I am trying to create Seafile users with PHP. http://www.seafile.com
The hash of an already existing user looks like:
PBKDF2SHA256$10000$9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060$478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215
So I assume the hashing algo is sha256 using the pbkdf2 key derivation function with 10k rounds. The first part after that should be the salt, separated by a $, then there is supposed to be the pwd hash.
Seafile is open-sourced so I tried to find the code for generating this hash and found this one:
There is a function called hash_password_pbkdf2_sha256() which should do this job.
When I'm trying to create the same hash as above with PHP (password is "12345678")
hash_pbkdf2('sha256', '12345678','9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060', 10000, 64)
I get 148f4d331b647bafa2b15d145814d56fbe40e13221aff6e53329680b4cadbc84
which is not equal to the above 478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215
Any ideas how to fix this?
The C function validate_passwd_pbkdf2_sha256 in the file you pointed to calls hex_to_rawdata (salt_str, salt, SHA256_DIGEST_LENGTH) before it hashes the password. The PHP equivalent would be hex2bin.
hash_pbkdf2(
'sha256',
'12345678',
hex2bin('9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060'),
10000,
64
);
produces the expected 478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215
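
Building on the answer above, this added example (not part of the original posts and not Seafile's own code) parses the stored `PBKDF2SHA256$iterations$salt$hash` string, hex-decodes the salt before deriving the key, and compares in constant time. The function names, the iteration cap and the use of a random 32-byte salt for new hashes are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not part of Seafile.
const SEAFILE_SCHEME = 'PBKDF2SHA256';
const MAX_ITERATIONS = 1000000; // constructed cap so a hostile record cannot stall the verifier

// Produce "PBKDF2SHA256$<iterations>$<hex salt>$<hex key>".
function seafile_hash_password(string $password, int $iterations = 10000): string
{
    $salt = random_bytes(32); // assumption: 32 random bytes, stored hex-encoded
    // Length 64 means 64 hex characters, i.e. a 32-byte derived key.
    $key = hash_pbkdf2('sha256', $password, $salt, $iterations, 64);
    return implode('$', [SEAFILE_SCHEME, $iterations, bin2hex($salt), $key]);
}

function seafile_verify_password(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== SEAFILE_SCHEME) {
        return false;
    }
    [, $iterations, $saltHex, $keyHex] = $parts;
    if (!ctype_digit($iterations) || strlen($iterations) > 7
        || (int) $iterations < 1 || (int) $iterations > MAX_ITERATIONS) {
        return false;
    }
    if (strlen($saltHex) !== 64 || !ctype_xdigit($saltHex)
        || strlen($keyHex) !== 64 || !ctype_xdigit($keyHex)) {
        return false;
    }
    // The salt field is hex text; PBKDF2 must be fed the decoded bytes.
    $salt = hex2bin($saltHex);
    $key = hash_pbkdf2('sha256', $password, $salt, (int) $iterations, 64);
    // Constant-time comparison of the two hex strings.
    return hash_equals(strtolower($keyHex), $key);
}

// Stored value and password taken from the question above.
$stored = 'PBKDF2SHA256$10000$9ee87caa42ed5b5fd3f62781d8df82af5e2d9e5e5250d22bf70336cc5e2fb060$478602208097c48b47042e25d026fec1b0363551a4f52aa2e2674f3093010215';
var_dump(seafile_verify_password('12345678', $stored));
var_dump(seafile_verify_password('wrong-password', $stored));

// Round trip with a freshly generated salt.
$fresh = seafile_hash_password('12345678');
var_dump(seafile_verify_password('12345678', $fresh));
```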