Hi, I want to modify a website-login-system (PHP) to check passwords which are deocoded with SSHA. My script should compare the clear password, which I get from a FORM, with the SSHA-hash of the password, which is in the database (MySQL). The dates in the MySQL-DB comes from a LDAP. This is my script:
<?php $password_sub = "test"; //Das Passwort erhalte ich über ein HTML-Formular $passsowrd_hash_db = base64_decode("e1NTSEF9aH...."); //Diesen base64-Hash erhalte ich aus der Datenbank. //Er wird gleich decodiert, da man daraus das $salt benötigt. //Dann hat er die Form {SSHA}hxtMi.... $salt = base64_decode(substr($passsowrd_hash_db , 32)); //Berechnung des $salt $hash = "{SSHA}" . base64_encode(pack("H*", sha1($password_sub.$salt)).$salt); ?>
But the script doesn't work, because the generated hash isn't the same as the hash from the database.
But I don't now, what's wrong?
May someone help me?
m@xx
Jack van Rock schrieb:
<?php $password_sub = "test"; $passsowrd_hash_db = base64_decode("e1NTSEF9aH...."); $salt = base64_decode(substr($passsowrd_hash_db , 32));
password format:
$pwd = "{SSHA}" . base64_encode( sha1( $pass . $salt, true) . $salt );
so just backtrace from there
// skip the "{SSHA}" $b64 = substr($ldap_entry, 6)
// base64 decoded $b64_dec = base64_decode($b64)
// the salt (given it is a 4byte one) $salt = substr(b64_dec, -4)
// the sha1 part $sha = substr($b64_dec, 20)
// now compare $sha == base64_encode( sha1($challengepw . $salt) . $salt )
openldap-technical@openldap.org
-
Daniel T. Bender -
Jack van Rock