Log in using OD password

Post by gargatok » Fri Feb 12, 2021 12:53 pm

We have an old PHP program where staff could log in and check the schedule and calendar. It was using its own database of users.
I wanted to use the userod table, so the users can log in using their OD password. (I'm only interested in the now standard sha3-512 hashing).

I was digging in OD source code, trying to find out what and how it stores.

In Misc/Authentication.cs I find this:

    private static string EncodePass(HashTypes hashType, string passHash, string salt) {
        //No need to check RemotingRole; no call to db.
        return string.Join("$",new string[] { hashType.ToString(),salt,passHash });
    }

This exactly matches what is in the DB: SHA3_512$salt$hash

Now I try to generate this hash in PHP at authentication, but I need to know how:

In Authentication.cs I find this regarding generating the hash:

    public static string HashPasswordSHA512(string inputPass,string salt="") {
        //No need to check RemotingRole; no call to db.
        if(string.IsNullOrEmpty(inputPass)) {
            return "";
        }
        byte[] unicodeBytes=Encoding.Unicode.GetBytes(salt+inputPass);
        byte[] hashBytes=ODCrypt.Sha3.Hash(unicodeBytes);
        return Convert.ToBase64String(hashBytes);
    }

So here, unicodebytes is UTF-16 in little endian byte order.
Then there is ODCrypt that makes the sha3 hash, and then we return a base64 encoded string.

My question is: where do I find the source for ODCrypt? I only find ODCrypt.dll, and some references to it, by digging in the files downloaded by Tortoise SVN:
C:\development\Shared Projects Subversion\ODCrypt

How can I see the source code of ODCrypt? Somehow what it generates is only 64 bytes long, this becomes 88 characters in base64, which is fine. Until now I'm unable to replicate the hashing of passwords in my PHP scripts because I don't understand what ODCrypt does.

Thanks a lot!
Gergely

Post by jordansparks » Mon Feb 15, 2021 12:00 pm

That's one that we had to obfuscate. So that code isn't available. I just looked at the code. It seems to be based on KeccakNISTInterface.c from http://keccak.noekeon.org/
Jordan Sparks, DMD
http://www.opendental.com

Post by gargatok » Tue Mar 02, 2021 6:32 am

Hi Jordan, thank you for your reply!

What I wanted to know is where conversions happen between UTF8 and UTF16-LE and back, or if the stored salt is converted back from base64 or not when generating the hash. But after some experimentation, this PHP7 code seems to generate the same hash as what OD generates.

$salt is the base64 encoded version of the salt stored in the db.
$hashType is SHA3_512

//create the hash using the password and salt
$hash = base64_encode(hash('sha3-512', mb_convert_encoding($salt . $this->getRequest()->getPost('password'), "UTF-16LE"), true));
$hash = $hashType . '$' . $salt . '$' . $hash;

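The login check this thread works toward, as an added example that is not code from the posts or from Open Dental: it parses the stored `SHA3_512$salt$hash` string, recomputes the hash the way the last post reports, and compares in constant time. The function names are hypothetical, and it assumes PHP 7.1+ with mbstring and a UTF-8 password string.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical; the scheme is the one
// reported in the post above: base64(SHA3-512(UTF-16LE(salt . password))).
function od_hash_password(string $password, string $salt): string
{
    // The salt is concatenated exactly as stored, without base64-decoding it.
    // Assumption: $password arrives as UTF-8.
    $bytes = mb_convert_encoding($salt . $password, 'UTF-16LE', 'UTF-8');
    return base64_encode(hash('sha3-512', $bytes, true));
}

function od_verify_password(string $password, string $stored): bool
{
    // Stored format from EncodePass(): HashType$salt$hash
    $parts = explode('$', $stored);
    if (count($parts) !== 3) {
        return false;
    }
    [$hashType, $salt, $expected] = $parts;

    // Only SHA3_512 is handled; other hash types and empty values fail closed
    // (HashPasswordSHA512 returns "" for an empty password).
    if ($hashType !== 'SHA3_512' || $password === '' || $expected === '') {
        return false;
    }

    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($expected, od_hash_password($password, $salt));
}

// Constructed sample values, not taken from a real userod table.
$salt   = base64_encode('constructed-salt');
$stored = 'SHA3_512$' . $salt . '$' . od_hash_password('correct horse', $salt);

var_dump(od_verify_password('correct horse', $stored)); // matching password
var_dump(od_verify_password('wrong guess', $stored));   // wrong password
var_dump(od_verify_password('correct horse', 'MD5$x')); // malformed stored value
```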