php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52409 Wrong hash_hmac result
Submitted: 2010-07-22 19:48 UTC Modified: 2010-07-23 00:12 UTC
From: blackakula at gmail dot com Assigned:
Status: Not a bug Package: OpenSSL related
PHP Version: 5.3.3 OS: Ubuntu 10.04
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: blackakula at gmail dot com
New email:
PHP Version: OS:

 

 [2010-07-22 19:48 UTC] blackakula at gmail dot com
Description:
------------
I've tried many other ways to calculate this SHA-256. All sources gave me expected result (string(64) "88e0d97d68acf161407af5965ae1e33b1743dbc400af1cc8a2020d47f45ca83e"), except PHP.
Source 1: http://hash.online-convert.com/sha256-generator (online sha256-generator)
Source 2: ruby code: OpenSSL::HMAC.hexdigest('sha256','49a40e1d5c24be8a6e7d566a05d346d0','eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEyNzk4MTgwMDAsIm9hdXRoX3Rva2VuIjoiMTIxMTc2NDk3OTEwMTg5fDIuNlBKWkFNTFozOGcxaUZYMXdraUZwZ19fLjM2MDAuMTI3OTgxODAwMC02MjAzMDc1NDJ8UXd5MHVuZEJ2YVlSYnJWcDBFSkN4eGdVRjQ4LiIsInVzZXJfaWQiOiI2MjAzMDc1NDIifQ')

PHP code example (gave me string(64) "61c9a97bd820052765e1291708352acadb397ea15489bf8be18bd34f775cda1a"):
<?php
var_dump(hash_hmac('sha256','eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEyNzk4MTA4MDAsIm9hdXRoX3Rva2VuIjoiMTIxMTc2NDk3OTEwMTg5fDIuNENNcl9UWV9OVnNKTmpSQlNzOGQ1QV9fLjM2MDAuMTI3OTgxMDgwMC02MjAzMDc1NDJ8eFg5QTBLRzRKbnNHNXZmQ2VaSGJpQmNJeE9vLiIsInVzZXJfaWQiOiI2MjAzMDc1NDIifQ','49a40e1d5c24be8a6e7d566a05d346d0',false));
?>

Test script:
---------------
<?php
var_dump(hash_hmac('sha256','eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEyNzk4MTA4MDAsIm9hdXRoX3Rva2VuIjoiMTIxMTc2NDk3OTEwMTg5fDIuNENNcl9UWV9OVnNKTmpSQlNzOGQ1QV9fLjM2MDAuMTI3OTgxMDgwMC02MjAzMDc1NDJ8eFg5QTBLRzRKbnNHNXZmQ2VaSGJpQmNJeE9vLiIsInVzZXJfaWQiOiI2MjAzMDc1NDIifQ','49a40e1d5c24be8a6e7d566a05d346d0',false));
?>

Expected result:
----------------
string(64) "88e0d97d68acf161407af5965ae1e33b1743dbc400af1cc8a2020d47f45ca83e"

Actual result:
--------------
string(64) "61c9a97bd820052765e1291708352acadb397ea15489bf8be18bd34f775cda1a"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-23 00:12 UTC] pollita@php.net
-Status: Open +Status: Bogus
 [2010-07-23 00:12 UTC] pollita@php.net
The outputs don't agree because the inputs are different.  Look closely at the values you're passing in for each:

Ruby: eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEyNzk4MTgwMDAsIm9hdXRoX3Rva2VuIjoiMTIxMTc2NDk3OTEwMTg5fDIuNlBKWkFNTFozOGcxaUZYMXdraUZwZ19fLjM2MDAuMTI3OTgxODAwMC02MjAzMDc1NDJ8UXd5MHVuZEJ2YVlSYnJWcDBFSkN4eGdVRjQ4LiIsInVzZXJfaWQiOiI2MjAzMDc1NDIifQ

PHP: eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEyNzk4MTA4MDAsIm9hdXRoX3Rva2VuIjoiMTIxMTc2NDk3OTEwMTg5fDIuNENNcl9UWV9OVnNKTmpSQlNzOGQ1QV9fLjM2MDAuMTI3OTgxMDgw
MC02MjAzMDc1NDJ8eFg5QTBLRzRKbnNHNXZmQ2VaSGJpQmNJeE9vLiIsInVzZXJfaWQiOiI2MjAzMDc1
NDIifQ

They're identical up to ...EwMTg5fDIuN    but then the Ruby version continues with lBKWkFN... while the PHP version continues with ENNcl9...

The hash of two different values will be different.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 17:01:29 2024 UTC