Bug #64211 [Nab]: sha256 hashes "#", "&", and "+" incorrectly.

[pwormer at science dot ru dot nl]

Edit report at https://bugs.php.net/bug.php?id=64211&edit=1

 ID:                 64211
 User updated by:    pwormer at science dot ru dot nl
 Reported by:        pwormer at science dot ru dot nl
 Summary:            sha256 hashes "#", "&", and  "+" incorrectly.
 Status:             Not a bug
 Type:               Bug
 Package:            hash related
 Operating System:   windows/linux
 PHP Version:        5.4.11
 Block user comment: N
 Private report:     N

 New Comment:

I call PHP from JS through XMLHttp.open("GET", "SHA256.php?pswd="+pswd). Maybe 
the problem lies in XMLHttp?


Previous Comments:
------------------------------------------------------------------------
[2013-02-15 10:29:20] pwormer at science dot ru dot nl

Two more examples:

1. Password "a b" (no quotes, pswd contains three characters, middle one ASCII 
32):
JS-hashed password :  
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65
PHP-hashed password:  
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65

2. Password "a#b" (no quotes, pswd contains three characters, middle one ASCII 
35):
JS-hashed password : 
8187fc8f7f007036dffc199544b33167632c7739733785bbdec0fbb9a2c43ca1
PHP-hashed password: 
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

My problem is the difference in hash between JavaScript and PHP that occurs if 
and only if the pswd contains anywhere #, & or +. By looking at PHP alone this 
problem cannot be solved.

------------------------------------------------------------------------
[2013-02-14 21:38:29] s...@php.net

s/expecting/getting

------------------------------------------------------------------------
[2013-02-14 21:37:50] s...@php.net

Can't reproduce on 32 or 64 bit Linux:
$ php53 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
$ php54 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

Is it coincidence that "" (an empty string) gives the hash you are expecting 
for 
"#".

$ php53 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
$ php54 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

------------------------------------------------------------------------
[2013-02-14 11:05:56] pwormer at science dot ru dot nl

Description:
------------
The JavaScript functions at:

http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha256.js

and 

http://www.movable-type.co.uk/scripts/sha256.html

give the same hash for any password  of any length consisting of ASCII 32 
through 128.  Almost always the hash is the same as obtained from PHP:  
hash("sha256", $pswd).

Exceptions (bugs?) are passwords containing one or more of the three characters:
"#" (number sign), "&" (ampersand), or "+" (plus sign).

Tested with XAMPP (PHP 5.4.7), FireFox and Chrome and Linux server.

Test script:
---------------
See http://www.theochem.ru.nl/~pwormer/sha256bug.php

This URL calls SHA256.php which contains the following four lines

<?php
$pswd = $_GET["pswd"];
echo hash("sha256", $pswd);
?>    

Expected result:
----------------
I expect JavaScript and PHP to give same Sha-256 hashes

Actual result:
--------------
Hash of # (single character):

JS:  334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
PHP: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64211&edit=1