Password Hash

Started by lotok, January 13, 2006, 05:42:08 PM


lotok

I run a website that shares the database with forums, saves users having two UserIDs etc.

I did a forum upgrade and the password hash seems to have changed. Currently using 1.1 RC2 now.

I use the same password hash as the forum on my login page so the user just needs to log in once. Before my upgrade the hash script was

function md5_hmac($data, $key)
{
   $key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
   return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $data)));
}

Now, however, this does not work. Is anyone able to tell me what it's changed to so I may update the website login page?

thanks in advance

regards

Lotok

laser

I think SMF now uses MD1.

lotok

Is there a similar function to the one above I can use? I'm still learning PHP at present to develop this site. Don't know much about hashes :(

Grudge

lotok,

May I suggest you search for smf_api.php, to find the version for SMF 1.1 RC2 (It's attached to a post here somewhere). That has some handy functions for verifying passwords without you needing to add the code in yourself.
I'm only a half geek really...

laser

Oops, I should have said SHA-1.

I'm only a PHP newb as well, but this http://www.simplemachines.org/community/index.php?topic=63846.msg441362 and Google might help

Thantos

Quote from: laser - January 13, 2006, 05:43:41 PM
I think SMF now uses MD1.
I think you mean sha1()

The password is stored using sha1() on the lowercase member name (not display name) appended with the password. To pull a line of code out:
sha1(strtolower($user_settings['memberName']) . $_REQUEST['passwrd']);

lotok

Hmm, I'm still pretty confused to be honest :(

Would anyone be able to help out a bit? I know I'm asking a lot but I really just don't understand the hash thing. Too much of a PHP noob I suppose.

In my old page I needed to have


$hash = md5_hmac($pass, strtolower($user));


declared at top.

Then in the MySQL query I just had

$query  =  mysql_query ("SELECT COUNT(*) AS numfound FROM smf_members WHERE memberName='$user' AND passwd='$hash'");

and finally at bottom I had


function md5_hmac($data, $key)
{
$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $data)));
}



Now it seems way more complex. Sorry to be a pain but would someone be kind enough to help me out and explain a bit what I need to do? I searched the other threads but am no better off.

Thantos

replace
$hash = md5_hmac($pass, strtolower($user));
with
$hash = sha1(strtolower($user).$pass);

lotok

I have tried, it won't work because the code $hash = md5_hmac($pass, strtolower($user));
only works because of this function




function md5_hmac($data, $key)
{
$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $data)));
}


For it to work I would need to replace that function with one that works for sha1.

Also, wouldn't the password salt need to be considered?

lotok

I tried it, I even used smf_api.php as an include in case the function is declared in there

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/stutter/public_html/TDL/user_login.php on line 10

Basically saying I'm not returning anything :(

Here is script code, works with old hash (1.0.5 forum), changed for new one and included the smf_api as shown.



<?php
include('config.php');
include('../TDLforum/smf_api.php');

$user = $_POST['memberName'];
$pass = $_POST['passwd'];
$hash = sha1(strtolower($user).$pass);

$query  =  mysql_query('SELECT COUNT (*) AS numfound FROM smf_members WHERE memberName=$user AND passwd=$hash');
$result = mysql_fetch_array($query);
if ($result['numfound'] < 1) // Login failed
{
unset($_SESSION['user1']);
$_SESSION['user1'] = $user;
header('location:login.php');
exit;
}
else
{

$_SESSION['user'] = $user;
$_SESSION['loggedin'] = "1";
header('location:index.php');
}
?>
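
The login check this thread is working toward, as an added example that is not part of any post and not SMF's own code: it hashes with the scheme Thantos gives, falls back to the first post's HMAC-MD5 for rows that still hold a 32-character hash (an assumption about rows not yet re-hashed), and uses a bound parameter in place of the interpolated query. The function names, the PDO/SQLite stand-in for the MySQL database and the sample members are assumptions made for the demo.

```php
<?php
// Added example, not SMF's code. smf_members/memberName/passwd come from the
// thread; the in-memory SQLite database and both members are constructed.

// Old scheme from the first post: HMAC-MD5 keyed with the lowercase name.
// hash_hmac('md5', ...) computes the same value as the hand-written md5_hmac().
function legacy_hash(string $user, string $pass): string
{
    return hash_hmac('md5', $pass, strtolower($user));
}

// Scheme Thantos describes: sha1(lowercase member name . password).
function smf11_hash(string $user, string $pass): string
{
    return sha1(strtolower($user) . $pass);
}

function check_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT memberName, passwd FROM smf_members WHERE memberName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown member
    }
    // Assumption: 40 hex chars = SHA-1 row, anything else = old md5_hmac row.
    $expected = strlen($row['passwd']) === 40
        ? smf11_hash($row['memberName'], $pass)
        : legacy_hash($row['memberName'], $pass);
    // Compare in PHP with a constant-time check instead of inside the query.
    return hash_equals($row['passwd'], $expected);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE smf_members (memberName TEXT, passwd TEXT)');
$ins = $db->prepare('INSERT INTO smf_members VALUES (?, ?)');
$ins->execute(['Alice', smf11_hash('Alice', 'correct horse')]); // constructed, new hash
$ins->execute(['Bob', legacy_hash('Bob', 'hunter2')]);          // constructed, old hash

var_dump(check_login($db, 'Alice', 'correct horse')); // SHA-1 row, right password
var_dump(check_login($db, 'Bob', 'hunter2'));         // legacy row, right password
var_dump(check_login($db, 'Alice', 'wrong'));         // wrong password
var_dump(check_login($db, "O'Brien", 'x'));           // quote in name stays data
```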

lotok

