From 5712cbdcec3bc888083a241ba843d419152b54f0 Mon Sep 17 00:00:00 2001
From: Tom Klingenberg
Date: Mon, 22 Jul 2013 20:21:56 +0200
Subject: [PATCH 1/3] Update data in U*_P*_Imp*_SHA256Test::provideTestDetect()

The test-data-provider provideTestDetect() is missing to provide a hash that contains characters in the salt out of the base64 range. Previously only data with salts in the base64 range was provided. This had left non-base64 ranged salts untested. Steps done: - A valid SHA256 hash containing characters in the salt out of the base64 range has been added. For reference the following script shows the hash, what's its plain is and that it verifies: \x13\xCB\xED" . "\$6I5JMX./GN9KGHTtvHwvp3mxkNv/Ni7/jomOEBgsiM."; $verify = $hash === crypt($plain, $hash); if (!$verify) { throw new RuntimeException('PHP crypt() failure.'); } echo "OK"; https://eval.in/38389
---
 test/Unit/Password/Implementation/SHA256Test.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Unit/Password/Implementation/SHA256Test.php b/test/Unit/Password/Implementation/SHA256Test.php
index 120d88c..8a9c809 100644
--- a/test/Unit/Password/Implementation/SHA256Test.php
+++ b/test/Unit/Password/Implementation/SHA256Test.php
@@ -20,7 +20,7 @@ public static function provideTestDetect() {
 array('$2$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi', false),
 array(SHA256::getPrefix() . '07$usesome illystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi', false),
 array(SHA256::getPrefix() . '01$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi', false),
-
+ array(SHA256::getPrefix() . "\xE4\"|\xF5|\x08\xC8'\xF054:>\x13\xCB\xED\$6I5JMX./GN9KGHTtvHwvp3mxkNv/Ni7/jomOEBgsiM.", true)
 );
 }

From c32b1cdcef30ec1e45e1e3024a7db68d501c2c17 Mon Sep 17 00:00:00 2001
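Review bot: The row added to provideTestDetect() is the only case with salt bytes outside the crypt base64 alphabet, and it is a positive one; no visible row pins what detect() returns when the salt field holds a NUL byte, an embedded `$`, or more than 16 bytes. crypt() ends the string at NUL, ends the salt at `$` and truncates the salt to 16 characters, so a detect() that accepts such input would classify as valid a string that may not verify as written. Consider one row per case, each with the result the implementation is meant to give. The new row also lacks the trailing comma the rows above it carry, and a comment such as `// crypt() output, no rounds= field, 16-byte salt outside [./0-9A-Za-z]` would keep the vector's origin in the file rather than only in the commit message. The provider's body starts above the hunk.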
From: Tom Klingenberg
Date: Mon, 22 Jul 2013 20:23:17 +0200
Subject: [PATCH 2/3] Update data in U*_P*_Imp*_SHA512Test::provideTestDetect()

The test-data-provider provideTestDetect() is missing to provide a hash that contains characters in the salt out of the base64 range. Previously only data with salts in the base64 range was provided. This had left non-base64 ranged salts untested. Steps done: - A valid SHA512 hash containing characters in the salt out of the base64 range has been added. For reference the following script shows the hash, what's its plain is and that it verifies:
Date: Tue, 23 Jul 2013 21:34:27 +0200
Subject: [PATCH 3/3] SHA256/SHA512 low-byte salts for tests

The test-data used in the imlementations: - Unit_Password_Implementation_SHA256Test - Unit_Password_Implementation_SHA512Test did only contain salts inside the base64 range. That did left non-base64 data for salts untested. This patch adds hash strings that are using a salt of 16 times chr(1) instead of chr(0). Both in the mock of the random generator as well as in test-data.
---
 test/Unit/Password/Implementation/SHA256Test.php | 8 ++++----
 test/Unit/Password/Implementation/SHA512Test.php | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/test/Unit/Password/Implementation/SHA256Test.php b/test/Unit/Password/Implementation/SHA256Test.php
index 8a9c809..636a6d3 100644
--- a/test/Unit/Password/Implementation/SHA256Test.php
+++ b/test/Unit/Password/Implementation/SHA256Test.php
@@ -26,9 +26,9 @@ public static function provideTestDetect() {
 public static function provideTestCreate() {
 return array(
- array(1000, 'foo', SHA256::getPrefix() . 'rounds=1000$................$expjG7P4AN4svmCMHxzkAc.s8gNGp0fu4bYVVY8iQo1'),
- array(1000, 'bar', SHA256::getPrefix() . 'rounds=1000$................$NYlBKYVTrvSD1CYbsBDngbAm7kyAJk/D9XX.3528r05'),
- array(1000, 'baz', SHA256::getPrefix() . 'rounds=1000$................$sN32z5PIeyCOerA52tXRmNvbdcwPd/FqWAmZelaX9z6'),
+ array(1000, 'foo', SHA256::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$AaIctt3o2mZFLme8WGmPB4yQUd7uV7PT7spV8CJvXA1"),
+ array(1000, 'bar', SHA256::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$3MGN/aM/1YdTG3AV4IyJq5QEM6zNBDDaLh.rGS/nHI8"),
+ array(1000, 'baz', SHA256::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$BhLh/zh5GXbIIqmxFpzISUtZbRy9bhefHr9pc.4ri3A"),
 );
 }
@@ -149,7 +149,7 @@ public function testVerifyFailException($iterations, $pass, $expect) {
 protected function getSHA256MockInstance($iterations) {
 $gen = $this->getRandomGenerator(function($size) {
- return str_repeat(chr(0), $size);
+ return str_repeat(chr(1), $size);
 });
 return new SHA256(array('rounds' => $iterations), $gen);
 }
diff --git a/test/Unit/Password/Implementation/SHA512Test.php b/test/Unit/Password/Implementation/SHA512Test.php
index 3cb34d2..ee8ce17 100644
--- a/test/Unit/Password/Implementation/SHA512Test.php
+++ b/test/Unit/Password/Implementation/SHA512Test.php
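Review bot: The three new expected strings in provideTestCreate() spell the salt as sixteen consecutive `\1` escapes, which is hard to count by eye and easy to get off by one when the vectors are next regenerated. Building the salt once, `$salt = str_repeat("\1", 16);`, and concatenating it as `'rounds=1000$' . $salt . '$…'` makes the length explicit and lets the remaining literals go back to single quotes. The matching rows in SHA512Test.php would benefit from the same change.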
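Review bot: Switching the mock generator in getSHA256MockInstance() from chr(0) to chr(1) moves the tests away from the NUL byte instead of covering it, and the new expected strings in provideTestCreate() suggest the generator output lands in the salt unencoded. If that is what the implementation does, real generator output will at times contain 0x00 or `$` (0x24), which crypt() treats as end of string and end of salt, so the stored hash could carry a shorter salt than intended or fail to verify. A create-then-verify test with a generator returning `str_repeat(chr(0), $size)` and another returning `str_repeat('$', $size)` would pin that behaviour. getSHA512MockInstance() in SHA512Test.php has the same gap.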
@@ -26,9 +26,9 @@ public static function provideTestDetect() {
 public static function provideTestCreate() {
 return array(
- array(1000, 'foo', SHA512::getPrefix() . 'rounds=1000$................$DzEAWetj/cXAPD/tGmEgpqyosAIZjLaRQI5DKcZYKSGFbk.mGzvRkDy3skMGqnkS4jRvrFjObXjiv.i5Bnob41'),
- array(1000, 'bar', SHA512::getPrefix() . 'rounds=1000$................$lKPnJbXtGAHAid5g7OPcHO3GZjaKv4osoaSPnNAq./mZ4dyGoq9IbAG8d9fcTJ1cxvEALMPki.mbzmNEHjY9b1'),
- array(1000, 'baz', SHA512::getPrefix() . 'rounds=1000$................$WZTe6NH6a0MA4vcOjJ9nKZP2hLvr9GhPvYqlOargbJNpzQaluc5sEe.Ep/PF2D79haaMPsFRGsnA2YEW3d7wx1'),
+ array(1000, 'foo', SHA512::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$5yUq/cJAngIZ0sWBdbZ50jTCUDrMwA08nvnCWUiaCsi6PEuPaUoY8K7MS8IbLj8uE640rjnIF84x1ayZ5UDbq/"),
+ array(1000, 'bar', SHA512::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$CtKbNszU3gfdh4/aF/V5RNT2a8qljIs9JTINsFConxEvFO3ubFxUqojuOzxCPtqNtdkko/CYO3IGaiAn7ZxE20"),
+ array(1000, 'baz', SHA512::getPrefix() . "rounds=1000\$\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\$O6m4HWAD6AJo9oSPerzqDlBtGYQytvvtdz98lDwjxOmnlmZodLgtntMYN5l45qfWX54CqDJeS6AGQwXRh2/Ap."),
 );
 }
@@ -150,7 +150,7 @@ public function testVerifyFailException($iterations, $pass, $expect) {
 protected function getSHA512MockInstance($iterations) {
 $gen = $this->getRandomGenerator(function($size) {
- return str_repeat(chr(0), $size);
+ return str_repeat(chr(1), $size);
 });
 return new SHA512(array('rounds' => $iterations), $gen);
 }