API tools faq
paste
Advertisement
Guest User

hash_equals test results

a guest
Sep 4th, 2014
2,310
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 4.38 KB | None | 0 0
raw download clone embed print report
  1. Here are my test results:
  2.  
  3. (Strings are displayed base64 encoded)
  4.  
  5. known string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  6. rounds: 5,000,000
  7.  
  8. test case 1:
  9. 70,204 ms
  10. result: false
  11. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNOyw==
  12.  
  13. test case 2:
  14. 70,592 ms
  15. result: false
  16. user string: tKTxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  17.  
  18. test case 3:
  19. 70,952 ms
  20. result: false
  21. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/Zg=
  22.  
  23. test case 4:
  24. 71,310 ms
  25. result: false
  26. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONEuk8bXLZjrky6NaST5MIjRJ5s1me/OApG5AnwzFrv2YKDesuAwhpfEWHran1jH1FV/djjKnMCl0UFvAj41TTjQ=
  27.  
  28. test case 5:
  29. 70,842 ms
  30. result: true
  31. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  32.  
  33. test case 6:
  34. 74,676 ms
  35. result: false
  36. user string: (boolean false)
  37.  
  38. And the code to reproduce the results:
  39.  
  40. <?php
  41.  
  42. set_time_limit(0);
  43.  
  44. $rounds = 5000000;
  45. $known = mcrypt_create_iv(64);
  46.  
  47. /**
  48.  * test case 1:
  49.  * same length, last byte inverted
  50.  */
  51. $user = substr($known, 0, 63) . (substr($known, 63, 1) ^ chr(255));
  52.  
  53. $microtime_start = microtime(true);
  54. hash_equals($known, $user);
  55. $microtime_end = microtime(true);
  56. echo 'known string: ' . base64_encode($known) . '<br>';
  57. echo 'rounds: ' . number_format($rounds) . '<br><br>';
  58.  
  59. $microtime_start = microtime(true);
  60. for ($i = 0; $i < $rounds; $i++) {
  61.     hash_equals($known, $user);
  62. }
  63. $microtime_end = microtime(true);
  64. $result = hash_equals($known, $user);
  65. echo 'test case 1:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  66.  . 'result: ' . var_export($result, true) . '<br>'
  67.  . 'user string: ' . base64_encode($user) . '<br><br>';
  68.  
  69. /**
  70.  * test case 2:
  71.  * same length, first byte inverted
  72.  */
  73. $user = (substr($known, 0, 1) ^ chr(255)) . substr($known, 1, 63);
  74. $microtime_start = microtime(true);
  75. for ($i = 0; $i < $rounds; $i++) {
  76.     hash_equals($known, $user);
  77. }
  78. $microtime_end = microtime(true);
  79. $result = hash_equals($known, $user);
  80. echo 'test case 2:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  81.  . 'result: ' . var_export($result, true) . '<br>'
  82.  . 'user string: ' . base64_encode($user) . '<br><br>';
  83.  
  84. /**
  85.  * test case 3:
  86.  * user string is shorter
  87.  */
  88. $user = substr($known, 0, 32);
  89. $microtime_start = microtime(true);
  90. for ($i = 0; $i < $rounds; $i++) {
  91.     hash_equals($known, $user);
  92. }
  93. $microtime_end = microtime(true);
  94. $result = hash_equals($known, $user);
  95. echo 'test case 3:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  96.  . 'result: ' . var_export($result, true) . '<br>'
  97.  . 'user string: ' . base64_encode($user) . '<br><br>';
  98.  
  99. /**
  100.  * test case 4:
  101.  * user string is longer
  102.  */
  103. $user = $known . $known;
  104.  
  105. $microtime_start = microtime(true);
  106. for ($i = 0; $i < $rounds; $i++) {
  107.     hash_equals($known, $user);
  108. }
  109. $microtime_end = microtime(true);
  110. $result = hash_equals($known, $user);
  111. echo 'test case 4:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  112.  . 'result: ' . var_export($result, true) . '<br>'
  113.  . 'user string: ' . base64_encode($user) . '<br><br>';
  114.  
  115. /**
  116.  * test case 5:
  117.  * user string equals the known string
  118.  */
  119. $user = $known;
  120.  
  121. $microtime_start = microtime(true);
  122. for ($i = 0; $i < $rounds; $i++) {
  123.     hash_equals($known, $user);
  124. }
  125. $microtime_end = microtime(true);
  126. $result = hash_equals($known, $user);
  127. echo 'test case 5:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  128.  . 'result: ' . var_export($result, true) . '<br>'
  129.  . 'user string: ' . base64_encode($user) . '<br><br>';
  130.  
  131. /**
  132.  * test case 6:
  133.  * user string is not a string
  134.  */
  135. error_reporting(0);
  136. ini_set('display_startup_errors', 0);
  137. ini_set('display_errors', 0);
  138. ini_set('log_errors', 0);
  139. ini_set('report_memleaks', 0);
  140. ini_set('track_errors', 0);
  141. $user = false;
  142. $microtime_start = microtime(true);
  143. for ($i = 0; $i < $rounds; $i++) {
  144.     hash_equals($known, $user);
  145. }
  146. $microtime_end = microtime(true);
  147. $result = hash_equals($known, $user);
  148. echo 'test case 6:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  149.  . 'result: ' . var_export($result, true) . '<br>'
  150.  . 'user string: (boolean false)<br><br>';
  151.  
  152. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!