Expected string representation of 411 byte array when logging in

[danielcrenna]

I'm using Thrift that I've built using the latest netcore bits to generate a client. The methods accessing actordb seem to work, as in, I can login with the usual login(username,password method just fine.

However, I'm trying to implement login using the salted 411 password and failing miserably. I've taken the algorithm for 411 scrambling directly from MySqlConnector for .NET as a starting point. Once I have the final hash byte array, every thing I've attempted to return it to a string that will be recognized by the thrift client has failed. I only see a single login method in Thrift so I assume I can pass the stringified byte array into that.

I've tried byte[]->base64string, byte[]->hexstring with and without leading 0x, and raw UTF8 conversion. I am missing the encoding or something similar that ActorDB's Thrift interface is expecting the hash's string representation to be.

public async Task<bool> LoginSecureAsync(string username, string password)
{
    byte[] seed = await _thrift.saltAsync(_cancel.Token);
    byte[] hash = Get411Password(password, seed);
    string pass = ?? // Convert.ToBase64String(hash);  //Encoding.UTF8.GetString(hash); // $"0x{hash.Hex()}";
    var result = await _thrift.loginAsync(username, pass, _cancel.Token);
    return result.Success;
}

public static byte[] Get411Password(string password, byte[] seed)
{
    if (password.Length == 0) return new byte[1];
    SHA1 sha = new SHA1CryptoServiceProvider();
    byte[] firstHash = sha.ComputeHash(Encoding.Default.GetBytes(password));
    byte[] secondHash = sha.ComputeHash(firstHash);
			
    byte[] input = new byte[seed.Length + secondHash.Length];
    Array.Copy(seed, 0, input, 0, seed.Length);
    Array.Copy(secondHash, 0, input, seed.Length, secondHash.Length);
    byte[] thirdHash = sha.ComputeHash(input);

    byte[] finalHash = new byte[thirdHash.Length + 1];
    finalHash[0] = 0x14;
    Array.Copy(thirdHash, 0, finalHash, 1, thirdHash.Length);

    for (int i = 1; i < finalHash.Length; i++)
        finalHash[i] = (byte)(finalHash[i] ^ firstHash[i - 1]);
        return finalHash;
    }
}

[SergejJurecko]

Agh this is a shortcoming on our side as we did not consider other languages enough. It actually expects password to be a direct binary not utf8, base64 or hex. This of course means its impossible to use from lots of languages that take their types more seriously.

[danielcrenna]

Excellent, I just changed the adbt.thrift file's login line to:

LoginResult login(1: required string username, 2: required binary password) throws (1:InvalidRequestException ire), 

And I'm back in business. This might not be a general fix for everyone but I don't see the harm for static languages. I'll just have to watch for changes to the official Thrift interface.

Thanks!