Question

I am trying to create Seafile users with PHP. http://www.seafile.com

The hash of a user who is already existing looks like:

PBKDF2SHA256$10000$9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060$478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215

So I assume the hashing algo is sha256 using the pbkdf2 key derivation function with 10k rounds. The first part after that should be the salt, separated by a $, then there is supposed to be the pwd hash.

Seafile is open-sourced so I tried to find the code for generating this hash and found this one:

There is a function called hash_password_pbkdf2_sha256() which should do this job.

When I try to create the same hash as above with PHP (password is "12345678"):

hash_pbkdf2('sha256', '12345678','9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060', 10000, 64)

I get 148f4d331b647bafa2b15d145814d56fbe40e13221aff6e53329680b4cadbc84, which is not equal to the value above, 478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215

Any ideas how to fix this?


Solution

The C function validate_passwd_pbkdf2_sha256 in the file you pointed to calls hex_to_rawdata (salt_str, salt, SHA256_DIGEST_LENGTH) before it hashes the password. The PHP equivalent would be hex2bin.

hash_pbkdf2(
  'sha256',
  '12345678',
  hex2bin('9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060'),
  10000,
  64
);

produces the expected 478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215
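
The same fix wrapped into create and verify helpers, as an added example (not part of the original answer and not Seafile's own code). It assumes the stored format is the four `$`-separated fields seen in the question; the `seafile_*` function names are hypothetical.

```php
<?php
// Added example, not Seafile's code. Layout assumed from the stored hash in
// the question: PBKDF2SHA256$iterations$hex_salt$hex_hash.

function seafile_parse_hash(string $stored): array
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'PBKDF2SHA256') {
        throw new InvalidArgumentException('unsupported hash format');
    }
    [, $iter, $saltHex, $hashHex] = $parts;
    if (!ctype_digit($iter) || (int)$iter < 1
        || !ctype_xdigit($saltHex) || strlen($saltHex) % 2 !== 0
        || !ctype_xdigit($hashHex) || strlen($hashHex) !== 64) {
        throw new InvalidArgumentException('malformed hash fields');
    }
    return [(int)$iter, $saltHex, strtolower($hashHex)];
}

function seafile_hash_password(string $password, int $iterations = 10000, ?string $saltHex = null): string
{
    // New salt: 32 random bytes, the same size as the 64-hex-digit salt above.
    $saltHex = $saltHex ?? bin2hex(random_bytes(32));
    // PBKDF2 must receive the raw salt bytes, not the hex text.
    $hashHex = hash_pbkdf2('sha256', $password, hex2bin($saltHex), $iterations, 64);
    return implode('$', ['PBKDF2SHA256', $iterations, $saltHex, $hashHex]);
}

function seafile_verify_password(string $password, string $stored): bool
{
    [$iter, $saltHex, $expected] = seafile_parse_hash($stored);
    $actual = hash_pbkdf2('sha256', $password, hex2bin($saltHex), $iter, 64);
    return hash_equals($expected, $actual); // constant-time comparison
}

// Stored hash and password are the ones quoted in the question.
$stored = 'PBKDF2SHA256$10000$9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060$478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215';
var_dump(seafile_verify_password('12345678', $stored));
var_dump(seafile_verify_password('not-the-password', $stored));
// Round trip with a freshly generated salt.
var_dump(seafile_verify_password('12345678', seafile_hash_password('12345678')));
```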

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow