Using phpBB to not only authenticate a user but also re-hash legacy hash types

[JustChise]

So I found this old topic about someone using phpBB's password manager to authenticate logins outside of the phpBB forum --- viewtopic.php?t=2441361. I was able to get this work but it was my understanding based on the code in manager.php that if the password hash was not bcrypt, it would also be re-hased to bcrypt when I used this function. That does not seem to be the case tho so my question is in addition to using the password manager to authenticate the user, what is the best way to also make sure it re-hashes the password with bcrypt at the same time as well? My current code is below and while I found in phpbb/auth/provider/db.php where it also does the rehash upon login, I'm not sure if that's the best way to do this as I don't want to also log the person into the forum when I verify the password.

Code: Select all

	define("IN_PHPBB", true);
	$phpbb_root_path = (defined("PHPBB_ROOT_PATH")) ? PHPBB_ROOT_PATH : "./forum/";
	$phpEx = substr(strrchr(__FILE__, "."), 1);
	include($phpbb_root_path . "common." . $phpEx);

	$config = new \phpbb\config\config(array());
	$passwords_helper = new \phpbb\passwords\helper($config);
	$passwords_driver_helper = new \phpbb\passwords\driver\helper($config);
	$passwords_drivers = array(
		'passwords.driver.bcrypt_2y'		=> new \phpbb\passwords\driver\bcrypt_2y($config, $passwords_driver_helper, 10),
		'passwords.driver.bcrypt'		=> new \phpbb\passwords\driver\bcrypt($config, $passwords_driver_helper, 10),
		'passwords.driver.salted_md5'		=> new \phpbb\passwords\driver\salted_md5($config, $passwords_driver_helper),
		'passwords.driver.phpass'		=> new \phpbb\passwords\driver\phpass($config, $passwords_driver_helper),
		'passwords.driver.convert_password'	=> new \phpbb\passwords\driver\convert_password($config, $passwords_driver_helper),
		'passwords.driver.sha1_smf'		=> new \phpbb\passwords\driver\sha1_smf($config, $passwords_driver_helper),
		'passwords.driver.sha1'			=> new \phpbb\passwords\driver\sha1($config, $passwords_driver_helper),
		'passwords.driver.sha1_wcf1'		=> new \phpbb\passwords\driver\sha1_wcf1($config, $passwords_driver_helper),
		'passwords.driver.md5_mybb'		=> new \phpbb\passwords\driver\md5_mybb($config, $passwords_driver_helper),
		'passwords.driver.md5_vb'		=> new \phpbb\passwords\driver\md5_vb($config, $passwords_driver_helper),
		'passwords.driver.sha_xf1'	=> new \phpbb\passwords\driver\sha_xf1($config, $passwords_driver_helper),
	);
	
	$passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
	
	$correct_password = $passwords_manager->check($userpass, $dbhash, $row);

	if ($correct_password) {
		echo "Password verified!";
	} else {
		echo "Password incorrect! Please go back and try again.";
	}

Support Request Template
What version of phpBB are you using? phpBB 3.2.5
What is your board's URL? http://www.stablewars.com/forum
Who do you host your board with? Go Daddy
How did you install your board? I used the automatic download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3.2
Is registration required to reproduce this issue? N/A
Do you have any MODs installed? No
What version of phpBB3 did you update from? N/A
What styles do you currently have installed? prosilver and a few others
What language(s) is your board currently using? English
Which database type/version are you using? MySQL 5
What is your level of experience? Not new to phpBB nor PHP
What username can be used to view this issue? No answer given
What password can be used to view this issue? No answer given
When did your problem begin? Not a problem per say...
Please describe your problem. See description of question above...
Generated by SRT Generator

[3Di]

There is a cron job which does that automatically.

Code: Select all

/**
 * Update old hashes to the current default hashing algorithm
 *
 * It is intended to gradually update all "old" style hashes to the
 * current default hashing algorithm.
 */
class update_hashes extends \phpbb\cron\task\base

[JustChise]

Is there something I need to do to enable that cron job to run? I ask because there are tons of users in my DB that still have the $H\ ones whereas users that have logged in since the 3.1 upgrade have the $2y one.

[3Di]

See https://wiki.phpbb.com/PhpBB3.1/RFC/Mod ... ystem_cron

Such cron job updates those hashes in steps of 20.

Code: Select all

$result = $this->db->sql_query_limit($sql, 20);

[JustChise]

Thanks for the info. I think I got that cron job running but I don't think it's actually doing anything. Also, looking at the code of update_hashes.php itself, it seems to be looking for hashes that start like $H$ or $CP$, neither of which the older ones in my DB do (they start with $H\2y). So I'm not sure that cron job will do what I'm looking for. Is there another option to get the $H\2y to be re-hashed like the newer ones are ($2y)?

[3Di]

Those are already re-hashed to begin with, try changing the code to

Code: Select all

			$sql = 'SELECT user_id, user_password
				FROM ' . USERS_TABLE . '
				WHERE user_password ' . $this->db->sql_like_expression('$H\2y' . $this->db->get_any_char());
			$result = $this->db->sql_query_limit($sql, 20);

Make a backup first, you are on your own.

[JustChise]

I've got the cron job running, changed that file, but still doesn't re-hash those passwords. When you say they are already re-hashed, why would they be changed upon login then though? I guess that's part of what I don't get as if they were re-hashed, why not to the 2y format with the 10 passes as opposed to the 7? Unless it was just something that got re-hashed in another upgrade is what you mean.

Anyhow, ultimately I think I'm going to have to either create something to manually check the hashes that begin with the H\ and re-hash them like it does in the phpbb/auth/provider/db.php or at least have it do that for people that enter registrations outside phpbb with their forum account to do it there when they do.

One last question while I ponder the above approaches: is there any function or functions within one of these files that both checks the password and then re-hashes the password if necessary? If not, I figure clipping something like this below from db.php will do the trick...

Code: Select all

		// Check password ...
		if ($this->passwords_manager->check($password, $row['user_password'], $row))
		{
			// Check for old password hash...
			if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
			{
				$hash = $this->passwords_manager->hash($password);

				// Update the password in the users table to the new format
				$sql = 'UPDATE ' . USERS_TABLE . "
					SET user_password = '" . $this->db->sql_escape($hash) . "'
					WHERE user_id = {$row['user_id']}";
				$this->db->sql_query($sql);

				$row['user_password'] = $hash;
			}
		}