Bug #75221 Argon2i always throws NUL at the end
Submitted: 2017-09-18 09:40 UTC Modified: 2017-10-12 10:58 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: phpdoc at mail dot my1 dot info
Assigned: cmb
Status: Closed
Package: *Encryption and hash functions
PHP Version: 7.2.0RC2
OS: Win8.1 x64
Private report: No
CVE-ID: None
 [2017-09-18 09:40 UTC] phpdoc at mail dot my1 dot info
Description:
------------
For some reason, when using argon2i as a hash algorithm, it always dumps out a NUL byte at the end, which doesn't happen with bcrypt.

I just use the PHP7.2-RC2 x64-nts from windows.php.net on a webserver using cgi.

Test script:
---------------
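<?php
header("Content-type: text/plain");

// Argon2i hash: on the affected build the output ends with a NUL byte
$pwhash = password_hash("php", PASSWORD_ARGON2I, [
    'memory_cost' => 16384, // in KiB, i.e. 16 MiB
    'time_cost'   => 2,
    'threads'     => 4,
]);
echo $pwhash;

// bcrypt hash for comparison: no trailing NUL
$pwhash2 = password_hash("php", PASSWORD_BCRYPT, [
    "cost" => 10,
]);
echo PHP_EOL . PHP_EOL;
echo $pwhash2;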

Expected result:
----------------
That it won't dump a NUL at the end.

Actual result:
--------------
It does throw a NUL byte at the end.

 [2017-09-18 09:56 UTC] phpdoc at mail dot my1 dot info
By the way, password_verify doesn't care whether the NUL exists.

The test script can be expanded by:

var_dump(password_verify("php",$pwhash));
var_dump(password_verify("php",trim($pwhash)));
 [2017-09-18 12:57 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2017-09-18 12:57 UTC] cmb@php.net
The problem appears to be that argon2_encodedlen() returns the
length of the resulting string including the trailing NUL byte
(i.e. strlen()+1). However, zend_string_alloc() wants the length
of the string without trailing NUL.

See <https://github.com/php/php-src/blob/php-7.2.0beta3/ext/standard/password.c#L518-L529>.
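The length mismatch described in the comment above, as an added example that is not code from php-src or libargon2: counted_str, counted_alloc() and encodedlen_with_nul() are hypothetical stand-ins for zend_string, zend_string_alloc() and argon2_encodedlen(), and the sample string is constructed. It shows why a buffer size passed on as a string length leaves one NUL inside the counted payload, and one way to correct it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for zend_string: len excludes the terminating NUL. */
typedef struct { size_t len; char val[]; } counted_str;

/* Stand-in for zend_string_alloc(): caller passes the length WITHOUT the NUL. */
static counted_str *counted_alloc(size_t len) {
    counted_str *s = calloc(1, sizeof *s + len + 1);
    if (s) s->len = len;
    return s;
}

/* Stand-in for argon2_encodedlen(): result includes the NUL (strlen() + 1). */
static size_t encodedlen_with_nul(const char *enc) { return strlen(enc) + 1; }
/* Constructed sample string, not a real hash. */
static const char SAMPLE[] = "$argon2i$v=19$m=16384,t=2,p=4$c2FsdA$aGFzaA";

/* Buggy pattern: the buffer size is passed on as the string length. */
static counted_str *encode_buggy(const char *enc) {
    size_t n = encodedlen_with_nul(enc);
    counted_str *s = counted_alloc(n);
    if (s) memcpy(s->val, enc, n);      /* the copied NUL is now counted in len */
    return s;
}

/* Corrected pattern: drop the terminator from the length before allocating. */
static counted_str *encode_fixed(const char *enc) {
    size_t n = encodedlen_with_nul(enc);
    counted_str *s = counted_alloc(n - 1);
    if (s) memcpy(s->val, enc, n);      /* n bytes fit: len + 1 were allocated */
    return s;
}

/* Count the NUL bytes a length-aware consumer (such as echo) would output. */
static size_t trailing_nuls(const counted_str *s) {
    size_t k = 0;
    while (k < s->len && s->val[s->len - 1 - k] == '\0') k++;
    return k;
}

int main(void) {
    counted_str *b = encode_buggy(SAMPLE), *f = encode_fixed(SAMPLE);
    if (!b || !f) return 1;
    printf("buggy: len=%zu trailing_nuls=%zu\n", b->len, trailing_nuls(b));
    printf("fixed: len=%zu trailing_nuls=%zu\n", f->len, trailing_nuls(f));
    free(b); free(f);
    return 0;
}
```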
 [2017-10-12 10:57 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f8961dfac96a992df2516c0e383e6820eedd31b
Log: Fixed bug #75221 (Argon2i always throws NUL at the end)
 [2017-10-12 10:57 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2017-10-12 10:58 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2017-10-25 08:13 UTC] phpdoc at mail dot my1 dot info
I can confirm this is fixed as of RC5.
 
Last updated: Sun Nov 19 01:31:42 2017 UTC