
hash_equals test results

a guest Sep 4th, 2014 1,782 Never
  1. Here are my test results:
  2.  
  3. (Strings are displayed base64 encoded)
  4.  
  5. known string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  6. rounds: 5,000,000
  7.  
  8. test case 1:
  9. 70,204 ms
  10. result: false
  11. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNOyw==
  12.  
  13. test case 2:
  14. 70,592 ms
  15. result: false
  16. user string: tKTxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  17.  
  18. test case 3:
  19. 70,952 ms
  20. result: false
  21. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/Zg=
  22.  
  23. test case 4:
  24. 71,310 ms
  25. result: false
  26. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONEuk8bXLZjrky6NaST5MIjRJ5s1me/OApG5AnwzFrv2YKDesuAwhpfEWHran1jH1FV/djjKnMCl0UFvAj41TTjQ=
  27.  
  28. test case 5:
  29. 70,842 ms
  30. result: true
  31. user string: S6TxtctmOuTLo1pJPkwiNEnmzWZ784CkbkCfDMWu/ZgoN6y4DCGl8RYetqfWMfUVX92OMqcwKXRQW8CPjVNONA==
  32.  
  33. test case 6:
  34. 74,676 ms
  35. result: false
  36. user string: (boolean false)
  37.  
  38. And the code to reproduce the results:
  39.  
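  <?php

  /**
   * Wall-clock benchmark of hash_equals() against six kinds of user input.
   *
   * What the numbers can and cannot show:
   *  - Each case is a single run of $rounds calls timed with microtime(), so
   *    the figure includes loop overhead and whatever else the host was doing.
   *    A spread of about a percent between cases is not evidence for or
   *    against constant-time behaviour; repeat the runs and vary their order
   *    before drawing a conclusion.
   *  - hash_equals() takes the secret first and the user-supplied value
   *    second, which is the order used throughout this script.
   *  - Per the PHP manual, arguments of different length return false
   *    immediately, which may reveal the length of the known string. Cases 3
   *    and 4 take that path. Comparing fixed-length values (a MAC or a hash)
   *    keeps the length from carrying information.
   */

  set_time_limit(0);

  /**
   * Calls hash_equals($known, $user) $rounds times and measures the loop.
   *
   * @param string $known  the secret value
   * @param mixed  $user   the value under test (case 6 passes a non-string)
   * @param int    $rounds number of timed calls
   * @return array [elapsed milliseconds, result of one further untimed call]
   */
  function time_hash_equals($known, $user, $rounds)
  {
      $result = false;
      $start = microtime(true);
      try {
          for ($i = 0; $i < $rounds; $i++) {
              hash_equals($known, $user);
          }
          $end = microtime(true);
          $result = hash_equals($known, $user);
      } catch (TypeError $e) {
          // PHP 8 rejects a non-string argument with TypeError on the first
          // call; report it as "not equal" instead of aborting the script.
          $end = microtime(true);
      }

      return array(($end - $start) * 1000, $result);
  }

  /**
   * Prints one result block in the same format for every case.
   *
   * @param int    $number     test case number
   * @param float  $elapsed_ms elapsed time in milliseconds
   * @param bool   $result     what hash_equals() returned
   * @param string $user_label printable form of the user value
   */
  function report_case($number, $elapsed_ms, $result, $user_label)
  {
      echo 'test case ' . $number . ':<br>' . number_format($elapsed_ms) . ' ms<br>'
          . 'result: ' . var_export($result, true) . '<br>'
          . 'user string: ' . $user_label . '<br><br>';
  }

  $rounds = 5000000;

  // 64 random bytes stand in for the secret. mcrypt_create_iv() was removed
  // with ext/mcrypt in PHP 7.2, so prefer random_bytes() where it exists and
  // keep the original call as the fallback for PHP 5.6.
  $known = function_exists('random_bytes') ? random_bytes(64) : mcrypt_create_iv(64);

  /**
   * test case 1:
   * same length, last byte inverted
   */
  $user = substr($known, 0, 63) . (substr($known, 63, 1) ^ chr(255));

  // One untimed call before the measurements start. The original timed this
  // call as well but overwrote both timestamps without using them.
  hash_equals($known, $user);

  echo 'known string: ' . base64_encode($known) . '<br>';
  echo 'rounds: ' . number_format($rounds) . '<br><br>';

  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(1, $elapsed_ms, $result, base64_encode($user));

  /**
   * test case 2:
   * same length, first byte inverted
   *
   * Cases 1 and 2 are the pair that matters for an early-exit comparison: a
   * byte-by-byte compare that stops at the first mismatch would finish case 2
   * sooner than case 1.
   */
  $user = (substr($known, 0, 1) ^ chr(255)) . substr($known, 1, 63);
  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(2, $elapsed_ms, $result, base64_encode($user));

  /**
   * test case 3:
   * user string is shorter
   */
  $user = substr($known, 0, 32);
  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(3, $elapsed_ms, $result, base64_encode($user));

  /**
   * test case 4:
   * user string is longer
   */
  $user = $known . $known;
  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(4, $elapsed_ms, $result, base64_encode($user));

  /**
   * test case 5:
   * user string equals the known string
   */
  $user = $known;
  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(5, $elapsed_ms, $result, base64_encode($user));

  /**
   * test case 6:
   * user string is not a string
   *
   * This measures the argument-rejection path, not a comparison. Before
   * PHP 8 hash_equals() raises a warning and returns false on every call,
   * which is why error output is switched off first; on PHP 8 it throws
   * TypeError and the timed loop ends on its first iteration. Either way the
   * figure is not comparable with cases 1 to 5.
   */
  error_reporting(0);
  ini_set('display_startup_errors', 0);
  ini_set('display_errors', 0);
  ini_set('log_errors', 0);
  ini_set('report_memleaks', 0);
  ini_set('track_errors', 0);
  $user = false;
  list($elapsed_ms, $result) = time_hash_equals($known, $user, $rounds);
  report_case(6, $elapsed_ms, $result, '(boolean false)');

  ?>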