-
Notifications
You must be signed in to change notification settings - Fork 4
/
password_converter_mod.txt
128 lines (105 loc) · 4.09 KB
/
password_converter_mod.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
##
##
## Mod title: Password converter
##
## Mod version: 1.1
## Works on FluxBB: 1.4.7, 1.4.6, 1.4.5, 1.4.4, 1.4.3, 1.4.2, 1.4.1, 1.4, 1.4-rc3
## Release date: 2010-07-21
## Author: Daris (daris91+fluxbb@gmail.com)
##
## Description: Converts user password to FluxBB style on first login after database conversion.
##
## Affected files: login.php
##
## Affects DB: No
##
## DISCLAIMER: Please note that "mods" are not officially supported by
## FluxBB. Installation of this modification is done at
## your own risk. Backup your forum database and any and
## all applicable files before proceeding.
##
## Changelog: 1.1 - Added support for later SMF 2 password hashing (@olimortimer)
##
#
#-------------[ 2. OPEN ]----------------
#
login.php
#
#-------------[ 3. FIND ]----
#
if (!empty($cur_user['salt']))
{
if (sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
{
$authorized = true;
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
}
}
#
#-------------[ 4. REPLACE WITH ]----------------
#
if (!empty($cur_user['salt']))
{
if (md5(md5($form_password).$cur_user['salt']) == $cur_user['password'] || // vBulletin password
strlen($cur_user['salt']) == 4 && sha1(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // SMF 2 password
strlen($cur_user['salt']) == 4 && sha1(strtolower($form_username).$form_password) == $cur_user['password'] || // Later SMF 2 password
strlen($cur_user['salt']) == 8 && md5(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // MyBB password
strlen($cur_user['password']) == 32 && md5(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // IPB password
sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
{
$authorized = true;
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
}
}
elseif (!isset($cur_user['salt']) || empty($cur_user['salt']) && phpBB3_password_check($form_password, $cur_user['password']))
{
$authorized = true;
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
}
#
#-------------[ 4. ADD AT END OF FILE ]----------------
#
// Special encryption used by phpBB3.
function phpBB3_password_check($password, $hash)
{
if (strlen($hash) != 34) return false;
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
function hash_and_encode($input, $count, &$itoa64)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $itoa64[$value & 0x3f];
if ($i < $count) $value |= ord($input[$i]) << 8;
$output .= $itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count) break;
if ($i < $count) $value |= ord($input[$i]) << 16;
$output .= $itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count) break;
$output .= $itoa64[($value >> 18) & 0x3f];
}
while ($i < $count);
return $output;
}
function hash_and_crypt($password, $setting, &$itoa64)
{
$output = '*';
// Check for correct hash
if (substr($setting, 0, 3) != '$H$') return $output;
$count_log2 = strpos($itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30) return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8) return $output;
$hash = pack('H*', md5($salt . $password));
do {
$hash = pack('H*', md5($hash . $password));
}
while (--$count);
$output = substr($setting, 0, 12);
$output .= hash_and_encode($hash, 16, $itoa64);
return $output;
}
return (hash_and_crypt($password, $hash, $itoa64) === $hash) ? true : false;
}