How does VB5.1.0 beta validate users with blowfish?

Older Versions
$vb_hash = md5($password . $user[salt]);
if ($vb_hash==$pass)
{
// check subscription etc.
}


Is it something like

crypt("$valid_username . $valid_password", $token) == $secret ?


Thanks

Fair warning: I am pretty green when it comes to vBulletin; also, I'm not a PHP hacker ? so apologies for using the wrong language below. Hopefully somebody else will be able to translate this into sensible PHP.

I needed to do the same thing (for account integration with another application) so I had a rummage through the code and this is what I've come up with:


Is it something like

crypt("$valid_username . $valid_password", $token) == $secret ?

user table field scheme indicates which hashing algorithm to use. You must check this before checking the token field (which contains the actual hash according to the indicated algorithm).

scheme == 'legacy' indicates the old style of password hash (which you outlined), and you will find the necessary salt in secret.

scheme == 'blowfish:10' indicates a 10-round blowfish cipher. The Python code to handle both schemes (using passlib) is:

import hashlib
import passlib.hash
# ...
def check_pw( pw, scheme, pw_hash, salt ):
pw = hashlib.md5( pw ).hexdigest()
if scheme.startswith( 'blowfish' ):
return passlib.hash.bcrypt.verify( pw, pw_hash )
elif scheme == 'legacy':
return hashlib.md5( pw + salt ).hexdigest() == pw_hash


AIUI, the same can be accomplished with bcrypt directly by replacing the passlib line with:

return bcrypt.hashpw( pw, pw_hash ) == pw_hash


Note that for both blowfish and legacy schemes, the raw password should be MD5summed first.

(This puzzles me, because it seems that it restricts the possible input character set and length to [0-9a-f]{32}, but I'm also no crypto expert :erm:)