Hi, hopefully someone can help.

I have to update a user's details in a MySQL Drupal environment from a VB.NET application/ASP.

So the user changes their password using classic ASP, which calls a .COM compliant DLL Class written in VB.NET.

The instructions I have found are:

Here is an example hash from Drupal 7:

"pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"

The characters 0-2 are the type ( $S$ is Drupal 7 )

The character 3 is the number of log2 rounds (X) based on the position of the char in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'. So in our example 'D' would map to 15.
The characters 4-11 are the SALT
The rest is a SHA512 hash using 2^X rounds.
The binary result is then converted to a string using base64.

$count = 1 << $count_log2;
$hash = hash($algo, $salt . $password, TRUE);
do {
  $hash = hash($algo, $hash . $password, TRUE);
} while (--$count);


Not being a cryptographer of any sort, I found to encrypt a string into SHA512 using VB.NET I can use this code:

Private Function EncryptSHA512Managed(ByVal ClearString As String) As String
    Dim uEncode As New UnicodeEncoding()
    Dim bytClearString() As Byte = uEncode.GetBytes(ClearString)
    Dim sha As New System.Security.Cryptography.SHA512Managed()
    Dim hash() As Byte = sha.ComputeHash(bytClearString)
    Dim Z As Integer = 0

    For Z = 1 To HowManyTimes - 1
        hash2 = sha.ComputeHash(hash)
        hash = hash2
    Next

    Return Convert.ToBase64String(hash2)
End Function


So from what I understand about the PHP explanation (and I have never used PHP) I would do something like this:

Private Function EncryptionStringForDrupal() As String
    Dim EncStr As String = "apassword"

    ' Going to use TestSalt as my salt test.

    Return "$S$DTestSalt" & EncryptSHA512Managed("TestSalt" & EncStr)

End Function


With the "D" in the example PHP text, that's 15^2 and it comes out as 32,768 encryption loops, and the resulting Drupal encrypted password comes out as:

$S$DTestSaltTjmIXDexvVOnQDA4ojamH2PFxVrfIKJLJBKNtclZaxs/LHiF8Wxx2kMb03qeo+FUK7prxEiKfToY50ZG0SQ3QA==

But it's still wrong -

What I have tried:

Banging head against wall, but it did not solve it.
Posted
Updated 30-Jan-19 22:31pm
v2
Comments
Patrice T 30-Jan-19 11:42am    
15^2 means 15*15, so it is not 32768, but 225.
Richard Deeming 30-Jan-19 13:27pm    
Based on the rest of the description, that's a typo in the question - the OP meant 2^15, not 15^2. :)
Member 12561559 31-Jan-19 1:43am    
Thanks and yes, I got the values around the wrong way, thanks Patrice! So if it's 2^15 then it is 32768 times? That's what the ^ calc says?
Richard Deeming 30-Jan-19 13:31pm    
NB: If "D" maps to 15, then "." maps to 0, not 1. :)

2^0 = 1, so with ".", you would only hash the value once, which wouldn't be particularly secure.

You've also forgotten to add the salt to the final string.
Member 12561559 31-Jan-19 1:42am    
Have updated my question to include changes proposed, but still no luck :(
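
Added example, not part of the original thread and not Drupal's own code: a VB.NET port of the Drupal 7 `$S$` scheme quoted in the question, showing the points where a plain SHA-512 loop diverges from it (UTF-8 password bytes, the password re-appended on every round, Drupal's own 64-character alphabet instead of `Convert.ToBase64String`, and truncation to 55 characters). The names `DrupalPassword`, `Encode64`, `HashPassword` and `Verify` are chosen here for illustration; the cost limits 7 to 30 and the 55-character length follow Drupal 7's `password.inc`.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Public Module DrupalPassword
    ' Drupal's alphabet, not the RFC 4648 one used by Convert.ToBase64String.
    Private Const Itoa64 As String = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

    ' 3 bytes -> 4 characters, lowest 6 bits first, no "=" padding.
    Private Function Encode64(data As Byte()) As String
        Dim sb As New StringBuilder()
        For i As Integer = 0 To data.Length - 1 Step 3
            Dim value As Integer = data(i)
            If i + 1 < data.Length Then value = value Or (CInt(data(i + 1)) << 8)
            If i + 2 < data.Length Then value = value Or (CInt(data(i + 2)) << 16)
            For k As Integer = 0 To Math.Min(data.Length - i, 3)
                sb.Append(Itoa64((value >> (6 * k)) And &H3F))
            Next
        Next
        Return sb.ToString()
    End Function

    ' setting: "$S$" + cost character + 8-character salt (a full stored hash also works).
    Public Function HashPassword(password As String, setting As String) As String
        If setting Is Nothing OrElse setting.Length < 12 OrElse Not setting.StartsWith("$S$", StringComparison.Ordinal) Then Throw New ArgumentException("not a $S$ hash")
        Dim countLog2 As Integer = Itoa64.IndexOf(setting(3))
        If countLog2 < 7 OrElse countLog2 > 30 Then Throw New ArgumentException("cost out of range")
        Dim pw As Byte() = Encoding.UTF8.GetBytes(password)           ' UTF-8, not UTF-16
        Dim salt As Byte() = Encoding.ASCII.GetBytes(setting.Substring(4, 8))
        Using sha As SHA512 = SHA512.Create()
            Dim hash As Byte() = sha.ComputeHash(salt.Concat(pw).ToArray())
            For n As Long = 1 To 1L << countLog2
                hash = sha.ComputeHash(hash.Concat(pw).ToArray())     ' password re-appended each round
            Next
            Return (setting.Substring(0, 12) & Encode64(hash)).Substring(0, 55)
        End Using
    End Function

    ' Recompute with the stored setting; compare without an early exit.
    Public Function Verify(password As String, stored As String) As Boolean
        Dim computed As String = HashPassword(password, stored)
        Dim diff As Integer = computed.Length Xor stored.Length
        For i As Integer = 0 To Math.Min(computed.Length, stored.Length) - 1
            diff = diff Or (AscW(computed(i)) Xor AscW(stored(i)))
        Next
        Return diff = 0
    End Function
End Module
```

When setting a new password, build the 8-character salt from the same alphabet using a cryptographic random number generator rather than a fixed string, and call `HashPassword(newPassword, "$S$D" & salt)`.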

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


