hash function that works identically on ColdFusion MX7 and PHP 5.x?


3

I am working on a legacy ColdFusion MX7 site. They want to implement a "salted hash" password system. But some time in the next year or so they plan to build a completely new PHP site and don't want to have to reset (lose) all the passwords.

So I'm looking for some code that will work on both platforms.

I'm new to this, but as far as I can tell, the following two blocks of code should do the same thing. However, they produce different results. Anyone care to help?

COLDFUSION CODE:

    <cffunction name="computeHash" access="public" returntype="String">
        <cfargument name="password" type="string" />
        <cfargument name="salt" type="string" />
        <cfargument name="iterations" type="numeric" required="false" default="1024" />
        <cfargument name="algorithm" type="string" required="false" default="SHA-1" />
        <cfscript>
            var hashed = '';
            var i = 0; // keep the loop index local to this function
            hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
        </cfscript>
        <!--- each round re-hashes the previous hex digest text plus the salt --->
        <cfloop from="1" to="#iterations#" index="i">
            <cfscript>
                hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
            </cfscript>
        </cfloop>
        <!--- returntype="String" needs an explicit return --->
        <cfreturn hashed />
    </cffunction>

PHP CODE:

    function computeHash($password,$salt)
    {
        $hashed = '';
        $hashed = hash('sha1', $password . $salt);
        for ($i = 1; $i <= 1024; $i++) 
        {
            $hashed = hash('sha1', $hashed . $salt);
        }
        echo $hashed;
    }

UPDATE 1: Thanks for your replies! Using a password of "p@ssW0rd", and a salt of "JjXSROiYyKkxNzTklaiErQ==" generates the following results:

COLDFUSION:

code, part 1:

    hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );

generates:

    A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB

code, part 2:

    hash( hashed & salt, arguments.algorithm, 'UTF-8' );

generates:

    CFF9B75918B75761B5568854782CD709B2941637

PHP:

code, part 1:

    $hashed = hash('sha1', $password . $salt);

generates:

    a0a8de3a3b2a8bfd74766eee126950f4462d3bcb

code, part 2:

    hash('sha1', $hashed . $salt);

generates:

    e955404423747ec706561fa9a319ddac47194a65

As you can see, the first time around, the outputs match. But when I re-hash, they no longer match. I'm confused.

2012-04-05 22:31
by user1316401
Test which one is the wrong one. http://www.sha1-online.com/; Perhaps you can print out the result for each iteration (you probably don't need 1024, 2 will suffice) - j13r 2012-04-05 22:35
How are they different? Could you post an example of inputs and outputs? - ryber 2012-04-05 23:49
Also, does it produce the same result if you just do it once, take out the looping part? - ryber 2012-04-05 23:51
Based on your outputs, it seems you just need to run strtoupper() on PHP's hash() result - DCoder 2012-04-06 04:38
I updated my post to include examples of inputs and outputs without any looping. Thanks - user1316401 2012-04-06 04:38
DCoder, I think you nailed it - user1316401 2012-04-06 04:39
I'll post the updated/working code in a bit, the site isn't allowing me to answer my own question until it's been 8 hours since I asked it.... - user1316401 2012-04-06 04:52
@user1316401 - So what cracked it, DCoder's suggestion of using upper case? If so maybe he should post it as an answer. You could upvote as thanks for the assist :) Though seeing the final code would be great too - Leigh 2012-04-06 05:00
Yes, DCoder's suggestion fixed it completely. I have a complete answer typed, with the updated code, but I'm not allowed to post it yet. Sorry. Will post ASAP - user1316401 2012-04-06 05:13
user 1316401 - Sounds good. @DCoder - you should post your suggestion as an answer since it did the trick - Leigh 2012-04-06 05:18
Apparently new users can't upvote anything, or mark their own answers as "answers". Anyway, thanks again to @DCoder, and I hope my updated code helps someone else in future. : - user1316401 2012-04-06 16:00


11

ColdFusion generates A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB, and PHP generates a0a8de3a3b2a8bfd74766eee126950f4462d3bcb

As you can see, the first time around, the outputs match.

Those strings are not identical. You need to turn them both to the same case - I would use strtoupper() on PHP's generated result.

2012-04-06 05:22
by DCoder


0

Adobe's documentation for CF's hash function does not list "SHA-1" as a valid value for the algorithm parameter. I guess you should be passing "SHA" instead.

2012-04-05 22:43
by Josh
I think SHA is just an alias for SHA-1 - Leigh 2012-04-05 23:25
Leigh is right, you can also say SHA-1, it works fine. Actually if you look at the documentation for encrypt it lists "SHA-1" and not "SHA" - ryber 2012-04-05 23:54
I was just going by what the doc said, but it wouldn't be the first undocumented feature in CF - Josh 2012-04-06 00:24


0

@DCoder nailed it. The problem was that ColdFusion was outputting all upper case, whereas PHP was outputting all lower case. So, using strtoupper() in the PHP code made them work identically. Also, SHA-512 seems to be supported in CF7 and PHP 5, so I'm switching to that algorithm. I'm including both the updated CF and PHP code below for future reference. :)

COLDFUSION CODE (unchanged except for algorithm):

    <cffunction name="computeHash" access="public" returntype="String">
        <cfargument name="password" type="string" />
        <cfargument name="salt" type="string" />
        <cfargument name="iterations" type="numeric" required="false" default="1024" />
        <cfargument name="algorithm" type="string" required="false" default="SHA-512" />
        <cfscript>
            var hashed = '';
            var i = 0; // keep the loop index local to this function
            hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
        </cfscript>
        <!--- each round re-hashes the previous hex digest text plus the salt --->
        <cfloop from="1" to="#iterations#" index="i">
            <cfscript>
                hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
            </cfscript>
        </cfloop>
        <!--- returntype="String" needs an explicit return --->
        <cfreturn hashed />
    </cffunction>

PHP CODE (with strtoupper() added and new algorithm):

    function computeHash($password,$salt)
    {
        $algorithm = 'sha512';
        $hashed = '';
        // strtoupper() matches ColdFusion's upper-case hex output
        $hashed = strtoupper(hash($algorithm, $password . $salt));
        for ($i = 1; $i <= 1024; $i++)
        {
            $hashed = strtoupper(hash($algorithm, $hashed . $salt));
        }
        echo $hashed;
    }

2012-04-06 15:59
by user1316401
"@DCoder nailed it" ... Then you should have selected his as the accepted answer so they could get the appropriate reward for getting it right. Just sayin'.. - Justin Scott 2012-05-14 16:04
see previous comment - Stofke 2012-09-07 15:18
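
Added example (not code from the thread): a PHP port of the loop that returns the digest instead of echoing it, and shows why the case of the hex string only starts to matter once the digest is fed back into the hash. The names `iteratedHash` and `digestsEqual` are hypothetical; the password and salt are the sample values from the question, and the script is assumed to be saved as UTF-8 so the bytes match ColdFusion's 'UTF-8' encoding argument.

```php
<?php
// Added example. Mirrors the ColdFusion loop on this page: one initial hash,
// then $iterations rounds of hash(previous hex digest . salt).
// $upper = true emulates ColdFusion's hash(), which returns upper-case hex.
function iteratedHash($password, $salt, $upper, $iterations = 1024, $algorithm = 'sha512')
{
    $input = $password;
    for ($i = 0; $i <= $iterations; $i++) {
        $hashed = hash($algorithm, $input . $salt);
        $input  = $upper ? strtoupper($hashed) : $hashed; // hex text is the next input
    }
    return $input;
}

// Constant-time comparison: hash_equals() needs PHP 5.6+, older 5.x uses the XOR loop.
function digestsEqual($known, $given)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $given);
    }
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Sample values from the question's UPDATE 1.
$password = 'p@ssW0rd';
$salt     = 'JjXSROiYyKkxNzTklaiErQ==';

// No extra rounds: both platforms hash the same bytes, only the hex case differs.
$cf0  = iteratedHash($password, $salt, true, 0, 'sha1');
$php0 = iteratedHash($password, $salt, false, 0, 'sha1');
var_dump(strtolower($cf0) === $php0);

// One extra round: the hashed text now differs in case, so the digests diverge.
$cf1  = iteratedHash($password, $salt, true, 1, 'sha1');
$php1 = iteratedHash($password, $salt, false, 1, 'sha1');
var_dump(strtolower($cf1) === $php1);

// Checking a login attempt against a stored ColdFusion-style hash.
$stored = iteratedHash($password, $salt, true);
var_dump(digestsEqual($stored, iteratedHash($password, $salt, true)));
```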