Custom hash function

Help
Anonymous
2009-11-18
2013-04-23

  • Anonymous
    2009-11-18

    Hi There,

    I'm trying to integrate basic auth with a vBuletin site.  The goal is limit my test site to beta-testers only; all of which would appear in a particular vB user group from the main site's database.

    The problem is that vBulletin uses the following password has function in PHP:

    $hash = md5 ( md5 ($password) + $salt )

    The problem here is that two md5's are being done and the salt is dynamic (exists in the user.salt table);

    My idea would be to give Auth_MySQL_Encryption_Types the name of a stored procedure (or just StoredProcedure and then have another param that takes the procedure name).  This stored proc then takes the username and password (both properly escaped, of course) as it's inputs and returns the hash for comparison to the DB.

    From what I've read of the docs, this isn't currently possible, nor is there anything that really does what I'm trying to achieve (but perhaps I'm missing some kind of trick).

    Note: I'm trying to drive all of my auth from the main site's user DB rather than embed additional HTTP auth into the vB source files/templates on the test sites that I've got (as I routinely overwrite those based on the backups of the main site).

    Anyone have any suggestions or is this more of an enhancement request?

     
  • Imran Chaudhry
    Imran Chaudhry
    2009-11-18

    If you don't have to maintain backwards compatibility with a bunch of hashed passwords then why not just change the PHP function that VB uses?

    $hash = md5($password);

    I'm using libapache2-mod-auth-mysql package on Debian Lenny which also has:

    Auth_MySQL_Encryption_Types PHP_MD5

    which will work with that.