The test-data-provider provideTestDetect() does not provide a
hash that contains characters in the salt outside the base64
range.
Previously only data with salts in the base64 range was provided.
This had left non-base64 ranged salts untested.
Steps done:
- A valid SHA256 hash containing characters in the salt outside the
base64 range has been added.
For reference, the following script shows the hash, what its
plain is and that it verifies:
<?php
$plain = 'hello';
$hash = '$5$' . "\xE4\"|\xF5|\x08\xC8'\xF054:>\x13\xCB\xED"
. "\$6I5JMX./GN9KGHTtvHwvp3mxkNv/Ni7/jomOEBgsiM.";
$verify = $hash === crypt($plain, $hash);
if (!$verify) {
    throw new RuntimeException('PHP crypt() failure.');
}
echo "OK";
https://eval.in/38389
The test-data-provider provideTestDetect() does not provide a
hash that contains characters in the salt outside the base64
range.
Previously only data with salts in the base64 range was provided.
This had left non-base64 ranged salts untested.
Steps done:
- A valid SHA512 hash containing characters in the salt outside the
base64 range has been added.
For reference, the following script shows the hash, what its
plain is and that it verifies:
<?php
$plain = 'hello';
$hash = '$6$' . "\xC2?<j\x9A\xE0\xC4\xFCK\x8F\xFD\x87csaO" .
"\$Oca/TbK.iCdURjqXCnoIyDNggbVF1FWwjxxUYRuYm6HAPP" .
"mQSDxWa3fSgzcPsTyVdjBv4JLBlj4c13YLOpP5f/";
$verify = $hash === crypt($plain, $hash);
if (!$verify) {
    throw new RuntimeException('PHP crypt() failure.');
}
echo "OK";
https://eval.in/38390
The test-data used in the implementations:
- Unit_Password_Implementation_SHA256Test
- Unit_Password_Implementation_SHA512Test
only contained salts inside the base64 range. That left non-base64 data for salts untested. This patch adds hash strings that use a salt of 16 times chr(1) instead of chr(0), both in the mock of the random generator and in the test-data.
Author
Build fails as expected: https://travis-ci.org/ircmaxell/PHP-PasswordLib/builds/9407235
Owner
Can we fix those failing tests?
Unix crypt SHA256/SHA512 are using the wrong alphabet for salts.
First some changes to the tests to show that the current implementation is broken.
Then the fixes.
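
The salt-alphabet problem described in this pull request, as an added example that is not part of the pull request or of PasswordLib's code: a format detector that limits the salt to the base64 range rejects the two hashes from the commit messages, while one that accepts any byte except the `$` separator recognises them. The function `detectShaCrypt()`, both salt classes and the `abcdefghijklmnop` salt are hypothetical names and values constructed for the illustration.

```php
<?php
// Added example. detectShaCrypt() and both salt classes are hypothetical,
// not PasswordLib code.
const DIGEST_ALPHABET  = './0-9A-Za-z';               // alphabet of the digest part
const SALT_BASE64_ONLY = '[' . DIGEST_ALPHABET . ']'; // too narrow for salts
const SALT_ANY_BYTE    = '[^$]';                      // any byte except the '$' separator

/** Returns 'sha256', 'sha512' or null for a crypt(3) "$5$"/"$6$" string. */
function detectShaCrypt(string $hash, string $saltClass): ?string
{
    // No /u modifier: the subject is matched byte by byte, so 0x80-0xFF are fine.
    $re = '~^\$([56])\$(?:rounds=\d+\$)?' . $saltClass . '{0,16}\$(['
        . DIGEST_ALPHABET . ']+)$~D';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    $digestLength = ['5' => 43, '6' => 86];           // encoded SHA-256 / SHA-512 digest
    if (strlen($m[2]) !== $digestLength[$m[1]]) {
        return null;
    }
    return $m[1] === '5' ? 'sha256' : 'sha512';
}

$samples = [
    // Constructed here: salt inside the base64 range.
    'base64 salt, $5$' => crypt('hello', '$5$abcdefghijklmnop$'),
    // The two hashes from the commit messages above (plain 'hello').
    'binary salt, $5$' => '$5$' . "\xE4\"|\xF5|\x08\xC8'\xF054:>\x13\xCB\xED"
        . "\$6I5JMX./GN9KGHTtvHwvp3mxkNv/Ni7/jomOEBgsiM.",
    'binary salt, $6$' => '$6$' . "\xC2?<j\x9A\xE0\xC4\xFCK\x8F\xFD\x87csaO"
        . "\$Oca/TbK.iCdURjqXCnoIyDNggbVF1FWwjxxUYRuYm6HAPP"
        . "mQSDxWa3fSgzcPsTyVdjBv4JLBlj4c13YLOpP5f/",
];

foreach ($samples as $label => $hash) {
    printf(
        "%-17s base64-only: %-7s any-byte: %-7s crypt() verifies: %s\n",
        $label,
        detectShaCrypt($hash, SALT_BASE64_ONLY) ?? 'null',
        detectShaCrypt($hash, SALT_ANY_BYTE) ?? 'null',
        hash_equals($hash, crypt('hello', $hash)) ? 'yes' : 'no'
    );
}
```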