Antiguo 16/07/2011, 21:17
XtremeBook
 
Para los GENIOS: problema al iniciar sesión con el hash SHA-1 de SMF

Hola amigos, estoy haciendo una web en la que quiero usar la misma BD de mi foro SMF. Estoy usando SMF 2.0 que, por lo que he podido ver, para almacenar las contraseñas no las cifra sino que guarda un hash SHA-1 del nombre de usuario (en minúsculas) concatenado con la contraseña, o sea, algo así:

sha1(strtolower($usuario) . $password);

Mi problema es que no sé cómo hacer un sistema de login que, de alguna forma, compare la contraseña que escriban en el campo password del formulario con la que está almacenada como hash en la base de datos y sepa si es correcta o no. Aquí les dejo el código de login de SMF que hace esa comprobación:

Código PHP:
  1. <?php
  2.     // Figure out the password using SMF's encryption - if what they typed is right.
  3.     if (isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40)
  4.     {
  5.         // Needs upgrading?
  6.         if (strlen($user_settings['passwd']) != 40)
  7.         {
  8.             $context['login_errors'] = array($txt['login_hash_error']);
  9.             $context['disable_login_hashing'] = true;
  10.             unset($user_settings);
  11.             return;
  12.         }
  13.         // Challenge passed.
  14.         elseif ($_POST['hash_passwrd'] == sha1($user_settings['passwd'] . $sc))
  15.             $sha_passwd = $user_settings['passwd'];
  16.         else
  17.         {
  18.             // Don't allow this!
  19.             validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
  20.  
  21.             $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
  22.  
  23.             if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
  24.                 redirectexit('action=reminder');
  25.             else
  26.             {
  27.                 log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
  28.  
  29.                 $context['disable_login_hashing'] = true;
  30.                 $context['login_errors'] = array($txt['incorrect_password']);
  31.                 unset($user_settings);
  32.                 return;
  33.             }
  34.         }
  35.     }
  36.     else
  37.         $sha_passwd = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  38.  
  39.     // Bad password!  Thought you could fool the database?!
  40.     if ($user_settings['passwd'] != $sha_passwd)
  41.     {
  42.         // Let's be cautious, no hacking please. thanx.
  43.         validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
  44.  
  45.         // Maybe we were too hasty... let's try some other authentication methods.
  46.         $other_passwords = array();
  47.  
  48.         // None of the below cases will be used most of the time (because the salt is normally set.)
  49.         if ($user_settings['password_salt'] == '')
  50.         {
  51.             // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
  52.             $other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
  53.             $other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
  54.             $other_passwords[] = md5($_POST['passwrd']);
  55.             $other_passwords[] = sha1($_POST['passwrd']);
  56.             $other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
  57.             $other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
  58.             $other_passwords[] = md5(md5($_POST['passwrd']));
  59.             $other_passwords[] = $_POST['passwrd'];
  60.  
  61.             // This one is a strange one... MyPHP, crypt() on the MD5 hash.
  62.             $other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
  63.  
  64.             // Snitz style - SHA-256.  Technically, this is a downgrade, but most PHP configurations don't support sha256 anyway.
  65.             if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256'))
  66.                 $other_passwords[] = bin2hex(mhash(MHASH_SHA256, $_POST['passwrd']));
  67.  
  68.             // phpBB3 users new hashing.  We now support it as well ;).
  69.             $other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
  70.  
  71.             // APBoard 2 Login Method.
  72.             $other_passwords[] = md5(crypt($_POST['passwrd'], 'CRYPT_MD5'));
  73.         }
  74.         // The hash should be 40 if it's SHA-1, so we're safe with more here too.
  75.         elseif (strlen($user_settings['passwd']) == 32)
  76.         {
  77.             // vBulletin 3 style hashing?  Let's welcome them with open arms \o/.
  78.             $other_passwords[] = md5(md5($_POST['passwrd']) . $user_settings['password_salt']);
  79.  
  80.             // Hmm.. p'raps it's Invision 2 style?
  81.             $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
  82.  
  83.             // Some common md5 ones.
  84.             $other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
  85.             $other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
  86.         }
  87.         elseif (strlen($user_settings['passwd']) == 40)
  88.         {
  89.             // Maybe they are using a hash from before the password fix.
  90.             $other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  91.  
  92.             // BurningBoard3 style of hashing.
  93.             $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_POST['passwrd'])));
  94.  
  95.             // Perhaps we converted to UTF-8 and have a valid password being hashed differently.
  96.             if ($context['character_set'] == 'utf8' && !empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8')
  97.             {
  98.                 // Try iconv first, for no particular reason.
  99.                 if (function_exists('iconv'))
  100.                     $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
  101.  
  102.                 // Say it aint so, iconv failed!
  103.                 if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding'))
  104.                     $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
  105.             }
  106.         }
  107.  
  108.         // SMF's sha1 function can give a funny result on Linux (Not our fault!). If we've now got the real one let the old one be valid!
  109.         if (strpos(strtolower(PHP_OS), 'win') !== 0)
  110.         {
  111.             require_once($sourcedir . '/Subs-Compat.php');
  112.             $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  113.         }
  114.  
  115.         // Whichever encryption it was using, let's make it use SMF's now ;).
  116.         if (in_array($user_settings['passwd'], $other_passwords))
  117.         {
  118.             $user_settings['passwd'] = $sha_passwd;
  119.             $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
  120.  
  121.             // Update the password and set up the hash.
  122.             updateMemberData($user_settings['id_member'], array('passwd' => $user_settings['passwd'], 'password_salt' => $user_settings['password_salt'], 'passwd_flood' => ''));
  123.         }
  124.         // Okay, they for sure didn't enter the password!
  125.         else
  126.         {
  127.             // They've messed up again - keep a count to see if they need a hand.
  128.             $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
  129.  
  130.             // Hmm... don't remember it, do you?  Here, try the password reminder ;).
  131.             if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
  132.                 redirectexit('action=reminder');
  133.             // We'll give you another chance...
  134.             else
  135.             {
  136.                 // Log an error so we know that it didn't go well in the error log.
  137.                 log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
  138.  
  139.                 $context['login_errors'] = array($txt['incorrect_password']);
  140.                 return;
  141.             }
  142.         }
  143.     }
  144.     elseif (!empty($user_settings['passwd_flood']))
  145.     {
  146.         // Let's be sure they weren't a little hacker.
  147.         validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood'], true);
  148.  
  149.         // If we got here then we can reset the flood counter.
  150.         updateMemberData($user_settings['id_member'], array('passwd_flood' => ''));
  151.     }
  152.  
  153.     // Correct password, but they've got no salt; fix it!
  154.     if ($user_settings['password_salt'] == '')
  155.     {
  156.         $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
  157.         updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
  158.     }
  159.  
  160.     // Check their activation status.
  161.     if (!checkActivation())
  162.         return;
  163.  
  164.     DoLogin();
  165. }
  166.  
  167. function checkActivation()
  168. {
  169.     global $context, $txt, $scripturl, $user_settings, $modSettings;
  170.  
  171.     if (!isset($context['login_errors']))
  172.         $context['login_errors'] = array();
  173.  
  174.     // What is the true activation status of this account?
  175.     $activation_status = $user_settings['is_activated'] > 10 ? $user_settings['is_activated'] - 10 : $user_settings['is_activated'];
  176.  
  177.     // Check if the account is activated - COPPA first...
  178.     if ($activation_status == 5)
  179.     {
  180.         $context['login_errors'][] = $txt['coppa_no_concent'] . ' <a href="' . $scripturl . '?action=coppa;member=' . $user_settings['id_member'] . '">' . $txt['coppa_need_more_details'] . '</a>';
  181.         return false;
  182.     }
  183.     // Awaiting approval still?
  184.     elseif ($activation_status == 3)
  185.         fatal_lang_error('still_awaiting_approval', 'user');
  186.     // Awaiting deletion, changed their mind?
  187.     elseif ($activation_status == 4)
  188.     {
  189.         if (isset($_REQUEST['undelete']))
  190.         {
  191.             updateMemberData($user_settings['id_member'], array('is_activated' => 1));
  192.             updateSettings(array('unapprovedMembers' => ($modSettings['unapprovedMembers'] > 0 ? $modSettings['unapprovedMembers'] - 1 : 0)));
  193.         }
  194.         else
  195.         {
  196.             $context['disable_login_hashing'] = true;
  197.             $context['login_errors'][] = $txt['awaiting_delete_account'];
  198.             $context['login_show_undelete'] = true;
  199.             return false;
  200.         }
  201.     }