C# Authentication Port (port of phpbb_hash)?

Discussion forum for Extension Writers regarding Extension Development.
Post Reply
Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

C# Authentication Port (port of phpbb_hash)?

Post by Demig0d » Tue Jun 14, 2016 4:20 am

I've just finished a complete rewrite of my website. It's a a .NET MVC site with completely integrated security with phpbb. The last step was to get my forum (a test copy) upgraded from 3.0.10 to 3.1.9.

I went through all the steps from a fresh 3.0.10 install all the way to 3.1.9. Logged in and was amazed it all worked!

That is until I logged in a 2nd time, through the website, not the forum. No good.

Is the form of authentication used in 3.0.x no longer valid for 3.1?

I had used this code:

viewtopic.php?f=71&t=1771165&start=15

to integrate my site with phpbb, and now I feel I'm back to square 1 with no idea how to move forward.

Can anyone shed some light on what I should be doing to get it working with 3.1? What form of auth is it? Whats with the new hash? How can I emulate it outside of PHP?
Last edited by bonelifer on Tue Jun 14, 2016 5:32 am, edited 1 time in total.
Reason: Moved from 3.1.x Support Forum

Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Re: C# Authentication Port (port of phpbb_hash)?

Post by Demig0d » Tue Jun 14, 2016 11:45 pm

This was actually a LOT easier than I thought it would be once I figured out what kind of hashing 3.1.x was using. If you're using the aforementioned class for logging phpBB based users into your .NET website you can do this:

Install CryptSharp into the project you have the phpBBCryptoServiceProvider class in. Here is the NuGet package:

https://www.nuget.org/packages/CryptSharpOfficial/

Update the phpbbCheckHash method like this:

Code: Select all

        public bool phpbbCheckHash(string password, string hash)
        {
            if (hash.Length == 34) return (hashCryptPrivate(ASCIIEncoding.ASCII.GetBytes(password), hash, itoa64) == hash);
            if (hash.Length == 60)
            {
                string salt = hash.Substring(0, 29);
                if (hash == CryptSharp.BlowfishCrypter.Blowfish.Crypt(password, salt))
                {
                    return true;
                }
            };
            return false;
        }
That's it really. In the first hash.Length (=34) check you should probably create a NEW BCrypt hashed password and save it in place of the older $H$9 hash so your users get their security updated (I believe this is what phpBB does when a user logs in with an old hashed password). As far as being able to compare hashes and log a user into your site this should do it.

Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Re: C# Authentication Port (port of phpbb_hash)?

Post by Demig0d » Tue Jun 14, 2016 11:51 pm

Note: This solved the problem of being able to compare hashes but more updates to the class will/would be needed if you're creating your own hashes for passwords outside of your forum. Should be relatively easy with CryptSharp to add this functionality to the class.

andruszkow
Registered User
Posts: 3
Joined: Tue Oct 04, 2016 1:01 pm

Re: C# Authentication Port (port of phpbb_hash)?

Post by andruszkow » Tue Oct 04, 2016 1:02 pm

Now we just need CryptSharp Official compiled in a .Net Core version :)

Post Reply

Return to “Extension Writers Discussion”