
Different output from toBase64() in CFML on 2 different machines


FINAL EDIT: SOLVED, upgrading local dev to Railo 3.3.4.003 resolved the issue.


I have to RC4 encrypt some strings and have them base64 encoded and I'm running into a situation where the same input will generate different outputs on 2 different dev setups.

For instance, if I have a string [email protected]
On one machine (DEV-1) I'll get: DunU+ucIPz/Z7Ar+HTw=
and on the other (DEV-2) it'll be: DunU+ucIlZfZ7Ar+HTw=

First, I'm rc4 encrypting it through a function found here. Next I'm feeding it to: toBase64( my_rc4_encrypted_data, "iso-8859-1")

As far as I can tell the rc4 encryption output is the same on both (or I'm missing something). Below are SERVER variables from both machines as well as the encryption function.

Is this something we'll simply have to live with or is there something I can do to 'handle it properly' (for a lack of a better word). I'm concerned that in the future this will bite me and wonder if it can be averted.

edit 1: Output from my_rc4_encrypted_data.getBytes() returns:

dev-1:

Native Array (byte[])
14--23--44--6--25-8-63-63--39--20-10--2-29-60

dev-2:

Native Array (byte[])
14--23--44--6--25-8-63-63--39--20-10--2-29-60

(no encoding passed to getBytes() )

DEV-1 (remote)

server.coldfusion
productname Railo
productversion  9,0,0,1

server.java
archModel   64
vendor  Sun Microsystems Inc.
version 1.6.0_26

server.os
arch    amd64
archModel   64
name    Windows Server 2008 R2
version 6.1

server.railo
version 3.3.2.002

server.servlet
name    Resin/4.0.18

DEV-2 (local)

server.coldfusion
productname     Railo
productversion  9,0,0,1

server.java
vendor  Oracle Corporation
version 1.7.0_01

server.os
arch    x86 
name    Windows 7
version 6.1

server.railo
version 3.2.2.000

server.servlet
name    Resin/4.0.18

RC4 function:

function RC4(strPwd,plaintxt) {
  var sbox = ArrayNew(1);
  var key = ArrayNew(1);
  var tempSwap = 0;
  var a = 0;
  var b = 0;
  var intLength = len(strPwd);
  var temp = 0;
  var i = 0;
  var j = 0;
  var k = 0;
  var cipherby = 0;
  var cipher = "";

  for(a=0; a lte 255; a=a+1) {  
    key[a + 1] = asc(mid(strPwd,(a MOD intLength)+1,1));
    sbox[a + 1] = a;
  }

  for(a=0; a lte 255; a=a+1) {  
    b = (b + sbox[a + 1] + key[a + 1]) Mod 256;   
    tempSwap = sbox[a + 1];
    sbox[a + 1] = sbox[b + 1];
    sbox[b + 1] = tempSwap;    
  }

  for(a=1; a lte len(plaintxt); a=a+1) {  
    i = (i + 1) mod 256;
    j = (j + sbox[i + 1]) Mod 256;    
    temp = sbox[i + 1];
    sbox[i + 1] = sbox[j + 1];
    sbox[j + 1] = temp;
    k = sbox[((sbox[i + 1] + sbox[j + 1]) mod 256) + 1];    
    cipherby = BitXor(asc(mid(plaintxt, a, 1)), k);
    cipher = cipher & chr(cipherby);      
  }
  return cipher;
}

Solution

  • Leigh wrote:

    But be sure to use the same encoding in your test, i.e. String.getBytes(encoding). (Edit) If you omit it, the JVM default is used.

    Leigh is right - RAILO-1393 resulted in a change to toBase64 related to charset encodings in 3.3.0.017, which is between the 3.3.2.002 and 3.2.2.000 versions you are using.
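
Added example (not part of the original question or answer): decoding the two Base64 strings quoted in the question shows they differ only at bytes 6 and 7, where DEV-1 holds 0x3F ('?'), the substitute a charset conversion writes for characters it cannot represent. The sketch assumes the lossy charset is windows-1252 (a common JVM default on Windows; the page does not state it) and uses Python's `errors="replace"` to stand in for the substitution done by Java's `String.getBytes`.

```python
import base64

# Base64 outputs quoted in the question.
DEV1_B64 = "DunU+ucIPz/Z7Ar+HTw="
DEV2_B64 = "DunU+ucIlZfZ7Ar+HTw="


def diff_positions(a, b):
    """Indexes at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def signed(data):
    """Render bytes as Java's signed byte values, as in the question's dump."""
    return [b - 256 if b > 127 else b for b in data]


def string_to_base64(text, charset):
    """Convert a string to bytes in the given charset, then Base64-encode.

    Characters the charset cannot represent become '?' (0x3F), which
    silently destroys ciphertext bytes.
    """
    raw = text.encode(charset, errors="replace")
    return base64.b64encode(raw).decode("ascii")


dev1 = base64.b64decode(DEV1_B64)
dev2 = base64.b64decode(DEV2_B64)

# Model the string the RC4 function builds with chr(): one character
# per cipher byte, so byte 0x95 becomes the character U+0095.
cipher_string = "".join(chr(b) for b in dev2)

if __name__ == "__main__":
    print("differing byte indexes:", diff_positions(dev1, dev2))
    print("DEV-1 bytes:", signed(dev1))
    print("DEV-2 bytes:", signed(dev2))
    # ISO-8859-1 maps U+0000..U+00FF one-to-one onto bytes: lossless.
    print("iso-8859-1  :", string_to_base64(cipher_string, "iso-8859-1"))
    # windows-1252 (assumed default) has no mapping for U+0095/U+0097.
    print("windows-1252:", string_to_base64(cipher_string, "cp1252"))
```

Keeping the RC4 output as a byte array from encryption through Base64 encoding, instead of a chr()-built string, removes the dependence on any charset.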