Hashing with salt in base64 returns a wrong result

Godot Version

4.2.1

Question

Hello! I am trying to write client hashing for a password, and I need it to return the same results as the server I am trying to connect to.

Here’s the server hashing code written in Python:

import hashlib,codecs,hmac

password = "password"

pepper = "salt"

m = hashlib.sha256()
m.update(bytes(password,'UTF-8'))
hx = m.hexdigest()

PASS = codecs.encode(codecs.decode(hx, 'hex'), 'base64').decode()[:-1]

hx = hmac.new(bytes(pepper,'UTF-8'),msg=bytes(password,'UTF-8'), digestmod = hashlib.sha256).hexdigest()

HASH = codecs.encode(codecs.decode(hx, 'hex'), 'base64').decode()[:-1]

print("PASS:",PASS)
print("HASH:",HASH)

It returns:

PASS: XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=
HASH: hOxEx9b8QZF5U6Ha/KPH14Vvep0DKLmRt28NNr4SJLk=

My code in GDScript:

var hashed = ("password").sha256_buffer()
hashed = Marshalls.raw_to_base64(hashed)
print(hashed)
var salt = ("salt").sha256_text()
hashed = (hashed + salt).sha256_buffer()
print(Marshalls.raw_to_base64(hashed))

It returns:

XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=
h1Oo4kcvU0CtEfKjB3t5rSyjW/wpCA2XkYDfFbq1uEM=

It appears I am adding salt wrong, but I have tried different ways and failed. Can someone explain what I’m doing wrong?

At a guess, the stuff you are hashing is probably different before you even start. Compare the Python bytes(password, utf8) bit to the GDScript ("password"), both in bytes, to make sure they match. If they do, rinse and repeat for every step and find out where the mismatch is, then maybe we can tell you why the mismatch is happening.

I should have mentioned that the first hash (without salting) matches perfectly. The issue comes with salting it.

I am not familiar with Python, but I believe that common practice is to add the salt to the password before and then hash both together. But here you are hashing the password then re-hashing with the salt, no? Maybe try combining the password and the salt, then hash?

No HMAC on the GDScript side.

I see, here it's a mere concatenation of the two sha256.

But still, attempting to unhash two concatenated sha256 would surely run into issues, no?

Do you mean combining the strings like that?

var password = "password"
var salt = "salt"
var hashed = (password + salt).sha256_buffer()
print(Marshalls.raw_to_base64(hashed))

I have tried that and that

var password = "password".sha256_text()
var salt = "salt".sha256_text()
var hashed = (password + salt).sha256_buffer()
print(Marshalls.raw_to_base64(hashed))

Swapped password and salt in every case as well.

Also tried this

var ctx = HMACContext.new()

var salt = "salt".to_utf8_buffer()
ctx.start(HashingContext.HASH_SHA256, salt)
var password = "password".to_utf8_buffer()
ctx.update(password)

print(Marshalls.raw_to_base64(password))

hash: cGFzc3dvcmQ=

It’s too short.

I have found the solution. For people’s usage: HMAC-SHA256 in GDscript

Open their file and scroll down to the last 2 functions.
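
An added example, not part of the thread or of the linked project: HMAC-SHA256 assembled from the plain SHA-256 primitive, reproducing the server's HASH value, next to the plain-concatenation variants tried above. The function names are assumptions of this example; the inputs are the thread's own "password" and "salt".

```python
import base64
import hashlib
import hmac

BLOCK = 64  # SHA-256 input block size in bytes


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 (RFC 2104) built from nothing but plain SHA-256."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()  # over-long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")         # then zero-padded to one block
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()


def server_hash(password: str, pepper: str) -> str:
    """Value of the server's HASH line: base64(HMAC-SHA256(key=pepper, msg=password))."""
    return b64(hmac_sha256(pepper.encode("utf-8"), password.encode("utf-8")))


def concat_attempts(password: str, salt: str) -> dict:
    """Plain-concatenation variants from the thread; none of them is an HMAC."""
    def sha(text: str):
        return hashlib.sha256(text.encode("utf-8"))
    return {
        "sha256(password + salt)": b64(sha(password + salt).digest()),
        "sha256(salt + password)": b64(sha(salt + password).digest()),
        "sha256(hex(pw) + hex(salt))": b64(
            sha(sha(password).hexdigest() + sha(salt).hexdigest()).digest()),
        "sha256(b64(pw) + hex(salt))": b64(
            sha(b64(sha(password).digest()) + sha(salt).hexdigest()).digest()),
    }


if __name__ == "__main__":
    target = server_hash("password", "salt")
    reference = hmac.new(b"salt", b"password", hashlib.sha256).digest()
    print("HASH:", target, "| matches stdlib hmac:",
          hmac.compare_digest(b64(reference), target))
    for label, value in concat_attempts("password", "salt").items():
        print(f"{label:30} {value}  match={value == target}")
```

In the HMACContext attempt, the printed value is the Base64 of the password bytes themselves; the MAC is the PackedByteArray returned by `ctx.finish()`.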
