Openfire stores encrypted passwords in a database using blowfish encryption.

http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java is the java implementation for how encrypt / decrypt functions work in openfire.


My goal is to create new user entries in the database via PHP and MySQLI. All of the variations I've tried have yielded results that don't match what already exists in the database. For example:


d3f499857b40ac45c41828ccaa5ee1f90b19ca4e0560d1e2dcf4a305f219a4a2342aa7364e9950db is one of the encrypted passwords. clear text, this is stackoverflow


echo mcrypt_cbc(MCRYPT_BLOWFISH, '1uY40SR771HkdDG', 'stackoverflow', MCRYPT_ENCRYPT, '12345678');
// result:  áë*sY¶nŸÉX_33ô

 $key = '1uY40SR771HkdDG';
 $pass = 'stackoverflow';
 $blocksize = mcrypt_get_block_size('blowfish', 'cbc'); // get block size
 $pkcs = $blocksize - (strlen($data) % $blocksize); // get pkcs5 pad length
 $data.= str_repeat(chr($pkcs), $pkcs); // append pkcs5 padding to the data

 // encrypt and encode
 $res = base64_encode(mcrypt_cbc(MCRYPT_BLOWFISH,$key, $pass, MCRYPT_ENCRYPT));
 echo $res;
 // result:  3WXKASjk35sI1+XJ7htOGw==


Any clever ideas, or any glaring problems? I simply want to implement Blowfish.encryptString() as referenced in the first link in this question.



Here's a class I made, it encrypts and decrypts properly.


Note, you need to save / [pre/app]end the IV in order to reproduce results.


Some test vectors for the java code would be nice.


 * Emulate OpenFire Blowfish Class
class OpenFireBlowfish
    private $key;
    private $cipher;

    function __construct($pass)
        $this->cipher = mcrypt_module_open('blowfish','','cbc','');
        $this->key = pack('H*',sha1($pass));

    function encryptString($plaintext, $iv = '')
        if ($iv == '') {
            $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($this->cipher));
        else {
            $iv = pack("H*", $iv);
        mcrypt_generic_init($this->cipher, $this->key, $iv);
        $bs = mcrypt_enc_get_block_size($this->cipher); // get block size
        $plaintext = mb_convert_encoding($plaintext,'UTF-16BE'); // set to 2 byte, network order
        $pkcs = $bs - (strlen($plaintext) % $bs); // get pkcs5 pad length
        $pkcs = str_repeat(chr($pkcs), $pkcs); // create padding string
        $plaintext = $plaintext.$pkcs; // append pkcs5 padding to the data
        $result = mcrypt_generic($this->cipher, $plaintext);
        return $iv.$result;

    function decryptString($ciphertext)
        $bs = mcrypt_enc_get_block_size($this->cipher); // get block size
        $iv_size = mcrypt_enc_get_iv_size($this->cipher);
        if ((strlen($ciphertext) % $bs) != 0) { // check string is proper size
            return false;
        $iv = substr($ciphertext, 0, $iv_size); // retrieve IV
        $ciphertext = substr($ciphertext, $iv_size);
        mcrypt_generic_init($this->cipher, $this->key, $iv);
        $result = mdecrypt_generic($this->cipher, $ciphertext); // decrypt
        $padding = ord(substr($result,-1)); // retrieve padding
        $result = substr($result,0,$padding * -1); // and remove it
        return $result;

    function __destruct()

$enckey = "1uY40SR771HkdDG";
$enciv = 'd3f499857b40ac45';
$javastring = 'd3f499857b40ac45c41828ccaa5ee1f90b19ca4e0560d1e2dcf4a305f219a4a2342aa7364e9950db';

$a = new OpenFireBlowfish($enckey);
$encstring = bin2hex($a->encryptString('stackoverflow',$enciv));
echo $encstring . "\n";
echo $a->decryptString(pack("H*", $encstring)) . "\n";

$b = new OpenFireBlowfish($enckey);
echo $b->decryptString(pack("H*", $javastring)) . "\n";

08-05 15:24