当前位置: 文江博客话题详情

根据 PhPbb 数据库对用户进行身份验证

发布于 2024-10-18 23:55:18 字数 819 浏览 1 评论 0原文

最近我开始实现一个解决方案,该解决方案将使用 PhPbb 数据库进行表单授权,我使用了以下线程中的类:

PhPbb C# 身份验证端口

所以我在 'ValidateUser' 函数中使用此类编写了一个会员提供程序:

public override bool ValidateUser(string username, string password)
    {
        ForumsDataContext db = Root.ForumsDataContext;
        PhPbbCryptoServiceProvider phpbbCrypt = new PhPbbCryptoServiceProvider();
        string remoteHash = db.Users.Where(u => u.UserName == username).FirstOrDefault().UserPassword;
        if (String.IsNullOrEmpty(remoteHash))
            return false;
        return phpbbCrypt.phpbbCheckHash(password, remoteHash);
    }

但是,这总是返回 false,因为 'phpbbCrypt.phpbbCheckHash' 返回 false我对 PhPbb 的了解还不够,无法确定哈希值不匹配的原因。

有什么建议吗?

原文

Recently I have started implementing a solution which will use a PhPbb database for forms authorization, I have used the class from this below thread:

PhPbb C# Authentication Port

So i wrote a membership provider using this class in the 'ValidateUser' function:

public override bool ValidateUser(string username, string password)
    {
        ForumsDataContext db = Root.ForumsDataContext;
        PhPbbCryptoServiceProvider phpbbCrypt = new PhPbbCryptoServiceProvider();
        string remoteHash = db.Users.Where(u => u.UserName == username).FirstOrDefault().UserPassword;
        if (String.IsNullOrEmpty(remoteHash))
            return false;
        return phpbbCrypt.phpbbCheckHash(password, remoteHash);
    }

However this always returns false as the 'phpbbCrypt.phpbbCheckHash' returns false and I do not know enough about PhPbb to determine why the hashes are not matching up.

Any sugestions?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

<逆流佳人身旁 2024-10-25 23:55:18

如果您从 2.0 升级了 phpbb 安装,则密码哈希函数会有所不同。我从 phpbb 中的functions.php 中获取了这个片段(参见: GitHub) 这是整个密码检查和哈希函数,最后有一点输出 phpbb 哈希密码。

<?php
  function _hash_encode64($input, $count, &$itoa64)
  {
      $output = '';
      $i = 0;

      do {
          $value = ord($input[$i++]);
          $output .= $itoa64[$value & 0x3f];

          if ($i < $count) {
              $value |= ord($input[$i]) << 8;
          }

          $output .= $itoa64[($value >> 6) & 0x3f];

          if ($i++ >= $count) {
              break;
          }

          if ($i < $count) {
              $value |= ord($input[$i]) << 16;
          }

          $output .= $itoa64[($value >> 12) & 0x3f];

          if ($i++ >= $count) {
              break;
          }

          $output .= $itoa64[($value >> 18) & 0x3f];
      } while ($i < $count);

      return $output;
  }
  function _hash_crypt_private($password, $setting, &$itoa64)
  {
      $output = '*';

      // Check for correct hash
      if (substr($setting, 0, 3) != '$H

这里重要的一点是它不是直接的 MD5。我从 OP 提供的链接中获取了 C# 类,并制作了这个测试类。


[TestFixture]
public class phpBBHashTestFixture
{
    [Test]
    public void TestCanVerifyPhpBBPassword()
    {
        var cryptoService = new phpBBCryptoServiceProvider();
        Assert.That(cryptoService.phpbbCheckHash("a", "$H$9AE1X.4z5hqGj/RVdvzuYjxsJdMeFs."), Is.True);
        Assert.That(cryptoService.phpbbCheckHash("q1w2e3", "$H$9uAiKWrdcDomn7FEqujoPLYuBXvkzV0"), Is.True);
    }
}



这是 OP 问题中的类的修改副本。这将检查旧密码,这些密码只是不加盐的明文密码的 MD5 哈希值,并且我还添加了允许的前缀“$P$”。


/// <summary>
///   Computes the phpBB/SubMD5 hash value for the input data using the implementation provided by http://openwall.com/phpass/ modified by http://www.phpbb.com/.
/// </summary>
/// <remarks>
///   Ported by Ryan Irecki
///   Website: http://www.digilitepc.net/
///   E-mail: [email protected]
/// </remarks>
public class phpBBCryptoServiceProvider
{
    /// <summary>
    ///   The encryption string base.
    /// </summary>
    private string itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    /// <summary>
    ///   Compares the password string given with the hash retrieved from your database.
    /// </summary>
    /// <param name = "password">Plaintext password.</param>
    /// <param name = "hash">Hash from a SQL database</param>
    /// <returns>True if the password is correct, False otherwise.</returns>
    public bool phpbbCheckHash(string password, string hash)
    {
        if (hash.Length == 34)
        {
            return (this.hashCryptPrivate(Encoding.ASCII.GetBytes(password), hash, this.itoa64) == hash);
        }

        return this.sMD5(password, false) == hash.ToUpper();
    }

    /// <summary>
    ///   This function will return the resulting hash from the password string you specify.
    /// </summary>
    /// <param name = "password">String to hash.</param>
    /// <returns>Encrypted hash.</returns>
    /// <remarks>
    ///   Although this will return the md5 for an older password, I have not added
    ///   support for older passwords, so they will not work with this class unless
    ///   I or someone else updates it.
    /// </remarks>
    public string phpbb_hash(string password)
    {
        // Generate a random string from a random number with the length of 6.
        // You could use a static string instead, doesn't matter. E.g.
        // byte[] random = ASCIIEncoding.ASCII.GetBytes("abc123");
        var random = Encoding.ASCII.GetBytes(new Random().Next(100000, 999999).ToString());

        var hash = this.hashCryptPrivate(Encoding.ASCII.GetBytes(password), this.hashGensaltPrivate(random, this.itoa64), this.itoa64);

        if (hash.Length == 34)
        {
            return hash;
        }

        return this.sMD5(password);
    }

    /// <summary>
    ///   The workhorse that encrypts your hash.
    /// </summary>
    /// <param name = "password">String to be encrypted. Use: ASCIIEncoding.ASCII.GetBytes();</param>
    /// <param name = "genSalt">Generated salt.</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>The encrypted hash ready to be compared.</returns>
    /// <remarks>
    ///   password:  Saves conversion inside the function, lazy coding really.
    ///   genSalt:   Returns from hashGensaltPrivate(random, itoa64);
    ///   return:    Compare with phpbbCheckHash(password, hash)
    /// </remarks>
    private string hashCryptPrivate(byte[] password, string genSalt, string itoa64)
    {
        var output = "*";
        var md5 = new MD5CryptoServiceProvider();
        if (!(genSalt.StartsWith("$H$") || genSalt.StartsWith("$P$")))
        {
            return output;
        }
        //   $count_log2 = strpos($itoa64, $setting[3]);
        var count_log2 = itoa64.IndexOf(genSalt[3]);
        if (count_log2 < 7 || count_log2 > 30)
        {
            return output;
        }

        var count = 1 << count_log2;
        var salt = Encoding.ASCII.GetBytes(genSalt.Substring(4, 8));

        if (salt.Length != 8)
        {
            return output;
        }

        var hash = md5.ComputeHash(this.Combine(salt, password));

        do
        {
            hash = md5.ComputeHash(this.Combine(hash, password));
        } while (count-- > 1);

        output = genSalt.Substring(0, 12);
        output += this.hashEncode64(hash, 16, itoa64);

        return output;
    }

    /// <summary>
    ///   Private function to concat byte arrays.
    /// </summary>
    /// <param name = "b1">Source array.</param>
    /// <param name = "b2">Array to add to the source array.</param>
    /// <returns>Combined byte array.</returns>
    private byte[] Combine(byte[] b1, byte[] b2)
    {
        var retVal = new byte[b1.Length + b2.Length];
        Array.Copy(b1, 0, retVal, 0, b1.Length);
        Array.Copy(b2, 0, retVal, b1.Length, b2.Length);
        return retVal;
    }

    /// <summary>
    ///   Encode the hash.
    /// </summary>
    /// <param name = "input">The hash to encode.</param>
    /// <param name = "count">[This parameter needs documentation].</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>Encoded hash.</returns>
    private string hashEncode64(byte[] input, int count, string itoa64)
    {
        var output = "";
        var i = 0;
        var value = 0;

        do
        {
            value = input[i++];
            output += itoa64[value & 0x3f];

            if (i < count)
            {
                value |= input[i] << 8;
            }
            output += itoa64[(value >> 6) & 0x3f];
            if (i++ >= count)
            {
                break;
            }

            if (i < count)
            {
                value |= input[i] << 16;
            }
            output += itoa64[(value >> 12) & 0x3f];
            if (i++ >= count)
            {
                break;
            }

            output += itoa64[(value >> 18) & 0x3f];
        } while (i < count);

        return output;
    }

    /// <summary>
    ///   Generate salt for hash generation.
    /// </summary>
    /// <param name = "input">Any random information.</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>Generated salt string</returns>
    private string hashGensaltPrivate(byte[] input, string itoa64)
    {
        var iteration_count_log2 = 6;

        var output = "$H$";
        output += itoa64[Math.Min(iteration_count_log2 + 5, 30)];
        output += this.hashEncode64(input, 6, itoa64);

        return output;
    }

    /// <summary>
    ///   Returns a hexadecimal string representation for the encrypted MD5 parameter.
    /// </summary>
    /// <param name = "password">String to be encrypted.</param>
    /// <returns>String</returns>
    private string sMD5(string password)
    {
        return this.sMD5(password, false);
    }

    /// <summary>
    ///   Returns a hexadecimal string representation for the encrypted MD5 parameter.
    /// </summary>
    /// <param name = "password">String to be encrypted.</param>
    /// <param name = "raw">Whether or not to produce a raw string.</param>
    /// <returns>String</returns>
    private string sMD5(string password, bool raw)
    {
        var md5 = new MD5CryptoServiceProvider();
        if (raw)
        {
            return Encoding.ASCII.GetString(md5.ComputeHash(Encoding.ASCII.GetBytes(password)));
        }
        else
        {
            return BitConverter.ToString(md5.ComputeHash(Encoding.ASCII.GetBytes(password))).Replace("-", "");
        }
    }
}


 && substr($setting, 0, 3) != '$P

这里重要的一点是它不是直接的 MD5。我从 OP 提供的链接中获取了 C# 类,并制作了这个测试类。




这是 OP 问题中的类的修改副本。这将检查旧密码,这些密码只是不加盐的明文密码的 MD5 哈希值,并且我还添加了允许的前缀“$P$”。



) {
          return $output;
      }

      $count_log2 = strpos($itoa64, $setting[3]);

      if ($count_log2 < 7 || $count_log2 > 30) {
          return $output;
      }

      $count = 1 << $count_log2;
      $salt = substr($setting, 4, 8);

      if (strlen($salt) != 8) {
          return $output;
      }

      /**
       * We're kind of forced to use MD5 here since it's the only
       * cryptographic primitive available in all versions of PHP
       * currently in use.  To implement our own low-level crypto
       * in PHP would result in much worse performance and
       * consequently in lower iteration counts and hashes that are
       * quicker to crack (by non-PHP code).
       */
      $hash = md5($salt . $password, true);
      do {
          $hash = md5($hash . $password, true);
      } while (--$count);

      $output = substr($setting, 0, 12);
      $output .= _hash_encode64($hash, 16, $itoa64);

      return $output;
  }

  function phpbb_hash($password)
  {
      $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

      $random_state = unique_id();
      $random = '';
      $count = 6;

      if (($fh = @fopen('/dev/urandom', 'rb'))) {
          $random = fread($fh, $count);
          fclose($fh);
      }

      if (strlen($random) < $count) {
          $random = '';

          for ($i = 0; $i < $count; $i += 16) {
              $random_state = md5(unique_id() . $random_state);
              $random .= pack('H*', md5($random_state));
          }
          $random = substr($random, 0, $count);
      }

      $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

      if (strlen($hash) == 34) {
          return $hash;
      }

      return md5($password);
  }
  /**
   * * Generate salt for hash generation
   * */
  function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
  {
      if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) {
          $iteration_count_log2 = 8;
      }

      $output = '$H

这里重要的一点是它不是直接的 MD5。我从 OP 提供的链接中获取了 C# 类,并制作了这个测试类。




这是 OP 问题中的类的修改副本。这将检查旧密码,这些密码只是不加盐的明文密码的 MD5 哈希值,并且我还添加了允许的前缀“$P$”。



;
      $output .= $itoa64[min($iteration_count_log2 + 5, 30)];
      $output .= _hash_encode64($input, 6, $itoa64);

      return $output;
  }
  /**
   * * Return unique id
   * * @param string $extra additional entropy
   * */
  function unique_id($extra = 'c')
  {
      static $dss_seeded = false;
      global $config;

      $val = $config['rand_seed'] . microtime();
      $val = md5($val);
      $config['rand_seed'] = md5($config['rand_seed'] . $val . $extra);
      return substr($val, 4, 16);
  }
  function phpbb_check_hash($password, $hash)
  {
      $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
      if (strlen($hash) == 34) {
          return(_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
      }

      return(md5($password) === $hash) ? true : false;
  }
  $toHash = "";
  if (!empty($argc) && $argc >= 2) {
      $toHash = $argv[1];
  }
  $hashed = phpbb_hash("a");
  //To Check: $checked2 = phpbb_check_hash("q1w2e3", '$H$9uAiKWrdcDomn7FEqujoPLYuBXvkzV0');
  echo "Hashing password '" . $toHash . "'\n";
  echo "Hash: " . $hashed . "\n";
  echo "Hash (MD5): " . md5($toHash) . "\n";
?>

这里重要的一点是它不是直接的 MD5。我从 OP 提供的链接中获取了 C# 类,并制作了这个测试类。
这是 OP 问题中的类的修改副本。这将检查旧密码,这些密码只是不加盐的明文密码的 MD5 哈希值,并且我还添加了允许的前缀“$P$”。
If you upgraded your phpbb install from 2.0 the password hashing function is different. I took this snippet from functions.php in phpbb (See: GitHub) this is the entire password checking and hashing functions with a little bit at the end to output a phpbb hashed password.
<?php
  function _hash_encode64($input, $count, &$itoa64)
  {
      $output = '';
      $i = 0;

      do {
          $value = ord($input[$i++]);
          $output .= $itoa64[$value & 0x3f];

          if ($i < $count) {
              $value |= ord($input[$i]) << 8;
          }

          $output .= $itoa64[($value >> 6) & 0x3f];

          if ($i++ >= $count) {
              break;
          }

          if ($i < $count) {
              $value |= ord($input[$i]) << 16;
          }

          $output .= $itoa64[($value >> 12) & 0x3f];

          if ($i++ >= $count) {
              break;
          }

          $output .= $itoa64[($value >> 18) & 0x3f];
      } while ($i < $count);

      return $output;
  }
  function _hash_crypt_private($password, $setting, &$itoa64)
  {
      $output = '*';

      // Check for correct hash
      if (substr($setting, 0, 3) != '$H

Important part here is that it isn't a straight MD5.  I took the C# class from the link the OP provided and made this test class.  


[TestFixture]
public class phpBBHashTestFixture
{
    [Test]
    public void TestCanVerifyPhpBBPassword()
    {
        var cryptoService = new phpBBCryptoServiceProvider();
        Assert.That(cryptoService.phpbbCheckHash("a", "$H$9AE1X.4z5hqGj/RVdvzuYjxsJdMeFs."), Is.True);
        Assert.That(cryptoService.phpbbCheckHash("q1w2e3", "$H$9uAiKWrdcDomn7FEqujoPLYuBXvkzV0"), Is.True);
    }
}



This is a modified copy of the class in the OP question.  This will check older passwords which were just an MD5 hash of the plaintext password without a salt and i also added in the prefix "$P$" to be allowed.


/// <summary>
///   Computes the phpBB/SubMD5 hash value for the input data using the implementation provided by http://openwall.com/phpass/ modified by http://www.phpbb.com/.
/// </summary>
/// <remarks>
///   Ported by Ryan Irecki
///   Website: http://www.digilitepc.net/
///   E-mail: [email protected]
/// </remarks>
public class phpBBCryptoServiceProvider
{
    /// <summary>
    ///   The encryption string base.
    /// </summary>
    private string itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    /// <summary>
    ///   Compares the password string given with the hash retrieved from your database.
    /// </summary>
    /// <param name = "password">Plaintext password.</param>
    /// <param name = "hash">Hash from a SQL database</param>
    /// <returns>True if the password is correct, False otherwise.</returns>
    public bool phpbbCheckHash(string password, string hash)
    {
        if (hash.Length == 34)
        {
            return (this.hashCryptPrivate(Encoding.ASCII.GetBytes(password), hash, this.itoa64) == hash);
        }

        return this.sMD5(password, false) == hash.ToUpper();
    }

    /// <summary>
    ///   This function will return the resulting hash from the password string you specify.
    /// </summary>
    /// <param name = "password">String to hash.</param>
    /// <returns>Encrypted hash.</returns>
    /// <remarks>
    ///   Although this will return the md5 for an older password, I have not added
    ///   support for older passwords, so they will not work with this class unless
    ///   I or someone else updates it.
    /// </remarks>
    public string phpbb_hash(string password)
    {
        // Generate a random string from a random number with the length of 6.
        // You could use a static string instead, doesn't matter. E.g.
        // byte[] random = ASCIIEncoding.ASCII.GetBytes("abc123");
        var random = Encoding.ASCII.GetBytes(new Random().Next(100000, 999999).ToString());

        var hash = this.hashCryptPrivate(Encoding.ASCII.GetBytes(password), this.hashGensaltPrivate(random, this.itoa64), this.itoa64);

        if (hash.Length == 34)
        {
            return hash;
        }

        return this.sMD5(password);
    }

    /// <summary>
    ///   The workhorse that encrypts your hash.
    /// </summary>
    /// <param name = "password">String to be encrypted. Use: ASCIIEncoding.ASCII.GetBytes();</param>
    /// <param name = "genSalt">Generated salt.</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>The encrypted hash ready to be compared.</returns>
    /// <remarks>
    ///   password:  Saves conversion inside the function, lazy coding really.
    ///   genSalt:   Returns from hashGensaltPrivate(random, itoa64);
    ///   return:    Compare with phpbbCheckHash(password, hash)
    /// </remarks>
    private string hashCryptPrivate(byte[] password, string genSalt, string itoa64)
    {
        var output = "*";
        var md5 = new MD5CryptoServiceProvider();
        if (!(genSalt.StartsWith("$H$") || genSalt.StartsWith("$P$")))
        {
            return output;
        }
        //   $count_log2 = strpos($itoa64, $setting[3]);
        var count_log2 = itoa64.IndexOf(genSalt[3]);
        if (count_log2 < 7 || count_log2 > 30)
        {
            return output;
        }

        var count = 1 << count_log2;
        var salt = Encoding.ASCII.GetBytes(genSalt.Substring(4, 8));

        if (salt.Length != 8)
        {
            return output;
        }

        var hash = md5.ComputeHash(this.Combine(salt, password));

        do
        {
            hash = md5.ComputeHash(this.Combine(hash, password));
        } while (count-- > 1);

        output = genSalt.Substring(0, 12);
        output += this.hashEncode64(hash, 16, itoa64);

        return output;
    }

    /// <summary>
    ///   Private function to concat byte arrays.
    /// </summary>
    /// <param name = "b1">Source array.</param>
    /// <param name = "b2">Array to add to the source array.</param>
    /// <returns>Combined byte array.</returns>
    private byte[] Combine(byte[] b1, byte[] b2)
    {
        var retVal = new byte[b1.Length + b2.Length];
        Array.Copy(b1, 0, retVal, 0, b1.Length);
        Array.Copy(b2, 0, retVal, b1.Length, b2.Length);
        return retVal;
    }

    /// <summary>
    ///   Encode the hash.
    /// </summary>
    /// <param name = "input">The hash to encode.</param>
    /// <param name = "count">[This parameter needs documentation].</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>Encoded hash.</returns>
    private string hashEncode64(byte[] input, int count, string itoa64)
    {
        var output = "";
        var i = 0;
        var value = 0;

        do
        {
            value = input[i++];
            output += itoa64[value & 0x3f];

            if (i < count)
            {
                value |= input[i] << 8;
            }
            output += itoa64[(value >> 6) & 0x3f];
            if (i++ >= count)
            {
                break;
            }

            if (i < count)
            {
                value |= input[i] << 16;
            }
            output += itoa64[(value >> 12) & 0x3f];
            if (i++ >= count)
            {
                break;
            }

            output += itoa64[(value >> 18) & 0x3f];
        } while (i < count);

        return output;
    }

    /// <summary>
    ///   Generate salt for hash generation.
    /// </summary>
    /// <param name = "input">Any random information.</param>
    /// <param name = "itoa64">The itoa64 string.</param>
    /// <returns>Generated salt string</returns>
    private string hashGensaltPrivate(byte[] input, string itoa64)
    {
        var iteration_count_log2 = 6;

        var output = "$H$";
        output += itoa64[Math.Min(iteration_count_log2 + 5, 30)];
        output += this.hashEncode64(input, 6, itoa64);

        return output;
    }

    /// <summary>
    ///   Returns a hexadecimal string representation for the encrypted MD5 parameter.
    /// </summary>
    /// <param name = "password">String to be encrypted.</param>
    /// <returns>String</returns>
    private string sMD5(string password)
    {
        return this.sMD5(password, false);
    }

    /// <summary>
    ///   Returns a hexadecimal string representation for the encrypted MD5 parameter.
    /// </summary>
    /// <param name = "password">String to be encrypted.</param>
    /// <param name = "raw">Whether or not to produce a raw string.</param>
    /// <returns>String</returns>
    private string sMD5(string password, bool raw)
    {
        var md5 = new MD5CryptoServiceProvider();
        if (raw)
        {
            return Encoding.ASCII.GetString(md5.ComputeHash(Encoding.ASCII.GetBytes(password)));
        }
        else
        {
            return BitConverter.ToString(md5.ComputeHash(Encoding.ASCII.GetBytes(password))).Replace("-", "");
        }
    }
}


 && substr($setting, 0, 3) != '$P

Important part here is that it isn't a straight MD5.  I took the C# class from the link the OP provided and made this test class.  




This is a modified copy of the class in the OP question.  This will check older passwords which were just an MD5 hash of the plaintext password without a salt and i also added in the prefix "$P$" to be allowed.



) {
          return $output;
      }

      $count_log2 = strpos($itoa64, $setting[3]);

      if ($count_log2 < 7 || $count_log2 > 30) {
          return $output;
      }

      $count = 1 << $count_log2;
      $salt = substr($setting, 4, 8);

      if (strlen($salt) != 8) {
          return $output;
      }

      /**
       * We're kind of forced to use MD5 here since it's the only
       * cryptographic primitive available in all versions of PHP
       * currently in use.  To implement our own low-level crypto
       * in PHP would result in much worse performance and
       * consequently in lower iteration counts and hashes that are
       * quicker to crack (by non-PHP code).
       */
      $hash = md5($salt . $password, true);
      do {
          $hash = md5($hash . $password, true);
      } while (--$count);

      $output = substr($setting, 0, 12);
      $output .= _hash_encode64($hash, 16, $itoa64);

      return $output;
  }

  function phpbb_hash($password)
  {
      $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

      $random_state = unique_id();
      $random = '';
      $count = 6;

      if (($fh = @fopen('/dev/urandom', 'rb'))) {
          $random = fread($fh, $count);
          fclose($fh);
      }

      if (strlen($random) < $count) {
          $random = '';

          for ($i = 0; $i < $count; $i += 16) {
              $random_state = md5(unique_id() . $random_state);
              $random .= pack('H*', md5($random_state));
          }
          $random = substr($random, 0, $count);
      }

      $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

      if (strlen($hash) == 34) {
          return $hash;
      }

      return md5($password);
  }
  /**
   * * Generate salt for hash generation
   * */
  function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
  {
      if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) {
          $iteration_count_log2 = 8;
      }

      $output = '$H

Important part here is that it isn't a straight MD5.  I took the C# class from the link the OP provided and made this test class.  




This is a modified copy of the class in the OP question.  This will check older passwords which were just an MD5 hash of the plaintext password without a salt and i also added in the prefix "$P$" to be allowed.



;
      $output .= $itoa64[min($iteration_count_log2 + 5, 30)];
      $output .= _hash_encode64($input, 6, $itoa64);

      return $output;
  }
  /**
   * * Return unique id
   * * @param string $extra additional entropy
   * */
  function unique_id($extra = 'c')
  {
      static $dss_seeded = false;
      global $config;

      $val = $config['rand_seed'] . microtime();
      $val = md5($val);
      $config['rand_seed'] = md5($config['rand_seed'] . $val . $extra);
      return substr($val, 4, 16);
  }
  function phpbb_check_hash($password, $hash)
  {
      $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
      if (strlen($hash) == 34) {
          return(_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
      }

      return(md5($password) === $hash) ? true : false;
  }
  $toHash = "";
  if (!empty($argc) && $argc >= 2) {
      $toHash = $argv[1];
  }
  $hashed = phpbb_hash("a");
  //To Check: $checked2 = phpbb_check_hash("q1w2e3", '$H$9uAiKWrdcDomn7FEqujoPLYuBXvkzV0');
  echo "Hashing password '" . $toHash . "'\n";
  echo "Hash: " . $hashed . "\n";
  echo "Hash (MD5): " . md5($toHash) . "\n";
?>

Important part here is that it isn't a straight MD5. I took the C# class from the link the OP provided and made this test class.
This is a modified copy of the class in the OP question. This will check older passwords which were just an MD5 hash of the plaintext password without a salt and i also added in the prefix "$P$" to be allowed.
 回复 原文 
~没有更多了~
关于作者
 多彩岁月
暂无简介
0 文章
0 评论
587 人气
 发私信
相关话题
更多 
热门标签
操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多 
推荐作者
linfzu01
文章 0 评论 0
§对你不离不弃
文章 0 评论 0
可遇━不可求
文章 0 评论 0
枕梦
文章 0 评论 0
qq_3LFa8Q
文章 0 评论 0
JP
文章 0 评论 0
更多 
友情链接
文江博客
       
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
     
    原文