
I want to use Postfix+Dovecot as email solution. We already have a website with Woltlab Burning Board running. Some of these users (support staff, moderators, devs) will get an email address.

The most comfortable way (as administrator) is to use the login credentials from the Burning Board. The problem is that I failed to check the password. Burning Board is using double-salted bcrypt hashes and I have no idea how to build a MySQL statement which is able to check the password against the hash.

You can see the password check here: https://github.com/WoltLab/WCF/blob/master/wcfsetup/install/files/lib/util/PasswordUtil.class.php ("test123" results in: "$2a$08$15yH0BYHr2XVzdT64dmSQO1yBHOUU.HkB72J1eGQcKRu8FDC5RXMG")

Is there any way to check the double-salted password hashes directly in MySQL? If not, can I use a PHP script to check the user credentials (I have heard SASL supports this)?

Thanks for your help!

Nazmul

1 Answer


I was able to write a plain PHP script to validate the password using the WCF provided utilities:

<?php
namespace wcf\util;

// PasswordUtil.class.php lives in WCF's lib/util directory; adjust the path
// if this script is not placed next to it.
require("PasswordUtil.class.php");

$password = "test123";
// Single quotes so that none of the "$..." segments can be read as variables.
$dbHash = '$2a$08$7EMZdBTk1SwHyCQApSGLL.8/rL.zEHpOAJgR3ogfBKW0epSWtXnLS';

// Re-hash the candidate password with the salt embedded in the stored hash
// (crypt() uses only the leading "$2a$08$" + 22-character salt of $dbHash).
$dsHash = PasswordUtil::getDoubleSaltedHash($password, $dbHash);

// Constant-time comparison, so the check does not leak how many leading
// characters of the hash matched.
if (PasswordUtil::secureCompare($dbHash, $dsHash)) {
    echo "Password is valid.\n";
} else {
    echo "Password is invalid.\n";
}

I don't believe MySQL gives you a convenient route to a bcrypt function. It does look like the WCF might be able to be forced to give you a different password hash (although this may take source changes). In that case, you may be able to use MySQL's SHA or AES crypt functions to do what you want.

Allen Luce
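As an added example (not part of the answer above and not WCF's own code), the same check can be done without loading WCF at all, so the mail host only needs PHP. It assumes what PasswordUtil.class.php shows: the double-salted hash is bcrypt applied twice with the same salt, crypt(crypt($password, $salt), $salt), where the salt is the "$2a$08$" prefix plus the 22 salt characters at the start of the stored hash. The function names wcfDoubleSaltedHash and wcfCheckPassword, the format check and the command-line usage are assumptions of this example.

```php
<?php
// Added example, not WCF code: re-implementation of the double-salted bcrypt
// check so that it can run on a mail server without the WCF code base.
// Assumed structure (from PasswordUtil.class.php):
//   doubleSaltedHash = crypt(crypt($password, $salt), $salt)

// "$2a$" + cost "08$" + 22 salt characters.
const BCRYPT_SALT_LENGTH = 29;
// Salt plus the 31-character hash body.
const BCRYPT_HASH_LENGTH = 60;

function wcfDoubleSaltedHash(string $password, string $salt): string
{
    // First round: ordinary bcrypt of the password.
    $inner = crypt($password, $salt);
    // Second round: bcrypt of the first-round hash, same salt.
    return crypt($inner, $salt);
}

function wcfCheckPassword(string $password, string $dbHash): bool
{
    // Reject anything that is not a bcrypt hash before calling crypt(): on a
    // malformed salt crypt() returns a short failure marker ("*0" or "*1")
    // instead of a hash.
    if (strlen($dbHash) !== BCRYPT_HASH_LENGTH
        || !preg_match('/^\$2[axy]\$\d{2}\$/', $dbHash)) {
        return false;
    }
    $salt = substr($dbHash, 0, BCRYPT_SALT_LENGTH);
    $candidate = wcfDoubleSaltedHash($password, $salt);
    // hash_equals() is constant-time and returns false on a length mismatch,
    // which also covers a crypt() failure marker.
    return hash_equals($dbHash, $candidate);
}

// Usage: php check.php <password> <hash taken from the board's user table>
// Exit code 0 means the password matched, 1 means it did not.
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $ok = wcfCheckPassword($argv[1], $argv[2]);
    fwrite(STDOUT, $ok ? "Password is valid.\n" : "Password is invalid.\n");
    exit($ok ? 0 : 1);
}
```

The prefix and length check is there because crypt() does not throw on a bad salt; it returns a short failure string, and a hash that is not bcrypt (for example a legacy hash from an older board version) should be rejected before any hashing happens. hash_equals() keeps the final comparison constant-time, which is the property the answer's PasswordUtil::secureCompare call provides.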