Simple Machines Community Forum

Customizing SMF => Bridges and Integrations => Topic started by: Bacsu on July 16, 2009, 07:07:02 AM

Title: smf, password, java, special signs
Post by: Bacsu on July 16, 2009, 07:07:02 AM
Hello there,

I have another question about the crypted passwords in the DB. I'm trying to let a Java browser game use the forum DB. This works fine as long as the user has no special signs like " !|" in his username or pw. The SHA-1 hash generated by SMF comes out completely different from the one generated by Java or by a manual insert with phpMyAdmin in the DB. What is SMF doing with special signs when a hash is generated? Is there any way to fix it in Java?
Title: Re: smf, password, java, special signs
Post by: N3RVE on July 16, 2009, 08:22:29 AM
Moving this to a more appropriate section.

-[n3rve]
Title: Re: smf, password, java, special signs
Post by: Bacsu on July 16, 2009, 09:46:52 AM
thx a lot
Title: Re: smf, password, java, special signs
Post by: H on July 18, 2009, 06:23:24 PM
Have you looked at the php code SMF uses for the password?

sha1(strtolower($username) . $password)

As you can see, I don't think anything special is done there unless the core PHP functions themselves are doing something. People have asked about Java here before, so a search may bring up a working Java 'hash checker'.
Title: Re: smf, password, java, special signs
Post by: Bacsu on July 21, 2009, 05:04:17 AM
Yep. I made strtolower id+password. Users who have no numbers or special signs can log in. Users with special signs can't log in.
Title: Re: smf, password, java, special signs
Post by: H on July 23, 2009, 03:39:52 PM
Did you have a look at just generating hashes in PHP (without SMF) and the function above? That should show you if it is something PHP is doing or if SMF is doing something with the password somewhere.
Title: Re: smf, password, java, special signs
Post by: Bacsu on July 24, 2009, 02:08:06 PM
Yep. Did it. It's the same hash. Finally I found where SMF is checking the password, and I didn't know it's checking in this many ways. SMF isn't only checking for pure SHA-1 or salted SHA-1. It's also checking for md5, the crypt function, md5(md5) and so on. It could get interesting to integrate this into Java.
Title: Re: smf, password, java, special signs
Post by: H on July 24, 2009, 03:33:44 PM
SMF doesn't use md5/md5 salt/pure sha1/crypt. These are just intended to support people who have converted to SMF from another forum software. Anyone using these old hash methods will be prompted to update their password after they log in for the first time.
Title: Re: smf, password, java, special signs
Post by: Bacsu on July 25, 2009, 04:42:48 AM
This is kinda strange then.
Title: Re: smf, password, java, special signs
Post by: H on July 25, 2009, 09:15:07 AM
So if the sha1 hash with username & password in 'pure PHP' is generating the same hash as SMF, that must mean something is different in Java. I did a search for sha1 php java and some topics did appear on differences between the two.
Title: Re: smf, password, java, special signs
Post by: Bacsu on July 25, 2009, 09:38:21 AM
Eh, my bad. SHA-1 in Java, pure PHP (without SMF) and coded by the SQL database is the same. Only the hash of SMF is different.
Title: Re: smf, password, java, special signs
Post by: H on July 25, 2009, 09:54:43 AM
Are you definitely putting the username into lowercase in the same way as SMF?
Have you checked the values of username and password that SMF has before hashing them? Perhaps something in the password is being escaped resulting in a different hash
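
Added example, not part of the original posts and not SMF's own code: a Java check of the two questions above, built on the formula sha1(strtolower($username) . $password) quoted earlier in the thread. The hypothetical htmlEscape() helper is only a stand-in for "something being escaped" (the thread does not establish what SMF does to the password before hashing), and the sample passwords are constructed.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;

public class SmfHashCheck {

    // sha1(strtolower($username) . $password), computed over an explicit byte encoding.
    static String smfHash(String username, String password, Charset cs) throws Exception {
        // Locale.ROOT avoids locale-specific case mapping (e.g. the Turkish dotless i).
        String input = username.toLowerCase(Locale.ROOT) + password;
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(input.getBytes(cs));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Hypothetical escaping step (an assumption, not taken from SMF's source):
    // the &, ", <, > replacements that PHP's htmlspecialchars() makes.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) throws Exception {
        String user = "Bacsu"; // username taken from the thread
        // Constructed sample passwords: plain ASCII, HTML-special, non-ASCII.
        String[] passwords = { "secret123", "p&ss\"w<rd", "p\u00e4ssw\u00f6rd" };
        for (String pw : passwords) {
            String utf8 = smfHash(user, pw, StandardCharsets.UTF_8);
            String latin1 = smfHash(user, pw, StandardCharsets.ISO_8859_1);
            String escaped = smfHash(user, htmlEscape(pw), StandardCharsets.UTF_8);
            // A "true" means that factor alone is enough to change the stored hash.
            System.out.printf("%-12s charset-sensitive=%b escaping-sensitive=%b%n",
                    pw, !utf8.equals(latin1), !utf8.equals(escaped));
        }
    }
}
```

Any password for which a column prints true is one where the exact bytes fed to SHA-1 matter, so compare the pre-hash value on the PHP side byte for byte with what Java hashes.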
Title: Re: smf, password, java, special signs
Post by: 青山 素子 on July 27, 2009, 01:36:49 AM
Is this a 64-bit environment?
Title: Re: smf, password, java, special signs
Post by: wora_hr on February 19, 2012, 08:36:44 AM
It might be a slightly old post, but I had the same problems with a hash difference between Java and PHP some time ago. Here is the solution and explanation.

The thing is, for example, to use the same algorithm:

@PHP
hash_hmac('sha256', utf8_encode("somesecret"), utf8_encode(trim($another)), false);
... not so important, but it points you to >>> hmac and sha256

And then in Java, note:

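import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

Mac mac = Mac.getInstance("HmacSHA256");
String key = "someKeyToEncode";
String phrase = "secretPhraseSalt";
// Encode explicitly as UTF-8 so the bytes match PHP's utf8_encode() on any platform
SecretKeySpec secret = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8),
        "HmacSHA256");
mac.init(secret);
byte[] shaDigest = mac.doFinal(phrase.getBytes(StandardCharsets.UTF_8));
// Hex-encode the digest in lowercase, like the output of PHP's hash_hmac()
StringBuilder hash = new StringBuilder();
for (byte b : shaDigest) {
    hash.append(String.format("%02x", b));
}
// you can compare that now.. as something like...

if (hash.toString().equalsIgnoreCase(confirmationKeyFromPHP)) { return true; }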

And here is your hash, ready to compare. The logic is from one of my auth checks, since I communicate some approvals by sending hashes from PHP to Java and back. But to be able to compare these hashes generated in Java or PHP, they must use the same SHA algorithm: HMACSHA_xxx

I do not know too much about PHP, but I researched the difference in the default SHA algorithm used. ;)

By the way: this verification thing is annoying. I'm already logged in. Should I prove that I am a human on every post change??? Sorry, but this is not good UE.
Title: Re: smf, password, java, special signs
Post by: Aleksi "Lex" Kilpinen on March 06, 2012, 06:09:41 AM
Marking this topic solved, as it is years old and the original discussion has died.