password_converter_mod.txt

##
##
##        Mod title:  Password converter
##
##      Mod version:  1.1
##  Works on FluxBB:  1.4.7, 1.4.6, 1.4.5, 1.4.4, 1.4.3, 1.4.2, 1.4.1, 1.4, 1.4-rc3
##     Release date:  2010-07-21
##           Author:  Daris (daris91+fluxbb@gmail.com)
##
##      Description:  Converts user password to FluxBB style on first login after database conversion.
##
##   Affected files:  login.php
##
##       Affects DB:  No
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    FluxBB. Installation of this modification is done at
##                    your own risk. Backup your forum database and any and
##                    all applicable files before proceeding.
##
##       Changelog:   1.1 - Added support for later SMF 2 password hashing (@olimortimer)
##

#
#-------------[ 2. OPEN ]----------------
#

login.php

#
#-------------[ 3. FIND ]----
#

		if (!empty($cur_user['salt']))
		{
			if (sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
			{
				$authorized = true;

				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
			}
		}

#
#-------------[ 4. REPLACE WITH ]----------------
#

		if (!empty($cur_user['salt']))
		{
			if (md5(md5($form_password).$cur_user['salt']) == $cur_user['password'] || // vBulletin password
				strlen($cur_user['salt']) == 4 && sha1(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // SMF 2 password
				strlen($cur_user['salt']) == 4 && sha1(strtolower($form_username).$form_password) == $cur_user['password'] || // Later SMF 2 password
				strlen($cur_user['salt']) == 8 && md5(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // MyBB password
				strlen($cur_user['password']) == 32 && md5(md5($cur_user['salt']).md5($form_password)) == $cur_user['password'] || // IPB password
				sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
			{
				$authorized = true;

				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
			}
		}
		elseif (!isset($cur_user['salt']) || empty($cur_user['salt']) && phpBB3_password_check($form_password, $cur_user['password']))
		{
			$authorized = true;

			$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
		}

#
#-------------[ 4. ADD AT END OF FILE ]----------------
#

// Special encryption used by phpBB3.
function phpBB3_password_check($password, $hash)
{
	if (strlen($hash) != 34) return false;

	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	function hash_and_encode($input, $count, &$itoa64)
	{
		$output = '';
		$i = 0;

		do {
			$value = ord($input[$i++]);
			$output .= $itoa64[$value & 0x3f];

			if ($i < $count) $value |= ord($input[$i]) << 8;
			$output .= $itoa64[($value >> 6) & 0x3f];
			if ($i++ >= $count) break;
			if ($i < $count) $value |= ord($input[$i]) << 16;
			$output .= $itoa64[($value >> 12) & 0x3f];
			if ($i++ >= $count) break;
			$output .= $itoa64[($value >> 18) & 0x3f];
		}
		while ($i < $count);

		return $output;
	}

	function hash_and_crypt($password, $setting, &$itoa64)
	{
		$output = '*';
		// Check for correct hash
		if (substr($setting, 0, 3) != '$H$') return $output;
		$count_log2 = strpos($itoa64, $setting[3]);
		if ($count_log2 < 7 || $count_log2 > 30) return $output;

		$count = 1 << $count_log2;
		$salt = substr($setting, 4, 8);

		if (strlen($salt) != 8) return $output;

		$hash = pack('H*', md5($salt . $password));
		do {
		  $hash = pack('H*', md5($hash . $password));
		}
		while (--$count);

		$output = substr($setting, 0, 12);
		$output .= hash_and_encode($hash, 16, $itoa64);
		return $output;
	}

	return (hash_and_crypt($password, $hash, $itoa64) === $hash) ? true : false;
}