php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #25177 Sha1 doesnt work correct with data greater then 2kB
Submitted: 2003-08-20 08:22 UTC Modified: 2003-08-26 01:56 UTC
From: a dot lunkeit at signcubes dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 4.3.2 OS: Linux
Private report: No CVE-ID: None
 [2003-08-20 08:22 UTC] a dot lunkeit at signcubes dot com
Description:
------------
I noticed, that the sha1 function computes wrong hash values for data with a volume greater than 2kB.

My reference values are various free implementations in C++, which come to the same hash value, but the PHP implementation differs.

With data smaller than 2kB the problem does not exist.



Reproduce code:
---------------
This can be any code using the sha1 function. My code example doesn't really matter.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-08-20 08:29 UTC] derick@php.net
Can you point me to some of the reference test vectors?
 [2003-08-20 09:34 UTC] a dot lunkeit at signcubes dot com
Now i found out, that the data can be smaller. I took some data greater than 512 Bytes and the bug also appears. With data smaller than 512 Bytes it will not appear. 
I will generate some vectors for you within next half hour.
 [2003-08-20 10:15 UTC] a dot lunkeit at signcubes dot com
Here is the Testcontainer

VERSION:VERSION 1.0
TYPE:OL_PAYMENT
CERTIFICATE:MV8wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAeBgkqhkiG9w0BCQUxERgPMjAwMzA4MjAxNTA3MDZaMCMGCSqGSIb3DQEJBDEWBBThpbsOy9VEAPvp64X3gyREhZBK7w==
PKCS7:MIIH6QYJKoZIhvcNAQcCoIIH2jCCB9YCAQExCzAJBgUrDgMCGgUAMIICSgYJKoZIhvcNAQcBoIICOwSCAjdTaG9wLUlkOjEyMzQ1Njc4DQpUcmFuc2FrdGlvbnMtSWQ6MTA2MTM5OTA0Nw0KVHJhbnNha3Rpb25zLVR5cDoxMCAoUmVzZXJ2YXRpb24pDQpCZXRyYWc6Mi41MA0KV RocnVuZzpFVVINCldhcmVua29yYjoNCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCklocmUgQXJ0aWtlbDogDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQoxIFRhc3NlbiBkZXIgU29ydGUgMQ0KDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpHZXNhbXRiZXRyYWc6IDIuNTAgRXVybw0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQpLYXJ0ZW5pbmhhYmVyOiBNaWNoYWVsIEdlaHJrZQ0KS3VuZGVudW1tZXI6IDg5NDkwMTcyMzAwMDAxNDM0OTkNCktyZWRpdGthcnRlbi1OdW1tZXI6IDAxMjM0NTY3ODkNCkFibGF1ZmphaHIgZGVyIEtyZWRpdGthcnRlOiAyMDA2DQpBYmxhdWZtb25hdCBkZXIgS3JlZGl0a2FydGU6IDEyDQqgggP6MIID9jCCA1 gAwIBAgIEL64 GzANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEQMA4GA1UECxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNjpQTjAeFw0wMzA3MTcwODQ5MjRaFw0wNjA3MTcwODQ5MjRaMEwxCzAJBgNVBAYTAkRFMRcwFQYDVQQKDA5TaWduQ3ViZXMgR21iSDEYMBYGA1UEAwwPR2VocmtlLCBNaWNoYWVsMQowCAYDVQQFEwExMIGhMA0GCSqGSIb3DQEBAQUAA4GPADCBiwKBgQCNxj6tNW3VzYCXOkgTQCuRoqPUbokOnWUCozNoFMT26lwaSbApKWL4FS4M urXRJS/woltuCXZp3lxnQVA1eR/oMglYIURoKM7Xx1YP7mRKPUvecLLWjaWNPg9rzvg9kqcwjwlKxlMx6H1regWhsooBjucqg6G6NeDi2TJfxuhRQIFAMAAAAGjggHGMIIBwjAfBgNVHSMEGDAWgBTBgtADwJaxh 3T5AeVkxyIXmcqQDCB6AYDVR0fBIHgMIHdMIHaoGqgaIY1bGRhcDovL3Brc2xkYXAudHR0Yy5kZTozODkvbz1EZXV0c2NoZSBUZWxla29tIEFHLGM9ZGWGL2h0dHA6Ly93d3cudHR0Yy5kZS90ZWxlc2VjL3NlcnZsZXQvZG93bmxvYWRfY3JsomykajBoMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzE7MAwGBwKCBgEKBxQTATEwKwYDVQQDFCRUZWxlU2VjIERpcmVjdG9yeSBTZXJ2aWNlIFNpZ0cgMTA6UE4wGAYIKwYBBQUHAQMEDDAKMAgGBgQAjkYBATAdBgNVHQ4EFgQUjk1Pj5ro/5o8aepB877Z9eEBUtowDgYDVR0PAQH/BAQDAgZAMBIGA1UdIAQLMAkwBwYFKyQIAQEwIQYDVR0RBBowGIEWbS5nZWhya2VAc2lnbmN1YmVzLmNvbTA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly93d3cudHR0Yy5kZS9vY3NwcjANBgkqhkiG9w0BAQUFAAOBgQA6M2/12adZO8U7V3KRcpKKgnIUubGt8kjbxYwLZ765LFXiazqM77ITXuwCvZNRpuAN4PiG9evIbbJ0At9yslXDFJmmcESkxblj5Ln8m4fx8EG0MC80lSITJMI8JWnC25P2lPqV2SxXZuzv43xWRyqImtGMm5V/RazuUO G2oBDATGCAXYwggFyAgEBMG8wZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6UE4CBC uPhswCQYFKw4DAhoFAKBfMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHgYJKoZIhvcNAQkFMREYDzIwMDMwODIwMTUwNzA2WjAjBgkqhkiG9w0BCQQxFgQU4aW7DsvVRAD76euF94MkRIWQSu8wDQYJKoZIhvcNAQEFBQAEgYB5sVMxPutMCBCx4JHcrTwrUUlSrQ3rF5kTP8m889llRgHs45jviZ/H5YE0vUIWK 3YiaRn7Bwz0VhHXV4OmpjHvZQtZYBj t GhF8kS0SDRYH50PEOyLwoWNTJWgyKa4D2sJLrdEWlB/guSYjboG9zvzReyqNgIWa4P3EM3U2uOA==
CUSTNUM:8949017230000143499
SHOP_ID:12345678
TRANS_ID:1061399047
TRANS_ART:10
AMMOUNT:2.50
CURRENCY:EUR
CREDITCARD:0123456789
EXP_MONTH:12
EXP_YEAR:2006
HASH:973a24bd0bb33edd7d4bc59a735264b0e7db1f8f

The data is taken until the Hash Field starts. The appended
to this block contains the original hash computed in C++. Please note, that the lines are separated by CRLF (0x0d, 0x0a).
 [2003-08-25 12:38 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

I think you may be doing something wrong and hence getting the wrong hashes. I've compared the hashes generated by sha1($data) and mhash(MHASH_SHA1, $data), with $data being a string from 20k - 1meg and got identical results. Here is a sample script you can try:
<?php
$data = "your data";
$sha = pack("H*", sha1($data));
$mhash = mhash(MHASH_SHA1, $data);

var_dump($sha, $mhash, ($sha === $mhash));
?>
 [2003-08-26 01:56 UTC] a dot lunkeit at signcubes dot com
I have to sorry for that problem i reported. In fact, not the sha1 function was the problem but the charset transformation during the transmission. It took a little bit to notice that problem, because the transmitted data was thought to be base 64 encoded and actuallay it wasnt in a correct way.
I dont use that function any longer and wrote one on my own which seem s to work correct. Thanks for your invested time 
in that problem.

Best regards
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Jun 22 17:01:44 2018 UTC