Integrate SMF in ASP .NET CMS

Started by Mrneo2002, August 26, 2005, 12:50:38 PM


Mrneo2002

I'm trying to integrate SMF into my CMS that is based on ASP .NET. I want to be able to log in to the forum on my CMS.

Does anyone know how to perform the validation on the password? I know I need an MD5-HMAC check, but I couldn't find an appropriate method to complete this check...

I've searched through the forum and found a few suggestions, but couldn't find the exact answer... any help would be appreciated!

Tony Reid

It's SHA, not MD5 - and you should be able to use the SSI.php files.

Or alternatively this may be of interest..... http://www.simplemachines.org/community/index.php?topic=16572.msg137516
Tony Reid

Mrneo2002

First, thanks for your reply. I read some topics in here and thought that (salted) MD5 was used, anyways...

Maybe I don't completely understand the concept of the SSI files, but I thought those were meant to be used in other PHP programs. So I think it is not possible to use this file from ASP .NET. What I would like to do is generate some C# (or other ASP .NET compatible language ;) ) code that logs a user onto the forum.

In the SSI file that functionality is available, only (I think) I cannot call these functions from ASP .NET...

[Unknown]

SMF 1.0 uses HMAC MD5.  SMF 1.1 uses SHA1.

Anyway, it can all be done with System.Cryptography and MySql.Data.

-[Unknown]

Mrneo2002

I'm currently using SMF 1, so I would need MD5.

I use .NET 1.1 and there's no System.Cryptography; there's a System.Security.Cryptography. However, there's no support for MD5 (SHA1 is supported, though).

I found this site:

hxxp:www.obviex.com/samples/hash.aspx [nonactive]

and via this way it is supposed to work.

String hash = Crypto.ComputeHash( stringPass, "MD5", Encoding.Default.GetBytes( username.ToLower().ToCharArray() ) );

return Crypto.VerifyHash( pass, "MD5", hash );


However this is not working, it looks like there's a kind of MD5 salted key generated, but maybe I used a wrong method to create the salted key... Does anyone know how to create this one for C#?

BTW I used different sorts of Encoding types, to verify that the Encoding type was not the problem...

[Unknown]

System.Security.Cryptography.MD5
Supported in: 2.0, 1.1, 1.0

Why can't that be used?  It's a bit complicated, but...

Well, anyway, you basically want this:

private string md5_hmac(string data_str, string key_str)
{
    System.Security.Cryptography.MD5 md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();

    byte[] data = System.Text.Encoding.ASCII.GetBytes(data_str);
    byte[] key = System.Text.Encoding.ASCII.GetBytes(key_str);

    if (key.Length > 64) // keys longer than the 64-byte MD5 block are hashed first
        key = md5.ComputeHash(key);
    if (key.Length < 64)
    {
        byte[] temp_key = new byte[64]; // zero-pad the key to the block size
        key.CopyTo(temp_key, 0);
        key = temp_key;
    }

    byte[] outer = new byte[64 + 16]; // (key ^ 0x5c) followed by the 16-byte inner digest
    byte[] inner = new byte[64 + data.Length]; // (key ^ 0x36) followed by the data

    for (int i = 0; i < 64; i++)
    {
        outer[i] = (byte) (key[i] ^ 0x5c);
        inner[i] = (byte) (key[i] ^ 0x36);
    }

    data.CopyTo(inner, 64);
    inner = md5.ComputeHash(inner);

    inner.CopyTo(outer, 64);
    outer = md5.ComputeHash(outer);

    System.Text.StringBuilder output = new System.Text.StringBuilder(); // lowercase hex
    for (int i = 0; i < outer.Length; i++)
        output.Append(string.Format("{0:x2}", outer[i]));
    return output.ToString();
}

(boy do I hate C#'s arrays... that's 36 lines for 4, maybe 10 in PHP.)

That's a pretty simple translation of the PHP code.  You'll want to call it like SMF does:

string CorrectHash = md5_hmac(ClearTextPassword, Username.ToLower());

Or similar.  I haven't tested the above function, so you may want to test it on a hash you know should work, and report back if it doesn't work.

-[Unknown]
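Added example, not part of the original thread and not SMF's or any poster's code: one way to follow the advice above to test on a hash you know should work, then compare a computed hash against a stored one without leaking the mismatch position through timing. It assumes a framework version that ships System.Security.Cryptography.HMACMD5; the class and method names (Smf10Password, HmacMd5Hex, ComputeHash, FixedTimeEquals, Verify) and the sample account are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class Smf10Password
{
    // HMAC-MD5 of data under key as lowercase hex, via the framework's HMACMD5 class.
    public static string HmacMd5Hex(string data, string key)
    {
        using (HMACMD5 hmac = new HMACMD5(Encoding.ASCII.GetBytes(key)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(data));
            StringBuilder hex = new StringBuilder(mac.Length * 2);
            foreach (byte b in mac) hex.Append(b.ToString("x2"));
            return hex.ToString();
        }
    }

    // Call shape given in the thread for SMF 1.0: data = password, key = lowercased user name.
    public static string ComputeHash(string password, string username)
    {
        return HmacMd5Hex(password, username.ToLower());
    }

    // Compares every character so the time taken does not reveal where two hashes diverge.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool Verify(string password, string username, string storedHash)
    {
        return storedHash != null && FixedTimeEquals(ComputeHash(password, username), storedHash.ToLower());
    }

    public static void Main()
    {
        // RFC 2202 test case 2 for HMAC-MD5: a known answer to check the construction against.
        string known = HmacMd5Hex("what do ya want for nothing?", "Jefe");
        Console.WriteLine(known == "750c783e6ab0b503eaa86e310a5db738" ? "RFC 2202 vector: OK" : "MISMATCH");

        // Constructed sample account, not taken from any real forum database.
        string stored = ComputeHash("correct horse", "Alice");
        Console.WriteLine(Verify("correct horse", "ALICE", stored)); // user name case is ignored
        Console.WriteLine(Verify("wrong guess", "Alice", stored));
    }
}
```

Feeding the same RFC 2202 inputs to a hand-written HMAC routine and comparing against this output is a quick way to confirm the two constructions agree.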

Mrneo2002

Thanks a million!!

There were only two Convert.ToByte()'s necessary in the for loop. But it works perfectly now!! Again, many thanks, been looking for this for a while now!

[Unknown]

Thanks, I fixed my above code (by just adding a cast.)

-[Unknown]

Mrneo2002

Actually that won't do, because "Cannot implicitly convert type 'int' to 'byte'". This will do though:


outer[i] = Convert.ToByte ( key[i] ^ 0x5c );
inner[i] = Convert.ToByte ( key[i] ^ 0x36 );

[Unknown]

Actually, it should work - see:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csref/html/vclrfbyte_pg.asp

But, the problem was that I assumed that x ^ y could be implicitly cast to a byte if x and y were bytes (since it's just a bit mask and *CANNOT* generate anything above 255 unless x or y is above 255.)  This isn't true, however, so it has to be cast back to a byte... my mistake.

Anyway, for the difference between casts and converts, a Google search found this pretty immediately:
http://www.codypowell.com/vlog/archives/000387.html

What he doesn't seem to understand is that casts can be optimized by the compiler, whereas converts are less likely to be.  In any case, casts are better if they can be used, otherwise you want a convert which is the slow but works-more-of-the-time way.

-[Unknown]

Kris

Any link to your .NET integrated forum?
Bridge to share?

Mrneo2002

It's not yet online, still beta-version....

When I have it online, I'll put up a link in here!

Kris

Quote from: Mrneo2002 on September 01, 2005, 04:13:15 AM
It's not yet online, still beta-version....

When I have it online, I'll put up a link in here!

Okay!
Your CMS is open source too or custom built?

Mrneo2002

Quote from: Kris on September 01, 2005, 11:39:16 AM
Quote from: Mrneo2002 on September 01, 2005, 04:13:15 AM
It's not yet online, still beta-version....

When I have it online, I'll put up a link in here!

Okay!
Your CMS is open source too or custom built?

No it's not open source, custom built... It's for my club.

I don't think people would need it, since there are a lot of CMS. It was more like an exercise for me with a few interesting Reflection parts.  If someone would be interested I could make it (partly) open-source -> but that would require some serious clean-up... well it does anyway ;)
