
SMF 2.1 bridge

Started by skulls, December 19, 2014, 10:43:32 PM


skulls

2.1 is now in beta release.  Sure it's early but what changes must be done to the bridge config to make it work?  2.1 is using bcrypt.   ;)

skulls

Are there plans to create an updated bridge?  It would be preferable to still be able to use Coppermine, though the upgrade has higher priority along with any bridgable gallery.

phill104

It's not something that we have looked at yet but I am sure one of the team or someone in the community (hint intended) will look into updating the current bridge.
It is a mistake to think you can solve any major problems just with potatoes.

pols1337

Lots of nice things in SMF 2.1

skulls

Quote from: Phill Luckhurst on December 24, 2014, 06:44:34 PM
It's not something that we have looked at yet but I am sure one of the team or someone in the community (hint intended) will look into updating the current bridge.

Awesome!  Thanks Phill!


Quote from: pols1337 on December 25, 2014, 01:20:21 AM
Lots of nice things in SMF 2.1

Indeed!  I'm running it on a small live site.  The users love it!  I have a large forum I'd like to upgrade when the bridge is patched.   8)

Αndré

Probably stupid question, but does the bridge need to be updated at all? Have you already tested to use the existing bridge?

skulls

Quote from: Αndré on December 26, 2014, 09:42:51 PM
Probably stupid question, but does the bridge need to be updated at all? Have you already tested to use the existing bridge?

Sure have.  The bridge was working on 2.0.9, then no longer after the 2.1 upgrade.  This is on a small site.  I have larger sites to be upgraded soon.   ;)

lurkalot

I'm sure I tried it with 2.1 sometime back and it worked, haven't tried it with the new beta release yet though, but will as soon as I can get Xampp working again, doh.
Running SMF 2.1.4  / Tinyportal 3.0.1, bridged with Coppermine 1.6.25, plus cpmfetch 2.0.0

skulls

It hasn't been long since the bcrypt changeover.  May 28 to be precise.  If this helps anyone here is the merge:

https://github.com/SimpleMachines/SMF2.1/pull/1674


lurkalot

Quote from: skulls on December 27, 2014, 02:24:43 AM
It hasn't been long since the bcrypt changeover.  May 28 to be precise.  If this helps anyone here is the merge:

https://github.com/SimpleMachines/SMF2.1/pull/1674

aha, that explains why it no longer works then.  As of now the bridge works in as much as it will log you into SMF 2.1 from Coppermine, but doesn't log you into Coppermine

skulls

Any takers on this?   ;D

skulls

Don't everyone jump at once.   ;D  This is the future of SMF if coppermine wishes to stay on board.  ;)

gmc

I am certainly interested in this - as I have a large site/gallery that uses the SMF/CPG bridge..
But remember we are all volunteers - and I know personally I can't jump on this right now...

Don't think we aren't interested - but SMF 2.1 is still 'Alpha' from what I see... This isn't a pressing issue for me just yet.

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

lurkalot

Quote from: gmc on January 18, 2015, 05:12:55 PM
I am certainly interested in this - as I have a large site/gallery that uses the SMF/CPG bridge..
But remember we are all volunteers - and I know personally I can't jump on this right now...

Don't think we aren't interested - but SMF 2.1 is still 'Alpha' from what I see... This isn't a pressing issue for me just yet.

Greg

I'm also going to need this, but I'm told by a reliable source,  it's not going to be an easy task by any means.

skulls

Quote from: gmc on January 18, 2015, 05:12:55 PM

But remember we are all volunteers

but SMF 2.1 is still 'Alpha' from what I see.

Greg


Indeed.  Not to sound unappreciative, but at least there is life crackling here.    ;)


http://www.simplemachines.org/community/index.php?topic=530233.0

It's happening.   ;D


Quote from: lurkalot on January 18, 2015, 06:57:35 PM
I'm also going to need this, but I'm told by a reliable source,  it's not going to be an easy task by any means.

Then we should get started!  lol


pols1337

But if the life does stop crackling, there's always Aeva Media for Wedge or the new Levertine Gallery. 

lurkalot

Quote from: pols1337 on January 23, 2015, 02:24:57 AM
But if the life does stop crackling, there's always Aeva Media for Wedge or the new Levertine Gallery.

But that's nothing to do with Coppermine.  Actually I already use Levertine Gallery.  ;)

In fact the author of Levgal was my reliable source mentioned above.  He should know what he's talking about, as he coded most of SMF 2.1 in the first place. ;)

keithsnell1

Quote from: lurkalot on January 18, 2015, 06:57:35 PM
I'm also going to need this, but I'm told by a reliable source,  it's not going to be an easy task by any means.

Any update on developing a bridge for SMF 2.1?  I'm in the process of updating a large website to SMF 2.0.  The site is currently bridged with Coppermine.  I don't want to continue down a path that is in imminent danger of breaking.  If Coppermine's bridge to SMF will break with SMF 2.1, then I'd rather know that now so I can spend my time implementing another solution. 

So...does anyone know if work is being done on a bridge with SMF 2.1?

Thanks,
Keith

lurkalot

Quote from: keithsnell1 on November 19, 2015, 05:44:23 PM
Any update on developing a bridge for SMF 2.1?  I'm in the process of updating a large website to SMF 2.0.  The site is currently bridged with Coppermine.  I don't want to continue down a path that is in imminent danger of breaking.  If Coppermine's bridge to SMF will break with SMF 2.1, then I'd rather know that now so I can spend my time implementing another solution. 

So...does anyone know if work is being done on a bridge with SMF 2.1?

Thanks,
Keith

Arantor who wrote most of SMF 2.1 was going to help me with this, but unfortunately (for us) he got himself new employment which is taking up most of his time.  Not sure it'll be an easy task (or possible) especially if Coppermine does the password hashing inside the SQL - that won't work in 2.1 because of the new password method which must be done PHP-side.

I also need this bridge.  We already adapted a version of Tinyportal 2 for SMF 2.1 beta 2. http://cctestsite.info/testsite3/  So when SMF 2.1 goes gold I'll want to switch asap.

gmc

OK... let's hash this out... (pun intended...)
What SMF did appears to be this:
Use bcrypt for passwords and SHA-512 for cookies
Shift from sha256(sha1(lower(username) . password)) to password_hash(sha1(lower(username) . password), PASSWORD_BCRYPT) which is a PHP 5.5 implementation of a costly bcrypt based algorithm (added a back porting library as well which makes it compatible till minimum of PHP 5.3.7). This is much slower and more secure than a simple one pass sha256.

Also, the cookies are shifted from sha256(password . salt) to sha512(password . salt) to give them that extra spice of security.

Reference from: https://github.com/Dragooon/SMF2.1/commit/6c5c3b11bab0037d0e1a846912cc0b51c0772b1f

Please correct me if I'm wrong - but I don't think we really care about the password logic change - as we route any login/logout requests directly to SMF... The bridge code in smf20.inc.php does contain a password algorithm specified for 'name of the password field' - but not clear where we would ever use it...
The function "udb_hash_db($password)" is marked 'unused'...
I wouldn't expect the login function from udb_base.inc.php to even be used.

So is the issue the change from sha256 to sha512 for the cookies?
There is a session_extraction() function - but this doesn't even reference sha256 today...
I'd need to dig deeper here - unless someone can point me in right direction.

If I can better understand the issue - certainly willing to help..
(I don't have a 2.1 forum to play with yet - but I can fix that shortly...)

Greg
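
Added example, not part of the thread and not SMF or Coppermine code: a PHP sketch of the two password schemes and the cookie change exactly as the commit message quoted in the post above describes them, showing why a bcrypt hash can only be checked PHP-side and never by recomputing it in SQL. All function names and the sample account are hypothetical, and strtolower() standing in for lower() is an assumption.

```php
<?php
// Illustration only. Hash formulas are taken from the commit message quoted
// in the thread; every function name here is hypothetical.

// Pre-hash common to both schemes: sha1(lower(username) . password).
function smf_prehash(string $user, string $pass): string {
    return sha1(strtolower($user) . $pass);   // strtolower() is an assumption
}

// Old scheme as the commit message states it. It is deterministic, so a
// SQL-side "WHERE password = <recomputed hash>" lookup can match it.
function smf_legacy_hash(string $user, string $pass): string {
    return hash('sha256', smf_prehash($user, $pass));
}

// New scheme: bcrypt stores a random salt inside the hash string, so the
// value differs on every call and cannot be recomputed for comparison.
function smf21_hash(string $user, string $pass): string {
    return password_hash(smf_prehash($user, $pass), PASSWORD_BCRYPT);
}

// PHP-side check that accepts either stored format.
function bridge_verify(string $user, string $pass, string $stored): bool {
    if (password_get_info($stored)['algoName'] === 'bcrypt') {
        return password_verify(smf_prehash($user, $pass), $stored);
    }
    // Constant-time comparison for the legacy hex digest.
    return hash_equals($stored, smf_legacy_hash($user, $pass));
}

// Cookie value per the same message: hash(password . salt), where the
// algorithm moved from sha256 to sha512.
function cookie_token(string $password, string $salt, string $algo): string {
    return hash($algo, $password . $salt);
}

// Constructed sample account, for demonstration.
$user = 'Greg';
$pass = 'correct horse';
$first  = smf21_hash($user, $pass);
$second = smf21_hash($user, $pass);

var_dump($first === $second);                         // same input, two hashes
var_dump(bridge_verify($user, $pass, $first));        // bcrypt path
var_dump(bridge_verify($user, $pass, smf_legacy_hash($user, $pass)));
var_dump(bridge_verify($user, 'wrong', $first));      // bad password
var_dump(strlen(cookie_token($first, 'salt', 'sha256')),
         strlen(cookie_token($first, 'salt', 'sha512')));
```

The last line prints the hex lengths of the two cookie digests, which differ, so code that still derives the value with sha256 can never equal one derived with sha512.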