Welcome to the Second Life Forums Archive

These forums are CLOSED. Please visit the new forums HERE

MD5 hashing LSL vs PHP5

Lafiel Takaaki
Registered User
Join date: 2 Oct 2007
Posts: 29
11-28-2007 21:10
For some reason, i fail to verify a transmission with help of MD5 hash. I'm not really sure, if its an issue with PHP5s MD5 function, or something else wrong...

Code in SL looks like
CODE


integer MD5_NONCE = 1234567890;

string DataString = "var1=data1&var2=data2";
http_id = llHTTPRequest(SERVER_URL+"/index.php?hash="+llMD5String(DataString, MD5_NONCE),
[HTTP_METHOD, "POST",HTTP_MIMETYPE, "application/x-www-form-urlencoded"],
dataString);
llOwnerSay("Datastring: "+clickStats_DataString);


and on PHP side (using PHP 5.2.5):

CODE

define("MD5_NONCE",1234567890);

function verifyIncomingData($dataArray, $hash) {
$datastring = "";

$i = 0;
foreach($dataArray as $key => $value) {
if($i>0)
$datastring .= "&";

$datastring .= "{$key}={$value}";
$i++;
}

$myhash = md5($datastring.":".MD5_NONCE);
Echo "Debug: Calculated MD5 = {$myhash}; Orginal hash: {$hash}\n";
Echo "Debug: String: {$datastring} | Nonce: ".MD5_NONCE."\n";

if($myhash==$hash) {
return true;
} else {
return false;
}
}

if(verifyIncomingData($_POST, $_GET["hash"])) {
Echo "Successful.";
}


From what the debut output, both strings looks exactly same and both using same nonce value. Also the order is same and i can't see any spaces or anything else after the strings.

I have a guess, but i'm not sure if that can be the cause. As we know, LSL uses UTF-8. Could this be a problem?

Any clues?

P.S. I remember that there was a similar thread, with an example how to encode it, but after 2 hours of searching i couldn't find it. But i'm pretty sure, i implemented it, pretty much like that one example. Just dont get two equal hashes.
Osgeld Barmy
Registered User
Join date: 22 Mar 2005
Posts: 3,336
11-28-2007 21:58
im no php expert, but ive always had to trim strings coming out SL, i know you said it looks like theres no trailing stuff but it never looked that way to me either
Emma Nowhere
Registered User
Join date: 15 Aug 2006
Posts: 29
11-29-2007 05:04
Never had a problem with this as long as i remember the nonce suffix. Try comparing string length and seeing if that's an issue. The utf-8 should not be the source of the problem. I'd have thought your nonce value might be too large but you said the two hashs appear identical.
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
11-29-2007 05:09
The problem :( is llMD5String("mystring", 2) gives you an MD5 hash for "mystring:2"

But Strife Onizuka, in his or her awesome magnificence, has recently written an epic MD5 function!

http://wiki.secondlife.com/wiki/MD5
Lafiel Takaaki
Registered User
Join date: 2 Oct 2007
Posts: 29
11-29-2007 12:00
From: Day Oh
The problem :( is llMD5String("mystring", 2) gives you an MD5 hash for "mystring:2"

well, that's what the PHP5 Script does too with

$myhash = md5($datastring.":".MD5_NONCE);
Tyken Hightower
Automagical
Join date: 15 Feb 2006
Posts: 472
11-29-2007 12:16
From: Day Oh
The problem :( is llMD5String("mystring", 2) gives you an MD5 hash for "mystring:2"

But Strife Onizuka, in his or her awesome magnificence, has recently written an epic MD5 function!

http://wiki.secondlife.com/wiki/MD5

The LL function will always be faster. If you don't like the way it salts your input, then salt it yourself. Combine in an integer or a secret key by using string functions to insert it in whatever way you like.
_____________________
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
11-29-2007 12:16
Oh... :| Sorry about that, I didn't even look

(tests)

llOwnerSay(llMD5String("var1=data1&var2=data2", 1234567890));
llOwnerSay(UTF8_MD5("var1=data1&var2=data2:1234567890";));

<?php print(md5("var1=data1&var2=data2:1234567890";)); ?>

all give me
418140897151118e5fa8901a44d536f8
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
11-29-2007 22:46
And guess what? It even runs properly in LSLEditor (it only required getting a few bugs fixed in LSLEditor).

I will work on optimizing it more but no promises.

I will not be porting MD4 or MD5 collision attacks. Be weary how you use MD5.
http://hashkiller.com/crack/

Hashing functions I have written implementations for:
http://wiki.secondlife.com/wiki/MD4
http://wiki.secondlife.com/wiki/MD5
http://wiki.secondlife.com/wiki/SHA1
http://wiki.secondlife.com/wiki/SHA2 - 224 & 256
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
12-01-2007 21:23
Any luck? If not, can we see the debug output? I'm not quite learned, but it seems strange that you're referencing both $_POST and $_GET, and I thought they were both arrays