I'm trying to compare the hash of a password, but when I compare it I get hieroglyphs and can't match whether it's true or false.
analog php function:
/*
* Split hash into pieces
* ([0] = ??, [1] = master key, [2] = salt len, [3] = salt, [4] = iteration count, [5] = salt position, [6] = ??, [7] == ??, [8] == ??)
*/
$passHashArray = explode('$', $passHash);
/*
* Combine passphrase and salt
*/
$passToHash = $testPassphrase.hex2bin($passHashArray[3]);
/*
* Hash $passToHash $passHasArray[4] times with SHA512
*/
for($i = 0; $i < $passHashArray[4]; $i++){
$passToHash = hash('SHA512', $passToHash, true);
}
/*
* Get Key and Iv from $passToHash for final encryption
*/
$key = substr($passToHash, 0, 32);
$iv = substr($passToHash, 32, 16);
/*
* final passphrase encryption
*/
if(in_array('aes-256-cbc', openssl_get_cipher_methods())){
if(openssl_decrypt(hex2bin($passHashArray[1]), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv)){
echo 'password correct';
}else{
echo 'decrypt failed';
}
}
go function:
var passwordHash = "64$718eadbd49dbee69e2b3e5f9659c361129cc07199d421d01892694477331ad8a$16$dce01545e0c918e7$76012$2$00$2$00"
var password = "12345678910"
func main() {
var passwordHashArray = strings.Split(passwordHash, "$")
/*
* Convert to hex to bin passphrase and salt
*/
hex2Bin, err := hex.DecodeString(passwordHashArray[3])
if err != nil {
log.Printf("error hex decode string password hash array: %s", err)
}
/*
* Combine passphrase and salt
*/
passwordToHash := strings.Join([]string{ password, string(hex2Bin)}, "")
/*
* Hash $passToHash $passHasArray[4] times with SHA512
*/
intVar, err := strconv.Atoi(passwordHashArray[4])
if err != nil {
log.Printf("error password hash array string to int: %s", err)
}
passwordToHashBinary := make([]byte, 32)
passwordToHashBinary = hashSHA512([]byte(passwordToHash))
for i := 1; i < intVar; i++ {
passwordToHashBinary = hashSHA512(passwordToHashBinary)
}
/*
* Get Key and Iv from $passToHash for final encryption
*/
var encKeyDecoded = make([]byte, 32)
copy(encKeyDecoded, passwordToHashBinary[:32])
var ivDecoded = make([]byte, 16)
copy(ivDecoded, passwordToHashBinary[32:48])
cipherTextDecoded, err := hex.DecodeString(passwordHashArray[1])
if err != nil {
log.Printf("error hex decode string password hash array: %s", err)
}
results, err := decrypt(cipherTextDecoded, encKeyDecoded, ivDecoded)
if err != nil {
log.Printf("error result decode password: %s", err)
}
log.Printf("%s", string(results))
log.Printf("%x", string(results))
}
func decrypt(cipherTextDecoded []byte, encKeyDecoded []byte, ivDecoded []byte) ([]byte, error) {
block, err := aes.NewCipher(encKeyDecoded)
if err != nil {
return nil, err
}
if len(cipherTextDecoded) < aes.BlockSize {
return nil, fmt.Errorf("ciphertext too short")
}
if len(cipherTextDecoded)%aes.BlockSize != 0 {
return nil, fmt.Errorf("ciphertext is not a multiple of the block size")
}
mode := cipher.NewCBCDecrypter(block, ivDecoded)
mode.CryptBlocks(cipherTextDecoded, cipherTextDecoded)
return cipherTextDecoded, nil
}
func hashSHA512(crypto []byte) []byte {
hash := sha512.New()
hash.Write(crypto)
sha := hash.Sum(nil)
return sha
}
hash:
64$718eadbd49dbee69e2b3e5f9659c361129cc07199d421d01892694477331ad8a$16$dce01545e0c918e7$76012$2$00$2$00
original password:
12345678910
it is worth noting that in php the password is displayed correctly, but on the go I get a line like:
���Pʎ&L�t→]��f�►►►►►►►►►►►►►►►►
First of all, I don't understand where it comes from:
►►►►►►►►►►►►►►►►
How can I check if a password is valid in golang?
if () {good} else {bad}
answer php: https://onecompiler.com/php/3xqvgkhbr
answer go:
i never tried using AES on my site to store password but here's how i do it i'm using PDO prepared statement and bcrypt
$read_username = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1");
$read_username->execute([':username' => $username]);
if ($read_username->rowCount() > === 1) {
$row = $write_account->fetch(PDO::FETCH_ASSOC);
$read_username = null; // close connection we already got what we need
$pdo = null; // close connection we already got what we need
$stored_hash = $row['password']; // bind the hash stored on db as $stored_hash
if (password_verify($password, $stored_hash)) { // compare user input to $stored_hash
$_SESSION['username'] = $username . bin2hex(random_bytes(12));
header('location: index.php');
die("ACCESS GRANTED!");
} else {
array_push($errors, "Incorrect password!");
}
} else {
array_push($errors, "Account does not exist!");
}
also your if else concern is easy it goes like this
$hotdog = 123;
if ($hotdog == 123) {
echo "hotdog";
} else {
echo "not hotdog";
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.