 09:40 UTC

Modified:

2017-10-12 10:58 UTC

Votes:	2
Avg. Score:	3.0 ± 2.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	2 (100.0%)

From:

phpdoc at mail dot my1 dot info

Assigned:

cmb (profile)

Status:

Closed

Package:

*Encryption and hash functions

PHP Version:

7.2.0RC2

OS:

Win8.1 x64

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	phpdoc at mail dot my1 dot info
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-09-18 09:40 UTC] phpdoc at mail dot my1 dot info

Description:
------------
for some reason using argon2i as a hash algorithm, it always dumps out a NUL byte at the end which doesnt happen with bcrypt.


I just use the PHP7.2-RC2 x64-nts from windows.php.net on a webserver using cgi

Test script:
---------------
<?php
header("Content-type: text/plain");
$pwhash=password_hash("php",PASSWORD_ARGON2I,[
  'memory_cost' => 16384, // 16 Mb
  'time_cost'   => 2,
  'threads'     => 4,]);
  
  
echo  $pwhash;

$pwhash2=password_hash("php",PASSWORD_BCRYPT,[
  "cost"=> 10]);
  echo PHP_EOL.PHP_EOL;
  echo $pwhash2;

Expected result:
----------------
that it wont dump a NUL at the end

Actual result:
--------------
it does throw a NUL byte at the end.

Patches

Pull Requests

Pull requests:

Fixed bug #75221 (Argon2i always throws NUL at the end) (php-src/2759)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-09-18 09:56 UTC] phpdoc at mail dot my1 dot info

by the way, password_verify, doesnt care whether the NUL exists.

the test script can be expanded by:

var_dump(password_verify("php",$pwhash));
var_dump(password_verify("php",trim($pwhash)));

[2017-09-18 12:57 UTC] cmb@php.net

-Status: Open +Status: Verified

[2017-09-18 12:57 UTC] cmb@php.net

The problem appears to be that argon2_encodedlen() returns the
length of the resulting string including the trailing NUL byte
(i.e. strlen()+1). However, zend_string_alloc() wants the length
of the string without trailing NUL.

See <https://github.com/php/php-src/blob/php-7.2.0beta3/ext/standard/password.c#L518-L529>.

[2017-10-12 10:57 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f8961dfac96a992df2516c0e383e6820eedd31b
Log: Fixed bug #75221 (Argon2i always throws NUL at the end)

[2017-10-12 10:57 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2017-10-12 10:58 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

[2017-10-25 08:13 UTC] phpdoc at mail dot my1 dot info

I can confirm this fixed as of RC5

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 15:00:01 2025 UTC