Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
shitmac
<?php
function shitmac_xor(string $str, int $with){
$ret = "";
for($i=0,$imax=strlen($str);$i<$imax;++$i){
$ret .= chr( ord($str[$i]) ^ $with );
}
return $ret;
}
function shitmac(string $key, string $message, string $hash_algorithm = "SHA1",
int $hash_algorithm_block_size = 64, int $hash_algorithm_output_size = 20){
if(strlen($key) > $hash_algorithm_block_size){
// this is probably a bad idea, but php is doing it anyway.
// > RFC 2104 requires that "keys longer than B bytes are first hashed using H" which leads to a confusing pseudo-collision: if the key is longer than the hash block size (e.g. 64 characters for SHA-1), then HMAC(k, m) is computed as HMAC(H(k), m).This property is sometimes raised as a possible weakness of HMAC in password-hashing scenarios: it has been demonstrated that it's possible to find a long ASCII string and a random value whose hash will be also an ASCII string, and both values will produce the same HMAC output.
// die("TODO: hash(hash_algo, key");
$key = hash($hash_algorithm, $key, true);
}
if(strlen($key) < $hash_algorithm_block_size){
// die("TODO: key=str_pad(key,x00,block_size,pad_left");
$key = str_pad($key, $hash_algorithm_block_size, "\x00", STR_PAD_RIGHT);
}
$o_key_pad = shitmac_xor($key, 0x5C);
$i_key_pad = shitmac_xor($key, 0x36);
$ret = hash($hash_algorithm, $i_key_pad.$message, true);
$ret = hash($hash_algorithm, $o_key_pad . $ret, true);
return $ret;
}
$hash_algorithm = "SHA1";
$hash_algorithm_block_size = 64;
$hash_algorithm_output_size = 20;
$results=[];
for($i=1;$i<100;++$i){
$key=str_repeat("\x00", $i);
$message = "Hello World".random_bytes($i);
$hmac = hash_hmac($hash_algorithm, $message, $key, true);
$shitmac = shitmac($key, $message, $hash_algorithm, $hash_algorithm_block_size, $hash_algorithm_output_size);
if($hmac === $shitmac){
echo "{$i}: success!\n";
}else{
var_dump($i,$hmac,$shitmac);
die("ERROR!");
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment