michael.heier/jellyfin
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

sha256 with salt auth and sha1 interop

Browse Source
This commit is contained in:
Phallacy 2019-02-12 02:16:03 -08:00
parent 8bf88f4cb2
commit 05bbf71b6d
5 changed files with 1389 additions and 1264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
View File

@ -10,7 +10,7 @@ namespace Emby.Server.Implementations.Cryptography
public class CryptographyProvider : ICryptoProvider
{
private List<string> SupportedHashMethods = new List<string>();
private string DefaultHashMethod = "SHA256";
public string DefaultHashMethod => "SHA256";
private RandomNumberGenerator rng;
private int defaultiterations = 1000;
public CryptographyProvider()

169
Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
View File

@ -1,4 +1,5 @@
using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MediaBrowser.Controller.Authentication;
@ -19,31 +20,110 @@ namespace Emby.Server.Implementations.Library
public bool IsEnabled => true;
//This is dumb and an artifact of the backwards way auth providers were designed.
//This version of authenticate was never meant to be called, but needs to be here for interface compat
//Only the providers that don't provide local user support use this
public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
{
throw new NotImplementedException();
}
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
{
if (resolvedUser == null)
{
throw new Exception("Invalid username or password");
}
var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
if (!success)
{
throw new Exception("Invalid username or password");
}
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
//This is the verson that we need to use for local users. Because reasons.
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
{
ConvertPasswordFormat(resolvedUser);
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
bool success = false;
if (resolvedUser == null)
{
success = false;
throw new Exception("Invalid username or password");
}
if (!resolvedUser.Password.Contains("$"))
{
ConvertPasswordFormat(resolvedUser);
}
PasswordHash ReadyHash = new PasswordHash(resolvedUser.Password);
byte[] CalculatedHash;
string CalculatedHashString;
if (_cryptographyProvider.GetSupportedHashMethods().Any(i => i == ReadyHash.Id))
{
if (String.IsNullOrEmpty(ReadyHash.Salt))
{
CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes);
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
}
else
{
CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes, ReadyHash.SaltBytes);
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
}
if (CalculatedHashString == ReadyHash.Hash)
{
success = true;
//throw new Exception("Invalid username or password");
}
}
else
{
success = false;
throw new Exception(String.Format("Requested crypto method not available in provider: {0}", ReadyHash.Id));
}
//var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
if (!success)
{
throw new Exception("Invalid username or password");
}
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
}
//This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
//but at least they are in the new format.
private void ConvertPasswordFormat(User user)
{
if (!string.IsNullOrEmpty(user.Password))
{
if (!user.Password.Contains("$"))
{
string hash = user.Password;
user.Password = String.Format("$SHA1${0}", hash);
}
if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
{
string hash = user.EasyPassword;
user.EasyPassword = String.Format("$SHA1${0}", hash);
}
}
}
// OLD VERSION //public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
// OLD VERSION //{
// OLD VERSION // if (resolvedUser == null)
// OLD VERSION // {
// OLD VERSION // throw new Exception("Invalid username or password");
// OLD VERSION // }
// OLD VERSION //
// OLD VERSION // var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
// OLD VERSION //
// OLD VERSION // if (!success)
// OLD VERSION // {
// OLD VERSION // throw new Exception("Invalid username or password");
// OLD VERSION // }
// OLD VERSION //
// OLD VERSION // return Task.FromResult(new ProviderAuthenticationResult
// OLD VERSION // {
// OLD VERSION // Username = username
// OLD VERSION // });
// OLD VERSION //}
public Task<bool> HasPassword(User user)
{
var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
@ -57,19 +137,26 @@ namespace Emby.Server.Implementations.Library
public Task ChangePassword(User user, string newPassword)
{
string newPasswordHash = null;
if (newPassword != null)
//string newPasswordHash = null;
ConvertPasswordFormat(user);
PasswordHash passwordHash = new PasswordHash(user.Password);
if(passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
{
newPasswordHash = GetHashedString(user, newPassword);
passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
passwordHash.Salt = BitConverter.ToString(passwordHash.SaltBytes).Replace("-","");
passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
}else if (newPassword != null)
{
passwordHash.Hash = GetHashedString(user, newPassword);
}
if (string.IsNullOrWhiteSpace(newPasswordHash))
if (string.IsNullOrWhiteSpace(passwordHash.Hash))
{
throw new ArgumentNullException(nameof(newPasswordHash));
throw new ArgumentNullException(nameof(passwordHash.Hash));
}
user.Password = newPasswordHash;
user.Password = passwordHash.ToString();
return Task.CompletedTask;
}
@ -86,19 +173,39 @@ namespace Emby.Server.Implementations.Library
return GetHashedString(user, string.Empty);
}
public string GetHashedStringChangeAuth(string NewPassword, PasswordHash passwordHash)
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(NewPassword), passwordHash.SaltBytes)).Replace("-", string.Empty);
}
/// <summary>
/// Gets the hashed string.
/// </summary>
public string GetHashedString(User user, string str)
{
var salt = user.Salt;
if (salt != null)
public string GetHashedString(User user, string str)
{
//This is legacy. Deprecated in the auth method.
//return BitConverter.ToString(_cryptoProvider2.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
PasswordHash passwordHash;
if (String.IsNullOrEmpty(user.Password))
{
passwordHash = new PasswordHash(_cryptographyProvider);
}
else
{
// return BCrypt.HashPassword(str, salt);
ConvertPasswordFormat(user);
passwordHash = new PasswordHash(user.Password);
}
if (passwordHash.SaltBytes != null)
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str), passwordHash.SaltBytes)).Replace("-",string.Empty);
}
else
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
//throw new Exception("User does not have a hash, this should not be possible");
}
// legacy
return BitConverter.ToString(_cryptographyProvider.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
}
}
}

2416
Emby.Server.Implementations/Library/UserManager.cs
View File

File diff suppressed because it is too large Load Diff

29
MediaBrowser.Model/Cryptography/ICryptoProvider.cs
View File

@ -1,15 +1,15 @@
using System;
using System.IO;
using System.Collections.Generic;
namespace MediaBrowser.Model.Cryptography
{
public interface ICryptoProvider
{
Guid GetMD5(string str);
byte[] ComputeMD5(Stream str);
byte[] ComputeMD5(byte[] bytes);
byte[] ComputeSHA1(byte[] bytes);
using System;
using System.IO;
using System.Collections.Generic;
namespace MediaBrowser.Model.Cryptography
{
public interface ICryptoProvider
{
Guid GetMD5(string str);
byte[] ComputeMD5(Stream str);
byte[] ComputeMD5(byte[] bytes);
byte[] ComputeSHA1(byte[] bytes);
IEnumerable<string> GetSupportedHashMethods();
byte[] ComputeHash(string HashMethod, byte[] bytes);
byte[] ComputeHashWithDefaultMethod(byte[] bytes);
@ -17,5 +17,6 @@ namespace MediaBrowser.Model.Cryptography
byte[] ComputeHashWithDefaultMethod(byte[] bytes, byte[] salt);
byte[] ComputeHash(PasswordHash hash);
byte[] GenerateSalt();
}
}
string DefaultHashMethod { get; }
}
}

37
MediaBrowser.Model/Cryptography/PasswordHash.cs
View File

@ -33,15 +33,15 @@ namespace MediaBrowser.Model.Cryptography
if (a.Length == 4)
{
Salt = a[2];
SaltBytes = Convert.FromBase64CharArray(Salt.ToCharArray(), 0, Salt.Length);
SaltBytes = FromByteString(Salt);
Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length);
HashBytes = FromByteString(Hash);
}
else
{
Salt = string.Empty;
Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length);
HashBytes = FromByteString(Hash);
}
}
else
@ -49,15 +49,15 @@ namespace MediaBrowser.Model.Cryptography
if (a.Length == 4)
{
Salt = a[2];
SaltBytes = Convert.FromBase64CharArray(Salt.ToCharArray(), 0, Salt.Length);
SaltBytes = FromByteString(Salt);
Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length);
HashBytes = FromByteString(Hash);
}
else
{
Salt = string.Empty;
Hash = a[2];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length);
HashBytes = FromByteString(Hash);
}
}
@ -68,7 +68,17 @@ namespace MediaBrowser.Model.Cryptography
{
Id = "SHA256";
SaltBytes = cryptoProvider2.GenerateSalt();
Salt = Convert.ToBase64String(SaltBytes);
Salt = BitConverter.ToString(SaltBytes).Replace("-", "");
}
private byte[] FromByteString(string ByteString)
{
List<byte> Bytes = new List<byte>();
for (int i = 0; i < ByteString.Length; i += 2)
{
Bytes.Add(Convert.ToByte(ByteString.Substring(i, 2),16));
}
return Bytes.ToArray();
}
private string SerializeParameters()
{
@ -77,7 +87,7 @@ namespace MediaBrowser.Model.Cryptography
{
ReturnString += String.Format(",{0}={1}", KVP.Key, KVP.Value);
}
if (ReturnString[0] == ',')
if ((!string.IsNullOrEmpty(ReturnString)) && ReturnString[0] == ',')
{
ReturnString = ReturnString.Remove(0, 1);
}
@ -85,8 +95,15 @@ namespace MediaBrowser.Model.Cryptography
}
public override string ToString()
{
return String.Format("${0}${1}${2}${3}", Id, SerializeParameters(), Salt, Hash);
{
string OutString = "$";
OutString += Id;
if (!string.IsNullOrEmpty(SerializeParameters()))
OutString += $"${SerializeParameters()}";
if (!string.IsNullOrEmpty(Salt))
OutString += $"${Salt}";
OutString += $"${Hash}";
return OutString;
}
}