
I must migrate my backend from PHP to Node. We used PHP crypt (with the default random salt) to hash the passwords. For instance, for the password 'd1692fab28b8a56527ae329b3d121c52', I have the following crypted pw in my base (depending on whether I used md5 or sha512, as the $i$ specifies):

```
$1$7JxJYjJK$oFtCGyVvflspPtxB7YrWP.
$6$CVx6KL5l$wzk3YXlqUaz42Kb9r2lmEJhx/FBUXPRoLWN.20/XMBbgQrhp3vSHkEDF3bJEtpM3M96VZ.AMKatLGSKYZZKNH/
```

And in PHP I can verify them with crypt:

```php
echo crypt('d1692fab28b8a56527ae329b3d121c52', '$1$7JxJYjJK$oFtCGyVvflspPtxB7YrWP.');
echo "\n";
echo crypt('d1692fab28b8a56527ae329b3d121c52', '$6$CVx6KL5l$wzk3YXlqUaz42Kb9r2lmEJhx/FBUXPRoLWN.20/XMBbgQrhp3vSHkEDF3bJEtpM3M96VZ.AMKatLGSKYZZKNH/');
echo "\n";
```

Which returns the correct crypted pw.

I did not manage to obtain such results with any Node function. I tried stuff like:

```javascript
require("crypto").createHmac("md5", "7JxJYjJK").update("d1692fab28b8a56527ae329b3d121c52").digest("base64");
```

And many others, but without any success. Can someone please help me to do this? I absolutely need the MD5 version ($1$); the sha512 would be somewhat nice (I know it's horrifying, but it's the md5 version that was used on the prod server, and the sha512 that was used on the test server...).

Sebastien
  • http://stackoverflow.com/questions/13537259/verify-a-hash-generated-with-php-crypt-in-nodejs was from 10 months ago, but you could try bcrypt instead? https://npmjs.org/package/bcrypt – zamnuts Oct 16 '13 at 14:35
  • Please read the question, I already have a user base filled with php-crypted passwords on a production server, I need to be able to verify it in node. (and btw I already use bcrypt in Node for NEW clients that register ; that doesn't solve my initial problem at all though) – Sebastien Oct 17 '13 at 08:37
  • I did read the question and understand: your password is `d1692fab28b8a56527ae329b3d121c52`, the algo is `1` or `6` and the salt is `7JxJYjJK` and `CVx6KL5l` respectively. Verifying requires regenerating the hash based on the key with a specific algorithm implementation, of which the latter is not aligned with that of PHP (according to the SO post), however bcrypt is said to possibly match but I can't get gyp to build it on my win machine and couldn't test~ – zamnuts Oct 17 '13 at 09:22
  • No, bcrypt uses one specific algorithm (the $5y$ one I think). If your PHP happens to use this one, bcrypt will indeed match. But not in any other case. – Sebastien Oct 21 '13 at 16:21

1 Answer

I just converted the original crypt_md5() (as used in PHP) to JavaScript for one of my projects. You can find it here:

https://github.com/BlaM/cryptMD5-for-javascript

(Supports only $1$, but that's at least a part of what you are looking for.)

BlaM