如何使用PHP为Dovecot生成salted SHA

如何使用PHP为Dovecot生成salted SHA-512密码哈希(How to generate a salted SHA-512 password hash for Dovecot with PHP)

我正在使用PHP为Dovecot创建一个工作盐渍SHA-512哈希卡住了。 当创建一个非盐渍十六进制格式哈希everthing工作正常。 在hash中添加一个salt，我无法用“doveadm pw”验证哈希值。

这是我的代码：

$password = 'test'; $salt = '2fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19'; // Create non-salted hashes $hash_hex = "{SHA512.hex}" . hash('sha512', $password); $hash_b64 = "{SHA512.b64}" . base64_encode(hash('sha512', $password)); // Create salted hashes $salted_hash_hex= "{SSHA512.hex}" . hash('sha512', $password . $salt) . $salt; $salted_hash_b64= "{SSHA512.b64}" . base64_encode(hash('sha512', $password . $salt) . $salt); // Output var_dump($hash_hex); var_dump($hash_b64); var_dump($salted_hash_hex); var_dump($salted_hash_b64);

var_dumps（）的输出如下：

string '{SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff' (length=140) string '{SHA512.b64}ZWUyNmIwZGQ0YWY3ZTc0OWFhMWE4ZWUzYzEwYWU5OTIzZjYxODk4MDc3MmU0NzNmODgxOWE1ZDQ5NDBlMGRiMjdhYzE4NWY4YTBlMWQ1Zjg0Zjg4YmM4ODdmZDY3YjE0MzczMmMzMDRjYzVmYTlhZDhlNmY1N2Y1MDAyOGE4ZmY=' (length=184) string '{SSHA512.hex}4a1e8a61780f449ef6cbc883b5cf57279d32fd004cb7298ddb6f8c46bf246187c03f1bf9447044708767a826e65f977e5c95a490abf8f2c3ca90c7a0ea2b89e82fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19' (length=205) string '{SSHA512.b64}NGExZThhNjE3ODBmNDQ5ZWY2Y2JjODgzYjVjZjU3Mjc5ZDMyZmQwMDRjYjcyOThkZGI2ZjhjNDZiZjI0NjE4N2MwM2YxYmY5NDQ3MDQ0NzA4NzY3YTgyNmU2NWY5NzdlNWM5NWE0OTBhYmY4ZjJjM2NhOTBjN2EwZWEyYjg5ZTgyZmVjMWVlMDk0MGU3YzQzNmVmMjAzN2U4OWU0YzA2Y2EyMGIyODFhOTBkYmIyZDZjYmQzNTM0YWE0Y2U3ZTE5' (length=269)

现在，当我尝试验证针对doveadm的哈希值时，只有第一个哈希值（以十六进制格式表示的非salted）工作。 第二个给出了关于字符串长度的错误（输入长度​​无效（128而不是64））。 第三个和第四个告诉密码不匹配：

root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff -p test {SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff (verified) root@jupiter[0][0]:/etc/dovecot# dovecot pw -t {SHA512.b64}ZWUyNmIwZGQ0YWY3ZTc0OWFhMWE4ZWUzYzEwYWU5OTIzZjYxODk4MDc3MmU0NzNmODgxOWE1ZDQ5NDBlMGRiMjdhYzE4NWY4YTBlMWQ1Zjg0Zjg4YmM4ODdmZDY3YjE0MzczMmMzMDRjYzVmYTlhZDhlNmY1N2Y1MDAyOGE4ZmY= -p test doveadm(root): Fatal: reverse decode check failed: Input length isn't valid (128 instead of 64) root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SSHA512.hex}4a1e8a61780f449ef6cbc883b5cf57279d32fd004cb7298ddb6f8c46bf246187c03f1bf9447044708767a826e65f977e5c95a490abf8f2c3ca90c7a0ea2b89e82fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19 -p test doveadm(root): Fatal: reverse password verification check failed: Password mismatch root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SSHA512.b64}NGExZThhNjE3ODBmNDQ5ZWY2Y2JjODgzYjVjZjU3Mjc5ZDMyZmQwMDRjYjcyOThkZGI2ZjhjNDZiZjI0NjE4N2MwM2YxYmY5NDQ3MDQ0NzA4NzY3YTgyNmU2NWY5NzdlNWM5NWE0OTBhYmY4ZjJjM2NhOTBjN2EwZWEyYjg5ZTgyZmVjMWVlMDk0MGU3YzQzNmVmMjAzN2U4OWU0YzA2Y2EyMGIyODFhOTBkYmIyZDZjYmQzNTM0YWE0Y2U3ZTE5 -p test doveadm(root): Fatal: reverse password verification check failed: Password mismatch

我试着通过阅读几个页面来了解它是如何工作的

http://wiki2.dovecot.org/Authentication/PasswordSchemes http://www.tunnelsup.com/using-salted-sha-hashes-with-dovecot-authentication 如何在PHP中安全地生成SSHA256或SSHA512哈希？

并认为我做得对。 但是：不，不;-)

请问有人能指出我的错误吗？

非常感谢你！

I am getting stuck by creating a working salted SHA-512 hash for Dovecot using PHP. When create a non-salted hex-formated hash everthing works fine. add a salt to the hash, I am not able to verify the hash with "doveadm pw" anymore.

Here's my code:

$password = 'test'; $salt = '2fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19'; // Create non-salted hashes $hash_hex = "{SHA512.hex}" . hash('sha512', $password); $hash_b64 = "{SHA512.b64}" . base64_encode(hash('sha512', $password)); // Create salted hashes $salted_hash_hex= "{SSHA512.hex}" . hash('sha512', $password . $salt) . $salt; $salted_hash_b64= "{SSHA512.b64}" . base64_encode(hash('sha512', $password . $salt) . $salt); // Output var_dump($hash_hex); var_dump($hash_b64); var_dump($salted_hash_hex); var_dump($salted_hash_b64);

The output of the var_dumps() are as follows:

string '{SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff' (length=140) string '{SHA512.b64}ZWUyNmIwZGQ0YWY3ZTc0OWFhMWE4ZWUzYzEwYWU5OTIzZjYxODk4MDc3MmU0NzNmODgxOWE1ZDQ5NDBlMGRiMjdhYzE4NWY4YTBlMWQ1Zjg0Zjg4YmM4ODdmZDY3YjE0MzczMmMzMDRjYzVmYTlhZDhlNmY1N2Y1MDAyOGE4ZmY=' (length=184) string '{SSHA512.hex}4a1e8a61780f449ef6cbc883b5cf57279d32fd004cb7298ddb6f8c46bf246187c03f1bf9447044708767a826e65f977e5c95a490abf8f2c3ca90c7a0ea2b89e82fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19' (length=205) string '{SSHA512.b64}NGExZThhNjE3ODBmNDQ5ZWY2Y2JjODgzYjVjZjU3Mjc5ZDMyZmQwMDRjYjcyOThkZGI2ZjhjNDZiZjI0NjE4N2MwM2YxYmY5NDQ3MDQ0NzA4NzY3YTgyNmU2NWY5NzdlNWM5NWE0OTBhYmY4ZjJjM2NhOTBjN2EwZWEyYjg5ZTgyZmVjMWVlMDk0MGU3YzQzNmVmMjAzN2U4OWU0YzA2Y2EyMGIyODFhOTBkYmIyZDZjYmQzNTM0YWE0Y2U3ZTE5' (length=269)

Now when I try to verify the hashes against doveadm, only the first hash (non-salted in hex-format) works. The second one gives me an error regarding the length of the string (Input length isn't valid (128 instead of 64)). The third and fourth tells that the password isn't matching:

root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff -p test {SHA512.hex}ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff (verified) root@jupiter[0][0]:/etc/dovecot# dovecot pw -t {SHA512.b64}ZWUyNmIwZGQ0YWY3ZTc0OWFhMWE4ZWUzYzEwYWU5OTIzZjYxODk4MDc3MmU0NzNmODgxOWE1ZDQ5NDBlMGRiMjdhYzE4NWY4YTBlMWQ1Zjg0Zjg4YmM4ODdmZDY3YjE0MzczMmMzMDRjYzVmYTlhZDhlNmY1N2Y1MDAyOGE4ZmY= -p test doveadm(root): Fatal: reverse decode check failed: Input length isn't valid (128 instead of 64) root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SSHA512.hex}4a1e8a61780f449ef6cbc883b5cf57279d32fd004cb7298ddb6f8c46bf246187c03f1bf9447044708767a826e65f977e5c95a490abf8f2c3ca90c7a0ea2b89e82fec1ee0940e7c436ef2037e89e4c06ca20b281a90dbb2d6cbd3534aa4ce7e19 -p test doveadm(root): Fatal: reverse password verification check failed: Password mismatch root@jupiter[0][75]:/etc/dovecot# dovecot pw -t {SSHA512.b64}NGExZThhNjE3ODBmNDQ5ZWY2Y2JjODgzYjVjZjU3Mjc5ZDMyZmQwMDRjYjcyOThkZGI2ZjhjNDZiZjI0NjE4N2MwM2YxYmY5NDQ3MDQ0NzA4NzY3YTgyNmU2NWY5NzdlNWM5NWE0OTBhYmY4ZjJjM2NhOTBjN2EwZWEyYjg5ZTgyZmVjMWVlMDk0MGU3YzQzNmVmMjAzN2U4OWU0YzA2Y2EyMGIyODFhOTBkYmIyZDZjYmQzNTM0YWE0Y2U3ZTE5 -p test doveadm(root): Fatal: reverse password verification check failed: Password mismatch

I tried to find out how that works by reading several pages like

http://wiki2.dovecot.org/Authentication/PasswordSchemes http://www.tunnelsup.com/using-salted-sha-hashes-with-dovecot-authentication How to securely generate SSHA256 or SSHA512 hashes in PHP?

and thought that I am doing it right. But: No no ;-)

Can anyone pinpoint me to my mistake, please?

Thank you very much!

最满意答案

hash('sha512', $password, true)

因为你是base64编码

hash('sha512', $password, true)

Since you are base64 encoding