- Here are my test results:
- (Strings are displayed base64-encoded)
- known string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
- rounds: 5,000,000
- test case 1:
- 70,204 ms
- result: false
- user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNOyw==
- test case 2:
- 70,592 ms
- result: false
- user string: tKTxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
- test case 3:
- 70,952 ms
- result: false
- user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/Zg=
- test case 4:
- 71,310 ms
- result: false
- user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONEuk8bXLZjrky6NaST5MIjRJ5s1me/OApG5AnwzFrv2YKDesuAwhpfEWHran1jH1FV/djjKnMCl0UFvAj41TTjQ=
- test case 5:
- 70,842 ms
- result: true
- user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
- test case 6:
- 74,676 ms
- result: false
- user string: (boolean false)
- And the code to reproduce the results:
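<?php
// Micro-benchmark: does hash_equals() take the same wall-clock time no matter
// where (or whether) the user-supplied string differs from the known string?
//
// strict_types is deliberately not declared: test case 6 passes a boolean as
// the user string, and the purpose of that case is to observe the coercive-mode
// outcome (a false result) rather than a TypeError.

set_time_limit(0);

/**
 * Times $rounds calls of hash_equals($known, $user) and reports the result.
 *
 * The known string is always passed as the first argument and the candidate
 * as the second, which is the argument order the PHP manual prescribes for
 * hash_equals(). Per the manual, a length mismatch returns false without a
 * byte comparison, so cases 3 and 4 exercise that early-exit path.
 *
 * @param string $known  the secret-side string (first argument)
 * @param mixed  $user   the candidate (second argument); left untyped on purpose
 *                       so that test case 6 can pass a non-string
 * @param int    $rounds number of timed calls
 * @return array{ms: float, result: bool} elapsed milliseconds for the whole loop
 *                                        and the comparison result
 */
function benchmarkHashEquals(string $known, $user, int $rounds): array
{
    // One untimed call first: hash_equals() has no state, so the result is the
    // same as inside the loop, and it keeps any first-call cost out of the timing.
    $result = hash_equals($known, $user);

    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        hash_equals($known, $user);
    }
    $end = microtime(true);

    return [
        'ms' => ($end - $start) * 1000,
        'result' => $result,
    ];
}

/**
 * Prints one test-case block in the HTML layout used by the results table.
 *
 * @param int    $caseNumber  1-based test case number
 * @param array{ms: float, result: bool} $measurement as returned by benchmarkHashEquals()
 * @param string $userLabel   how the user string is shown (base64, or a note
 *                            for a non-string value)
 */
function printCase(int $caseNumber, array $measurement, string $userLabel)
{
    echo 'test case ' . $caseNumber . ':<br>' . number_format($measurement['ms']) . ' ms<br>'
        . 'result: ' . var_export($measurement['result'], true) . '<br>'
        . 'user string: ' . $userLabel . '<br><br>';
}

$rounds = 5000000;
$length = 64;
// random_bytes() replaces mcrypt_create_iv(): the mcrypt extension was
// deprecated in PHP 7.1 and removed from core in 7.2, so the original call
// fails on any current PHP. Both produce CSPRNG output of the requested length.
$known = random_bytes($length);

echo 'known string: ' . base64_encode($known) . '<br>';
echo 'rounds: ' . number_format($rounds) . '<br><br>';

$lastIndex = $length - 1;

// Cases 1-5: the user string is a real string that differs from $known in a
// different way each time, so the timings can be compared row by row.
$stringCases = [
    // 1: same length, last byte inverted
    substr($known, 0, $lastIndex) . (substr($known, $lastIndex, 1) ^ chr(255)),
    // 2: same length, first byte inverted
    (substr($known, 0, 1) ^ chr(255)) . substr($known, 1),
    // 3: user string is shorter (half the length)
    substr($known, 0, $length >> 1),
    // 4: user string is longer (the known string twice)
    $known . $known,
    // 5: user string equals the known string
    $known,
];

foreach ($stringCases as $index => $user) {
    printCase($index + 1, benchmarkHashEquals($known, $user, $rounds), base64_encode($user));
}

// Case 6: the user string is not a string at all. Older PHP versions emit a
// warning for every such call, which would be repeated millions of times here,
// so error reporting and display are switched off for this case only.
error_reporting(0);
ini_set('display_startup_errors', '0');
ini_set('display_errors', '0');
ini_set('log_errors', '0');
ini_set('report_memleaks', '0');
ini_set('track_errors', '0');

$user = false;
printCase(6, benchmarkHashEquals($known, $user, $rounds), '(boolean false)');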