Bug #75221 Argon2i always throws NUL at the end
Submitted: 2017-09-18 09:40 UTC Modified: 2017-10-12 10:58 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: phpdoc at mail dot my1 dot info Assigned: cmb (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.2.0RC2 OS: Win8.1 x64
Private report: No CVE-ID: None
 [2017-09-18 09:40 UTC] phpdoc at mail dot my1 dot info
Description:
------------
For some reason, when using argon2i as a hash algorithm, it always dumps out a NUL byte at the end, which doesn't happen with bcrypt.


I just use the PHP7.2-RC2 x64-nts from windows.php.net on a webserver using CGI.

Test script:
---------------
<?php
header("Content-type: text/plain");

// Argon2i hash; memory_cost is given in KiB
$pwhash = password_hash("php", PASSWORD_ARGON2I, [
    'memory_cost' => 16384, // 16 MiB
    'time_cost'   => 2,
    'threads'     => 4,
]);
echo $pwhash;

// bcrypt hash for comparison
$pwhash2 = password_hash("php", PASSWORD_BCRYPT, [
    "cost" => 10,
]);
echo PHP_EOL . PHP_EOL;
echo $pwhash2;

Expected result:
----------------
That it won't dump a NUL at the end.

Actual result:
--------------
it does throw a NUL byte at the end.

 [2017-09-18 09:56 UTC] phpdoc at mail dot my1 dot info
By the way, password_verify doesn't care whether the NUL exists.

the test script can be expanded by:

var_dump(password_verify("php",$pwhash));
var_dump(password_verify("php",trim($pwhash)));
 [2017-09-18 12:57 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2017-09-18 12:57 UTC] cmb@php.net
The problem appears to be that argon2_encodedlen() returns the
length of the resulting string including the trailing NUL byte
(i.e. strlen()+1). However, zend_string_alloc() wants the length
of the string without trailing NUL.

See <https://github.com/php/php-src/blob/php-7.2.0beta3/ext/standard/password.c#L518-L529>.
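The length mismatch described in the comment above, as an added C example that is not part of the report or of php-src. `lstr`, `lstr_alloc()` and `encoded_len_with_nul()` are hypothetical stand-ins for zend_string, zend_string_alloc() and argon2_encodedlen(), and the sample string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed string such as zend_string:
 * len counts payload bytes only; the allocator adds room for the NUL. */
typedef struct { size_t len; char val[]; } lstr;

static lstr *lstr_alloc(size_t len) {
    lstr *s = calloc(1, sizeof(lstr) + len + 1);
    if (s) s->len = len;
    return s;
}

/* Hypothetical stand-in for a length helper that, like argon2_encodedlen()
 * as described in the report, counts the trailing NUL (strlen() + 1). */
static size_t encoded_len_with_nul(const char *e) { return strlen(e) + 1; }

/* Constructed sample value, not a real hash. */
static const char SAMPLE[] = "$argon2i$v=19$m=16384,t=2,p=4$c2FsdA$aGFzaA";

/* Copies SAMPLE (with its terminator) into a string reporting length `len`. */
static lstr *make_hash(size_t len) {
    lstr *s = lstr_alloc(len);
    if (s) memcpy(s->val, SAMPLE, strlen(SAMPLE) + 1);
    return s;
}

/* Buggy pattern: the NUL-inclusive size is passed as the string length. */
static lstr *make_hash_buggy(void) { return make_hash(encoded_len_with_nul(SAMPLE)); }

/* One way to correct it (assumption, the commit is not shown here): len - 1. */
static lstr *make_hash_fixed(void) { return make_hash(encoded_len_with_nul(SAMPLE) - 1); }

/* Counts NUL bytes that fall inside the reported length. */
static size_t embedded_nuls(const lstr *s) {
    size_t count = 0;
    for (size_t i = 0; i < s->len; i++) count += (s->val[i] == '\0');
    return count;
}

int main(void) {
    lstr *bad = make_hash_buggy(), *good = make_hash_fixed();
    if (!bad || !good) return 1;
    printf("buggy: len=%zu embedded NULs=%zu\n", bad->len, embedded_nuls(bad));
    printf("fixed: len=%zu embedded NULs=%zu\n", good->len, embedded_nuls(good));
    free(bad); free(good);
    return 0;
}
```

The buggy variant reports a length one byte larger than the visible hash, with the NUL as its last payload byte; PHP's trim() strips "\0" by default, which is why the trimmed value in the reporter's follow-up test loses the extra byte.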
 [2017-10-12 10:57 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f8961dfac96a992df2516c0e383e6820eedd31b
Log: Fixed bug #75221 (Argon2i always throws NUL at the end)
 [2017-10-12 10:57 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2017-10-12 10:58 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2017-10-25 08:13 UTC] phpdoc at mail dot my1 dot info
I can confirm this fixed as of RC5
 
Last updated: Thu Nov 21 15:01:30 2024 UTC