
hash_equals test results

a guest
Sep 4th, 2014
  1. Here are my test results:
  2.  
  3. (Strings are displayed base64 encoded)
  4.  
  5. known string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  6. rounds: 5,000,000
  7.  
  8. test case 1:
  9. 70,204 ms
  10. result: false
  11. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNOyw==
  12.  
  13. test case 2:
  14. 70,592 ms
  15. result: false
  16. user string: tKTxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  17.  
  18. test case 3:
  19. 70,952 ms
  20. result: false
  21. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/Zg=
  22.  
  23. test case 4:
  24. 71,310 ms
  25. result: false
  26. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONEuk8bXLZjrky6NaST5MIjRJ5s1me/OApG5AnwzFrv2YKDesuAwhpfEWHran1jH1FV/djjKnMCl0UFvAj41TTjQ=
  27.  
  28. test case 5:
  29. 70,842 ms
  30. result: true
  31. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  32.  
  33. test case 6:
  34. 74,676 ms
  35. result: false
  36. user string: (boolean false)
  37.  
  38. And the code to reproduce the results:
  39.  
  40. <?php
  41.  
  42. set_time_limit(0);
  43.  
  44. $rounds = 5000000;
  45. $known = mcrypt_create_iv(64);
  46.  
  47. /**
  48.  * test case 1:
  49.  * same length, last byte inverted
  50.  */
  51. $user = substr($known, 0, 63) . (substr($known, 63, 1) ^ chr(255));
  52.  
  53. $microtime_start = microtime(true);
  54. hash_equals($known, $user);
  55. $microtime_end = microtime(true);
  56. echo 'known string: ' . base64_encode($known) . '<br>';
  57. echo 'rounds: ' . number_format($rounds) . '<br><br>';
  58.  
  59. $microtime_start = microtime(true);
  60. for ($i = 0; $i < $rounds; $i++) {
  61.     hash_equals($known, $user);
  62. }
  63. $microtime_end = microtime(true);
  64. $result = hash_equals($known, $user);
  65. echo 'test case 1:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  66.  . 'result: ' . var_export($result, true) . '<br>'
  67.  . 'user string: ' . base64_encode($user) . '<br><br>';
  68.  
  69. /**
  70.  * test case 2:
  71.  * same length, first byte inverted
  72.  */
  73. $user = (substr($known, 0, 1) ^ chr(255)) . substr($known, 1, 63);
  74. $microtime_start = microtime(true);
  75. for ($i = 0; $i < $rounds; $i++) {
  76.     hash_equals($known, $user);
  77. }
  78. $microtime_end = microtime(true);
  79. $result = hash_equals($known, $user);
  80. echo 'test case 2:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  81.  . 'result: ' . var_export($result, true) . '<br>'
  82.  . 'user string: ' . base64_encode($user) . '<br><br>';
  83.  
  84. /**
  85.  * test case 3:
  86.  * user string is shorter
  87.  */
  88. $user = substr($known, 0, 32);
  89. $microtime_start = microtime(true);
  90. for ($i = 0; $i < $rounds; $i++) {
  91.     hash_equals($known, $user);
  92. }
  93. $microtime_end = microtime(true);
  94. $result = hash_equals($known, $user);
  95. echo 'test case 3:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  96.  . 'result: ' . var_export($result, true) . '<br>'
  97.  . 'user string: ' . base64_encode($user) . '<br><br>';
  98.  
  99. /**
  100.  * test case 4:
  101.  * user string is longer
  102.  */
  103. $user = $known . $known;
  104.  
  105. $microtime_start = microtime(true);
  106. for ($i = 0; $i < $rounds; $i++) {
  107.     hash_equals($known, $user);
  108. }
  109. $microtime_end = microtime(true);
  110. $result = hash_equals($known, $user);
  111. echo 'test case 4:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  112.  . 'result: ' . var_export($result, true) . '<br>'
  113.  . 'user string: ' . base64_encode($user) . '<br><br>';
  114.  
  115. /**
  116.  * test case 5:
  117.  * user string equals the known string
  118.  */
  119. $user = $known;
  120.  
  121. $microtime_start = microtime(true);
  122. for ($i = 0; $i < $rounds; $i++) {
  123.     hash_equals($known, $user);
  124. }
  125. $microtime_end = microtime(true);
  126. $result = hash_equals($known, $user);
  127. echo 'test case 5:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  128.  . 'result: ' . var_export($result, true) . '<br>'
  129.  . 'user string: ' . base64_encode($user) . '<br><br>';
  130.  
  131. /**
  132.  * test case 6:
  133.  * user string is not a string
  134.  */
  135. error_reporting(0);
  136. ini_set('display_startup_errors', 0);
  137. ini_set('display_errors', 0);
  138. ini_set('log_errors', 0);
  139. ini_set('report_memleaks', 0);
  140. ini_set('track_errors', 0);
  141. $user = false;
  142. $microtime_start = microtime(true);
  143. for ($i = 0; $i < $rounds; $i++) {
  144.     hash_equals($known, $user);
  145. }
  146. $microtime_end = microtime(true);
  147. $result = hash_equals($known, $user);
  148. echo 'test case 6:<br>' . number_format(($microtime_end - $microtime_start) * 1000) . ' ms<br>'
  149.  . 'result: ' . var_export($result, true) . '<br>'
  150.  . 'user string: (boolean false)<br><br>';
  151.  
  152. ?>