php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73127 gost-crypto hash incorrect if input data contains long 0xFF sequence
Submitted: 2016-09-20 12:11 UTC Modified: -
Votes:6
Avg. Score:4.2 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:6 (100.0%)
From: grundik at ololo dot cc Assigned:
Status: Closed Package: hash related
PHP Version: 7.0.11 OS: Linux
Private report: No CVE-ID:
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: grundik at ololo dot cc
New email:
PHP Version: OS:

 

 [2016-09-20 12:11 UTC] grundik at ololo dot cc
Description:
------------
If input data contains long sequence of 0xFF bytes (40+ bytes), then calculated hash using gost-crypto algorithm becomes incorrect. That affects at least these functions:
* hash;
* hash_file;
* hash_stream.

Test script:
---------------
$test = str_repeat("\xFF", 40);
echo hash('gost-crypto', $test);


Expected result:
----------------
231d8bb980d3faa30fee6ec475df5669cf6c24bbce22f46d6737470043a99f8e

Actual result:
--------------
8e0be2995864c40f8111feaa9df6fc4830632fdf61e365d9feca87f1e485d1f7

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-31 15:17 UTC] iofeed at yandex dot ru
This problem is easily reproduced when you try to create hash for an XLS file.
 [2017-02-03 09:13 UTC] grundik at ololo dot cc
Same issue in gost hash:

Test script:
---------------
$test = str_repeat("\xFF", 40);
echo hash('gost', $test);


Expected result:
----------------
9eaf96ba62f90fae6707f1d4274d1a9d6680f5a121d4387815aa3a6ec42439c5

Actual result:
--------------
140da043c3c8c9355b73de375ba23ce82cd0aa7c2ba334a25b7058fbe3efaba2
 [2017-02-03 12:54 UTC] grundik at ololo dot cc
Examples of tools, which gives correct output for gost-crypto algorithm:
* openssl with GOST engine: "openssl dgst -engine gost -md_gost94 -hex <file>";
* rhash: "rhash --gost-cryptopro <file>" (or "rhash --gost <file>" for "gost" S-blocks);
* CryptoPro CSP: "cryptcp -hash <file>".
 [2017-02-24 22:23 UTC] nikic@php.net
Automatic comment on behalf of grundik@ololo.cc
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eac8166bd468a3c7c00b5163f6f86804911b660d
Log: Fix bug #73127
 [2017-02-24 22:23 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC