Backupppert/jellyfin
0
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2024-07-05 21:33:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

sha256 with salt auth and sha1 interop

Browse source
This commit is contained in:
Phallacy 2019-02-12 02:16:03 -08:00
parent 8bf88f4cb2
commit 05bbf71b6d
5 changed files with 1389 additions and 1264 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
View file

@ -10,7 +10,7 @@ namespace Emby.Server.Implementations.Cryptography
public class CryptographyProvider : ICryptoProvider public class CryptographyProvider : ICryptoProvider
{ {
private List<string> SupportedHashMethods = new List<string>(); private List<string> SupportedHashMethods = new List<string>();
private string DefaultHashMethod = "SHA256"; public string DefaultHashMethod => "SHA256";
private RandomNumberGenerator rng; private RandomNumberGenerator rng;
private int defaultiterations = 1000; private int defaultiterations = 1000;
public CryptographyProvider() public CryptographyProvider()

133
Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
View file

@ -1,4 +1,5 @@
using System; using System;
using System.Linq;
using System.Text; using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
using MediaBrowser.Controller.Authentication; using MediaBrowser.Controller.Authentication;
@ -19,19 +20,59 @@ namespace Emby.Server.Implementations.Library
public bool IsEnabled => true; public bool IsEnabled => true;
//This is dumb and an artifact of the backwards way auth providers were designed.
//This version of authenticate was never meant to be called, but needs to be here for interface compat
//Only the providers that don't provide local user support use this
public Task<ProviderAuthenticationResult> Authenticate(string username, string password) public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
{ {
throw new NotImplementedException(); throw new NotImplementedException();
} }
//This is the verson that we need to use for local users. Because reasons.
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser) public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
{ {
ConvertPasswordFormat(resolvedUser);
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
bool success = false;
if (resolvedUser == null) if (resolvedUser == null)
{ {
success = false;
throw new Exception("Invalid username or password"); throw new Exception("Invalid username or password");
} }
if (!resolvedUser.Password.Contains("$"))
{
ConvertPasswordFormat(resolvedUser);
}
PasswordHash ReadyHash = new PasswordHash(resolvedUser.Password);
byte[] CalculatedHash;
string CalculatedHashString;
if (_cryptographyProvider.GetSupportedHashMethods().Any(i => i == ReadyHash.Id))
{
if (String.IsNullOrEmpty(ReadyHash.Salt))
{
CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes);
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
}
else
{
CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes, ReadyHash.SaltBytes);
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
}
if (CalculatedHashString == ReadyHash.Hash)
{
success = true;
//throw new Exception("Invalid username or password");
}
}
else
{
success = false;
throw new Exception(String.Format("Requested crypto method not available in provider: {0}", ReadyHash.Id));
}
var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase); //var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
if (!success) if (!success)
{ {
@ -44,6 +85,45 @@ namespace Emby.Server.Implementations.Library
}); });
} }
//This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
//but at least they are in the new format.
private void ConvertPasswordFormat(User user)
{
if (!string.IsNullOrEmpty(user.Password))
{
if (!user.Password.Contains("$"))
{
string hash = user.Password;
user.Password = String.Format("$SHA1${0}", hash);
}
if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
{
string hash = user.EasyPassword;
user.EasyPassword = String.Format("$SHA1${0}", hash);
}
}
}
// OLD VERSION //public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
// OLD VERSION //{
// OLD VERSION // if (resolvedUser == null)
// OLD VERSION // {
// OLD VERSION // throw new Exception("Invalid username or password");
// OLD VERSION // }
// OLD VERSION //
// OLD VERSION // var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
// OLD VERSION //
// OLD VERSION // if (!success)
// OLD VERSION // {
// OLD VERSION // throw new Exception("Invalid username or password");
// OLD VERSION // }
// OLD VERSION //
// OLD VERSION // return Task.FromResult(new ProviderAuthenticationResult
// OLD VERSION // {
// OLD VERSION // Username = username
// OLD VERSION // });
// OLD VERSION //}
public Task<bool> HasPassword(User user) public Task<bool> HasPassword(User user)
{ {
var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user)); var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
@ -57,19 +137,26 @@ namespace Emby.Server.Implementations.Library
public Task ChangePassword(User user, string newPassword) public Task ChangePassword(User user, string newPassword)
{ {
string newPasswordHash = null; //string newPasswordHash = null;
ConvertPasswordFormat(user);
if (newPassword != null) PasswordHash passwordHash = new PasswordHash(user.Password);
if(passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
{ {
newPasswordHash = GetHashedString(user, newPassword); passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
passwordHash.Salt = BitConverter.ToString(passwordHash.SaltBytes).Replace("-","");
passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
}else if (newPassword != null)
{
passwordHash.Hash = GetHashedString(user, newPassword);
} }
if (string.IsNullOrWhiteSpace(newPasswordHash)) if (string.IsNullOrWhiteSpace(passwordHash.Hash))
{ {
throw new ArgumentNullException(nameof(newPasswordHash)); throw new ArgumentNullException(nameof(passwordHash.Hash));
} }
user.Password = newPasswordHash; user.Password = passwordHash.ToString();
return Task.CompletedTask; return Task.CompletedTask;
} }
@ -86,19 +173,39 @@ namespace Emby.Server.Implementations.Library
return GetHashedString(user, string.Empty); return GetHashedString(user, string.Empty);
} }
public string GetHashedStringChangeAuth(string NewPassword, PasswordHash passwordHash)
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(NewPassword), passwordHash.SaltBytes)).Replace("-", string.Empty);
}
/// <summary> /// <summary>
/// Gets the hashed string. /// Gets the hashed string.
/// </summary> /// </summary>
public string GetHashedString(User user, string str) public string GetHashedString(User user, string str)
{ {
var salt = user.Salt; //This is legacy. Deprecated in the auth method.
if (salt != null) //return BitConverter.ToString(_cryptoProvider2.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
PasswordHash passwordHash;
if (String.IsNullOrEmpty(user.Password))
{ {
// return BCrypt.HashPassword(str, salt); passwordHash = new PasswordHash(_cryptographyProvider);
}
else
{
ConvertPasswordFormat(user);
passwordHash = new PasswordHash(user.Password);
}
if (passwordHash.SaltBytes != null)
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str), passwordHash.SaltBytes)).Replace("-",string.Empty);
}
else
{
return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
//throw new Exception("User does not have a hash, this should not be possible");
} }
// legacy
return BitConverter.ToString(_cryptographyProvider.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
} }
} }
} }

2
Emby.Server.Implementations/Library/UserManager.cs
View file

@ -690,7 +690,7 @@ namespace Emby.Server.Implementations.Library
if (!IsValidUsername(name)) if (!IsValidUsername(name))
{ {
throw new ArgumentException("Usernames can contain letters (a-z), numbers (0-9), dashes (-), underscores (_), apostrophes ('), and periods (.)"); throw new ArgumentException("Usernames can contain unicode symbols, numbers (0-9), dashes (-), underscores (_), apostrophes ('), and periods (.)");
} }
if (Users.Any(u => u.Name.Equals(name, StringComparison.OrdinalIgnoreCase))) if (Users.Any(u => u.Name.Equals(name, StringComparison.OrdinalIgnoreCase)))

1
MediaBrowser.Model/Cryptography/ICryptoProvider.cs
View file

@ -17,5 +17,6 @@ namespace MediaBrowser.Model.Cryptography
byte[] ComputeHashWithDefaultMethod(byte[] bytes, byte[] salt); byte[] ComputeHashWithDefaultMethod(byte[] bytes, byte[] salt);
byte[] ComputeHash(PasswordHash hash); byte[] ComputeHash(PasswordHash hash);
byte[] GenerateSalt(); byte[] GenerateSalt();
string DefaultHashMethod { get; }
} }
} }

35
MediaBrowser.Model/Cryptography/PasswordHash.cs
View file

@ -33,15 +33,15 @@ namespace MediaBrowser.Model.Cryptography
if (a.Length == 4) if (a.Length == 4)
{ {
Salt = a[2]; Salt = a[2];
SaltBytes = Convert.FromBase64CharArray(Salt.ToCharArray(), 0, Salt.Length); SaltBytes = FromByteString(Salt);
Hash = a[3]; Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length); HashBytes = FromByteString(Hash);
} }
else else
{ {
Salt = string.Empty; Salt = string.Empty;
Hash = a[3]; Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length); HashBytes = FromByteString(Hash);
} }
} }
else else
@ -49,15 +49,15 @@ namespace MediaBrowser.Model.Cryptography
if (a.Length == 4) if (a.Length == 4)
{ {
Salt = a[2]; Salt = a[2];
SaltBytes = Convert.FromBase64CharArray(Salt.ToCharArray(), 0, Salt.Length); SaltBytes = FromByteString(Salt);
Hash = a[3]; Hash = a[3];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length); HashBytes = FromByteString(Hash);
} }
else else
{ {
Salt = string.Empty; Salt = string.Empty;
Hash = a[2]; Hash = a[2];
HashBytes = Convert.FromBase64CharArray(Hash.ToCharArray(), 0, Hash.Length); HashBytes = FromByteString(Hash);
} }
} }
@ -68,7 +68,17 @@ namespace MediaBrowser.Model.Cryptography
{ {
Id = "SHA256"; Id = "SHA256";
SaltBytes = cryptoProvider2.GenerateSalt(); SaltBytes = cryptoProvider2.GenerateSalt();
Salt = Convert.ToBase64String(SaltBytes); Salt = BitConverter.ToString(SaltBytes).Replace("-", "");
}
private byte[] FromByteString(string ByteString)
{
List<byte> Bytes = new List<byte>();
for (int i = 0; i < ByteString.Length; i += 2)
{
Bytes.Add(Convert.ToByte(ByteString.Substring(i, 2),16));
}
return Bytes.ToArray();
} }
private string SerializeParameters() private string SerializeParameters()
{ {
@ -77,7 +87,7 @@ namespace MediaBrowser.Model.Cryptography
{ {
ReturnString += String.Format(",{0}={1}", KVP.Key, KVP.Value); ReturnString += String.Format(",{0}={1}", KVP.Key, KVP.Value);
} }
if (ReturnString[0] == ',') if ((!string.IsNullOrEmpty(ReturnString)) && ReturnString[0] == ',')
{ {
ReturnString = ReturnString.Remove(0, 1); ReturnString = ReturnString.Remove(0, 1);
} }
@ -86,7 +96,14 @@ namespace MediaBrowser.Model.Cryptography
public override string ToString() public override string ToString()
{ {
return String.Format("${0}${1}${2}${3}", Id, SerializeParameters(), Salt, Hash); string OutString = "$";
OutString += Id;
if (!string.IsNullOrEmpty(SerializeParameters()))
OutString += $"${SerializeParameters()}";
if (!string.IsNullOrEmpty(Salt))
OutString += $"${Salt}";
OutString += $"${Hash}";
return OutString;
} }
} }