Hash function that works the same on ColdFusion MX7 and PHP 5.x?

I am working on an old ColdFusion MX7 site. They want to implement a "salted hash" password system. But for a while in the next year or so, they plan to build a completely new PHP site and don't want to have to reset (lose) all the passwords.

So I am looking for code that will work on both platforms.

I'm new to this, but as far as I can tell, the next two blocks of code should do the same thing. However, they give different results. Can anyone help?

COLDFUSION CODE:

    <cffunction name="computeHash" access="public" returntype="String">
        <cfargument name="password" type="string" />
        <cfargument name="salt" type="string" />
        <cfargument name="iterations" type="numeric" required="false" default="1024" />
        <cfargument name="algorithm" type="string" required="false" default="SHA-1" />
        <cfscript>
            var hashed = '';
            hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
        </cfscript>
        <cfloop from="1" to="#iterations#" index="i">
            <cfscript>
                hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
            </cfscript>
        </cfloop>
        <!--- Return the digest; the function declares returntype="String". --->
        <cfreturn hashed />
    </cffunction>

PHP CODE:

    function computeHash($password,$salt)
    {
        $hashed = '';
        $hashed = hash('sha1', $password . $salt);
        for ($i = 1; $i <= 1024; $i++) 
        {
            $hashed = hash('sha1', $hashed . $salt);
        }
        echo $hashed;
    }

      

UPDATE 1: Thanks for your responses! Using the password "p @ ssW0rd" and the salt "JjXSROiYyKkxNzTklaiErQ ==" generates the following results:

ColdFusion:

code part 1:

    hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );

generates:

    A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB

code part 2:

    hash( hashed & salt, arguments.algorithm, 'UTF-8' );

generates:

    CFF9B75918B75761B5568854782CD709B2941637

PHP:

code part 1:

    $hashed = hash('sha1', $password . $salt);

generates:

    A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB

code part 2:

    hash('sha1', $hashed . $salt);

generates:

    e955404423747ec706561fa9a319ddac47194a65

As you can see, the first time the outputs are the same. But when I hash again, they don't match anymore. I am embarrassed.

+3


3 answers


ColdFusion generates A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB

and PHP generates A0A8DE3A3B2A8BFD74766EEE126950F4462D3BCB

As you can see, the first time the outputs match.



These lines are not identical. You need to turn them both into the same case - I would use strtoupper() for the PHP generated result.

+11




The Adobe documentation for the CF function hash does not display "SHA-1" as a valid value for the parameter algorithm. I guess you should go through "SHA" instead.



0




@DCoder nailed it. The problem was that ColdFusion was outputting all uppercase letters while PHP was outputting all lowercase letters. So using strtoupper() in PHP code made them work the same way. Also, SHA-512 seems to be supported in CF7 and PHP 5, so I'm moving on to that algorithm. I've included and updated the CF and PHP code below for future reference. :)

COLDFUSION CODE (unchanged):

    <cffunction name="computeHash" access="public" returntype="String">
        <cfargument name="password" type="string" />
        <cfargument name="salt" type="string" />
        <cfargument name="iterations" type="numeric" required="false" default="1024" />
        <cfargument name="algorithm" type="string" required="false" default="SHA-512" />
        <cfscript>
            var hashed = '';
            hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
        </cfscript>
        <cfloop from="1" to="#iterations#" index="i">
            <cfscript>
                hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
            </cfscript>
        </cfloop>
        <!--- Return the digest; the function declares returntype="String". --->
        <cfreturn hashed />
    </cffunction>

PHP CODE (with added strtoupper() and new algorithm):

    function computeHash($password,$salt)
    {
        $algorithm = 'sha512';
        $hashed = '';
        $hashed = strtoupper(hash($algorithm, $password . $salt));
        for ($i = 1; $i <= 1024; $i++) 
        {
            $hashed = strtoupper(hash($algorithm, $hashed . $salt));
        }
        echo $hashed;
    }

0
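
Why the first round agreed and every later round did not, as an added example that is not part of the original posts: each round hashes the hex text of the previous digest, so chaining lowercase hex and chaining uppercase hex give unrelated results. The names chainHash() and verifyPassword() and the sample password and salt are constructed for illustration, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example. chainHash() and verifyPassword() are illustrative names,
// and the password and salt below are constructed sample values.

// Iterated salted hash. Every round hashes the hex *text* of the previous
// digest, so the letter case of that text changes all later rounds.
// Assumes $password and $salt are UTF-8 strings, as in the ColdFusion call.
function chainHash($password, $salt, $upperHex, $algorithm = 'sha512', $iterations = 1024)
{
    $hashed = hash($algorithm, $password . $salt);   // PHP returns lowercase hex
    if ($upperHex) {
        $hashed = strtoupper($hashed);               // ColdFusion returns uppercase hex
    }
    for ($i = 1; $i <= $iterations; $i++) {
        $hashed = hash($algorithm, $hashed . $salt);
        if ($upperHex) {
            $hashed = strtoupper($hashed);
        }
    }
    return $hashed;
}

// Check a login attempt against a hash stored in the ColdFusion-compatible form.
function verifyPassword($password, $salt, $storedHash)
{
    $candidate = chainHash($password, $salt, true);
    // hash_equals() (PHP 5.6+) compares without leaking timing information.
    return hash_equals(strtoupper($storedHash), $candidate);
}

$salt     = 'c2FtcGxlLXNhbHQtMDE=';   // constructed
$password = 'example-password';        // constructed

$compatible = chainHash($password, $salt, true);   // uppercase hex fed back each round
$naive      = chainHash($password, $salt, false);  // lowercase hex fed back each round

// Do the two chains still agree once case is ignored?
var_dump(strcasecmp($compatible, $naive) === 0);
// Does the stored hash verify for the right and for a wrong password?
var_dump(verifyPassword($password, $salt, $compatible));
var_dump(verifyPassword('wrong-password', $salt, $compatible));
```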

