I found that one of our programs uses a SHA-256 implementation that produces different hashes for the same inputs compared to standard libraries (in this case compared to node:crypto and the Web Crypto API).

The hashes are different for characters that are part of "later" blocks of the Unicode (for example emoticons).

The implementation is used

Are there any implications by this?

    1 Answer

    The hashes are different for characters that are part of "later" blocks of the Unicode (for example emoticons).

    SHA-256 does not operate on characters but on bytes. Based on your description, a wrong encoding of characters to bytes is done, either by the caller of the function (i.e. wrong use) or in the function itself.

    Are there any implications by this?

    Of course, functionality might break, like the right password not being accepted or a script not being executed since it has the wrong hash for integrity checks. And one can surely construct situations where such broken functionality will impact security - but this is true for functionality broken for other reasons too.

    But there are no direct security implications from the use of the wrong encoding. The hash function is still as secure as before, it only produces a different value. This is similar to adding a fixed string to each input - different output but no more or less secure than before.
