Online PHP editor | output for OCBiU

<?php function shitmac_xor(string $str, int $with){ $ret = ""; for($i=0,$imax=strlen($str);$i<$imax;++$i){ $ret .= chr( ord($str[$i]) ^ $with ); } return $ret; } function shitmac(string $key, string $message, string $hash_algorithm = "SHA1", int $hash_algorithm_block_size = 64, int $hash_algorithm_output_size = 20){ if(strlen($key) > $hash_algorithm_block_size){ // this is probably a bad idea, but php is doing it anyway. // > RFC 2104 requires that "keys longer than B bytes are first hashed using H" which leads to a confusing pseudo-collision: if the key is longer than the hash block size (e.g. 64 characters for SHA-1), then HMAC(k, m) is computed as HMAC(H(k), m).This property is sometimes raised as a possible weakness of HMAC in password-hashing scenarios: it has been demonstrated that it's possible to find a long ASCII string and a random value whose hash will be also an ASCII string, and both values will produce the same HMAC output. // die("TODO: hash(hash_algo, key"); $key = hash($hash_algorithm, $key, true); } if(strlen($key) < $hash_algorithm_block_size){ // die("TODO: key=str_pad(key,x00,block_size,pad_left"); $key = str_pad($key, $hash_algorithm_block_size, "\x00", STR_PAD_RIGHT); } $o_key_pad = shitmac_xor($key, 0x5C); $i_key_pad = shitmac_xor($key, 0x36); $ret = hash($hash_algorithm, $i_key_pad.$message, true); $ret = hash($hash_algorithm, $o_key_pad . $ret, true); return $ret; } $hash_algorithm = "SHA1"; $hash_algorithm_block_size = 64; $hash_algorithm_output_size = 20; $results=[]; for($i=0;$i<100;++$i){ $key=str_repeat("\x00", $i); $message = "Hello World".random_bytes($i); $hmac = hash_hmac($hash_algorithm, $message, $key, true); $shitmac = shitmac($key, $message, $hash_algorithm, $hash_algorithm_block_size, $hash_algorithm_output_size); if($hmac === $shitmac){ echo "{$i}: success!\n"; }else{ var_dump($i,$hmac,$shitmac); die("ERROR!"); } }