Why does the following code return different HMAC values?
$a = 1234567890000 * 1234567890000;
$b = gmp_mul("1234567890000", "1234567890000");
$b = gmp_strval($b);
echo $a, "<br/>", $b, "<br/>";
$c = 2525;
echo ($a == $b) . "<br/>";
echo hash_hmac("SHA512", $a, $c), "<br/>";
echo hash_hmac("SHA512", $b, $c);
The output is the following.
1.5241578750191E+24
1524157875019052100000000
1
973967436d3562150d60769b70a9010db21f89b114b9897430663dd195115b7893b9a6bd0e141cee301d23e2229afd6d39546630cd38f6fe7842073749f9ce3d
8bd1e7c837efaf8d51ed2d40354a020ee3c9663aa6bd4425c02b21ed02343185070216d37e54478ee78332af8e6fdecd51445fcee8cb04d4e51e4cc31283f9a9
$a is equal to $b. I'm not sure what kind of error is causing this, or whether my logic is correct.
hmac_hash() should convert any input to a string and do its job.
When you compare $a and $b, the string inside $b is converted into an integer. Because the value is larger than what PHP can represent as an integer, it gets silently converted into a float instead. $a is a float. The floats are equal, which is why the compare succeeds.
hash_hmac converts the float in $a to a string instead of converting the string in $b into an integer which then overflows into a float. This is why the hashes differ.
If you want the compare to fail so that the behavior between it and hash_hmac is consistent, you'll want to cast $a into a string first or will want to use === to avoid converting data types.