hash_hmac implementation does not match PHP hash_hmac
|Reported by:||jrush_aplus||Owned by:||mdawaffe|
|Severity:||normal||Keywords:||has-patch tested commit|
The hash_hmac implementation output does not match the native PHP hash_hmac output when using a key longer than 64 characters.
If the key is longer than 64 characters, it is packed. The output of pack may be less than 64 characters, so the key needs to be padded. The current implementation does not pad the key because the key was packed.
The attached patch removes the else that keeps a packed key from being padded. By removing the else, the length of the key is recalculated and will be padded if it is less than 64 characters.
If the key is padded after being packed, the output matches the output of the native PHP hash_hmac function.
Change History (14)
comment:1 peaceablewhale — 4 years ago
- Keywords has-patch tested added
- Milestone changed from Unassigned to 2.8.1
- Version set to 2.8