My problem context: Fedora 22 64bit on Linode KVM instance, CouchDB v.1.6.1, SBCL 1.2.16

CouchDB: I create a user with password "testpass". The corresponding created document in _users database contains (among other stuff):

{ ...
  "password_scheme": "pbkdf2",
  "iterations": 10,
  "name": "test",
  "roles": ["reader"],
  "type": "user",
  "derived_key": "7b0cad0d2762b448b88684332e68988e801195ad",
  "salt": "2e4bcf85f39279ab9d1e1336a00dce0e"
...}

So in my lisp repl on the same machine I do:

REPL>(in-package :ironclad)
REPL>(byte-array-to-hex-string 
         (pbkdf2-hash-password 
             (ascii-string-to-byte-array "testpass") 
             :salt (hex-string-to-byte-array "2e4bcf85f39279ab9d1e1336a00dce0e")
             :digest 'sha1 
             :iterations 10))

"ce55610fe10bc49703f0df95adb6c9c9c71e3f8e"
REPL>

So the output "ce55610fe10bc49703f0df95adb6c9c9c71e3f8e" from ironclad doesn't match "7b0cad0d2762b448b88684332e68988e801195ad" from couch.

I've tried all the supported digests in ironclad but with no luck. Does anyone have any ideas about what could be wrong?

Paralife

1 Answer

It's simple: CouchDB uses the salt "2e4bcf85f39279ab9d1e1336a00dce0e" as a binary string, while you turn it into an array of bytes with hex-string-to-byte-array. Unhexing it gives you a different salt. It's easy to check:

(node1@127.0.0.1)1> couch_passwords:pbkdf2(<<"testpass">>, <<"2e4bcf85f39279ab9d1e1336a00dce0e">>, 10).
<<"7b0cad0d2762b448b88684332e68988e801195ad">>
(node1@127.0.0.1)2> couch_passwords:pbkdf2(<<"testpass">>, <<50,101,52,98,99,102,56,53,102,51,57,50,55,57,97,98,57,100,49,101,49,51,51,54,97,48,48,100,99,101,48,101>>, 10).
<<"7b0cad0d2762b448b88684332e68988e801195ad">>
(node1@127.0.0.1)3> couch_passwords:pbkdf2(<<"testpass">>, <<46,75,207,133,243,146,121,171,157,30,19,54,160,13,206,14>>, 10).
<<"ce55610fe10bc49703f0df95adb6c9c9c71e3f8e">>
Jonathan Hall
Kxepal
  • Ironclad needs an array of unsigned-byte 8, so how am I supposed to feed it the salt? And even then, its output is again a byte array, which I need to somehow compare with couch's binary string derived_key. Any idea? – Paralife Oct 23 '15 at 01:42
  • How about taking the byte code for each character of the salt and building an unsigned 8-byte array from it? I updated the answer with an example. – Kxepal Oct 23 '15 at 08:33
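
The salt handling from the answer and the comparison asked about in the comments, as an added Python example (not part of the original posts, and not CouchDB's or Ironclad's own code). The document fields are the ones quoted in the question; the function names are hypothetical, and the 20-byte output length is assumed from the 40-hex-character derived_key.

```python
import hashlib
import hmac

# Constructed from the fields quoted in the question's _users document.
USER_DOC = {
    "password_scheme": "pbkdf2",
    "iterations": 10,
    "derived_key": "7b0cad0d2762b448b88684332e68988e801195ad",
    "salt": "2e4bcf85f39279ab9d1e1336a00dce0e",
}


def derive_key(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA1 with a 20-byte output, returned as lowercase hex."""
    raw = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 20)
    return raw.hex()


def couch_salt_bytes(doc: dict) -> bytes:
    """The salt as the answer shows CouchDB using it: the characters of the stored string."""
    return doc["salt"].encode("ascii")


def unhexed_salt_bytes(doc: dict) -> bytes:
    """The salt after hex decoding, which is what the question's REPL call passed."""
    return bytes.fromhex(doc["salt"])


def verify_password(doc: dict, candidate: str) -> bool:
    """Check a candidate password against a pbkdf2-scheme user document."""
    if doc.get("password_scheme") != "pbkdf2":
        raise ValueError("unsupported password_scheme")
    computed = derive_key(candidate, couch_salt_bytes(doc), doc["iterations"])
    # Compare hex text with hex text, in constant time.
    return hmac.compare_digest(computed, doc["derived_key"].lower())


if __name__ == "__main__":
    print("ascii salt  :", derive_key("testpass", couch_salt_bytes(USER_DOC), 10))
    print("unhexed salt:", derive_key("testpass", unhexed_salt_bytes(USER_DOC), 10))
    print("verify      :", verify_password(USER_DOC, "testpass"))
```

Hex-encoding the computed bytes and comparing against the stored derived_key string avoids decoding the stored value at all; the same approach applies in Lisp by hexing Ironclad's output before comparing.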