/// <summary>
///User Verify PasswordHash
/// </summary>
/// <param name="password"></param>
/// <returns>bool</returns>
private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
{
bool IsVerifyed = default(bool);
try
{
//TODO:@AbdelRahman
//Avoid Multiple Return
using (var hmac = new System.Security.Cryptography.HMACMD5(passwordSalt))
{
var CoumputedHash = hmac.ComputeHash(System.Text.Encoding.ASCII.GetBytes(password));
IsVerifyed = true;
for (int i = 0; i < CoumputedHash.Length; i++)
{
if (CoumputedHash[i] != passwordHash[i])
{
IsVerifyed = false;
}
}
}
}
catch (Exception exception)
{
//Logger.Instance.LogException(exception, LogLevel.Medium);
IsVerifyed = false;
}
return(IsVerifyed);
}
public static string MakeTURNAuthToken(string companyNameOrTenant)
{
string key = GetTURNServersKey();
string servers = GetTURNServersList();
if (string.IsNullOrEmpty(key) || string.IsNullOrEmpty(servers))
{
return(string.Empty);
}
DateTime expirationTime = DateTime.UtcNow + TimeSpan.FromMinutes(long.Parse(GetAuthTokenLifetimeMinutes()));
string userCombo = $"{(long)((expirationTime - DateTime.UnixEpoch).TotalSeconds)}:{companyNameOrTenant}";
using (System.Security.Cryptography.HMACMD5 hashAlg = new System.Security.Cryptography.HMACMD5())
{
hashAlg.Key = Encoding.UTF8.GetBytes(key);
byte[] bytes = hashAlg.ComputeHash(Encoding.UTF8.GetBytes(userCombo));
string password = Convert.ToBase64String(bytes);
string token =
$"{{\"username\":\"{userCombo}\", \"password\":\"{password}\", " +
$"\"uris\":[{servers}]}}";
return(token);
}
}
/// <summary>
/// Computes a new hash of <paramref name="data"/> usign the <paramref name="key"/> specified.
/// </summary>
/// <param name="key">A byte array containing the key (secret) to use to generate a hash.</param>
/// <param name="data">A byte arrasy containing the data to be hashed.</param>
/// <returns>A new byte array containing the hash result.</returns>
public byte[] ComputeHash(byte[] key, byte[] data)
{
using (var hasher = new System.Security.Cryptography.HMACMD5(key))
{
return(hasher.ComputeHash(data));
}
}
//// NOTE: Leave out the finalizer altogether if this class doesn't
//// own unmanaged resources itself, but leave the other methods
//// exactly as they are.
//~Encryption()
//{
// // Finalizer calls Dispose(false)
// Dispose(false);
//}
// The bulk of the clean-up code is implemented in Dispose(bool)
protected virtual void Dispose(bool disposing)
{
if (disposing)
{
// Free managed resources.
lock (MacProviderLock)
{
if (_MacProvider != null)
{
_MacProvider.Dispose();
_MacProvider = null;
}
}
lock (RsaProviderLock)
{
if (_RsaProvider != null)
{
_RsaProvider.Dispose();
_RsaProvider = null;
}
}
if (_RsaSignatureHashAlgorithm != null)
{
_RsaSignatureHashAlgorithm.Dispose();
_RsaSignatureHashAlgorithm = null;
}
}
}
/// <summary>
///User Verify PasswordHash
/// </summary>
/// <param name="password"></param>
/// <returns>bool</returns>
private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
{
bool IsVerifyed = default(bool);
try
{
using (var hmac = new System.Security.Cryptography.HMACMD5(passwordSalt))
{
var CoumputedHash = hmac.ComputeHash(System.Text.Encoding.ASCII.GetBytes(password));
IsVerifyed = true;
for (int i = 0; i < CoumputedHash.Length; i++)
{
if (CoumputedHash[i] != passwordHash[i])
{
IsVerifyed = false;
}
}
}
}
catch (Exception exception)
{
IsVerifyed = false;
}
return(IsVerifyed);
}
public static Guid GetGuid(byte[] key, byte[] value)
{
var algorithm = new System.Security.Cryptography.HMACMD5();
var guid = HashHelper.GetGuid(algorithm, key, value);
algorithm.Dispose();
return(guid);
}
private void CreatePaswordHash(string password, out byte[] passHash, out byte[] passSalt)
{
using (var hmac = new System.Security.Cryptography.HMACMD5())
{
passSalt = hmac.Key;
passHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
}
}
private byte[] ComputeHMACMD5HashByPassword(byte[] buf)
{
var hmacMd5 = new System.Security.Cryptography.HMACMD5(Encoding.UTF8.GetBytes(Password));
byte[] encCha = hmacMd5.ComputeHash(buf);
hmacMd5.Clear();
return(encCha);
}
public static Guid GetGuid(string key, long value)
{
var algorithm = new System.Security.Cryptography.HMACMD5();
var guid = HashHelper.GetGuid(algorithm, key, BitConverter.GetBytes(value));
algorithm.Dispose();
return(guid);
}
private static string CalculateHash(string orderRequest)
{
var hashEngine = new System.Security.Cryptography.HMACMD5(new byte[] { 14, 4, 78 });
byte[] hash = hashEngine.ComputeHash(Encoding.UTF8.GetBytes(orderRequest));
string hashString = string.Empty;
foreach (byte x in hash)
{
hashString += string.Format("{0:x2}", x);
}
return(hashString);
}
/// <summary>
/// 独有干扰MD5加密
/// </summary>
/// <param name="data">待加密的数据</param>
/// <param name="key">加密的密钥</param>
/// <returns></returns>
public static string HMACMD5(this string data, byte[] key)
{
if (string.IsNullOrEmpty(data))
{
return(string.Empty);
}
System.Security.Cryptography.HMACMD5 md5Provider = new System.Security.Cryptography.HMACMD5(key);
byte[] hashBuff = md5Provider.ComputeHash(data.ToUpper().ToBytes());
return(hashBuff.ToHexString());
}
/// <summary>
///
/// </summary>
/// <param name="fileLocation"></param>
/// <returns></returns>
public static string CalculateMd5CheckSum(string fileLocation)
{
System.Security.Cryptography.HashAlgorithm hmacMd5 = new System.Security.Cryptography.HMACMD5();
byte[] hashByte;
using (Stream fileStream = new FileStream(fileLocation, FileMode.Open))
using (Stream bufferedStream = new BufferedStream(fileStream, 1200000))
hashByte = hmacMd5.ComputeHash(bufferedStream);
StringBuilder sbResult = new StringBuilder();
for (int i = 0; i < hashByte.Length; i++)
{
sbResult.Append(hashByte[i].ToString("x2"));
}
return sbResult.ToString().ToUpper();
}
private bool VerifyHash(string password, string storedHash)
{
if (string.IsNullOrWhiteSpace(password))
{
throw new ArgumentException("Value cannot be empty, null or whitespace only string.", "password");
}
byte[] key = HashConverter.PlainTextToBytes(Secrets.MD5Key);
using (var hmac = new System.Security.Cryptography.HMACMD5(key))
{
var computedHash = HashConverter.ToString(hmac.ComputeHash(HashConverter.PlainTextToBytes(password)));
return(storedHash == computedHash);
}
}
public static bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
{
using (var hmac = new System.Security.Cryptography.HMACMD5(passwordSalt))
{
var computedHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
for (int i = 0; i < computedHash.Length; i++)
{
if (computedHash[i] != passwordHash[i])
{
return(false);
}
}
}
return(true);
}
/// <summary>
/// Returns HMAC SHA256 hash value of <paramref name="name"/> with "u_" prefix (to comply with SignalR naming requirements)
/// </summary>
public static string GetNameHash(string input, string hashKey)
{
StringBuilder hash = new StringBuilder("u_");
using (System.Security.Cryptography.HMACMD5 hashAlg = new System.Security.Cryptography.HMACMD5())
{
hashAlg.Key = Encoding.UTF8.GetBytes(hashKey.Substring(Math.Min(0, hashKey.Length - 16)));
byte[] bytes = hashAlg.ComputeHash(Encoding.UTF8.GetBytes(input));
for (int i = 0; i < bytes.Length; i++)
{
hash.Append(bytes[i].ToString("x2"));
}
return(hash.ToString());
}
}
//CRAM-MD5で返す文字列を計算する
private static string CreateCramMd5ResponseString(string challenge, string username, string password)
{
//デコードする
byte[] decCha = Convert.FromBase64String(challenge);
//passwordをキーとしてHMAC-MD5で暗号化する
System.Security.Cryptography.HMACMD5 hmacMd5 = new System.Security.Cryptography.HMACMD5(Encoding.UTF8.GetBytes(password));
byte[] encCha = hmacMd5.ComputeHash(decCha);
hmacMd5.Clear();
//16進数の文字列にする
string hexCha = BitConverter.ToString(encCha).Replace("-", "").ToLower();
//usernameを付ける
hexCha = username + " " + hexCha;
//Base64で文字列にする
return(Convert.ToBase64String(Encoding.UTF8.GetBytes(hexCha)));
}
/// <summary>
/// 不使用BouncyCastle的写法
/// </summary>
/// <param name="data"></param>
/// <param name="key"></param>
/// <returns></returns>
public static byte[] Compute2(string data, string key)
{
if (string.IsNullOrEmpty(data))
{
throw new ArgumentNullException(nameof(data));
}
if (string.IsNullOrEmpty(key))
{
throw new ArgumentNullException(nameof(key));
}
using (var hmacMd5 = new System.Security.Cryptography.HMACMD5(Encoding.UTF8.GetBytes(key)))
{
return(hmacMd5.ComputeHash(Encoding.UTF8.GetBytes(data)));
}
}
public void Execute()
{
ProgressChanged(0, 1);
System.Security.Cryptography.HMAC hmacAlgorithm;
switch ((HMACSettings.HashFunction)settings.SelectedHashFunction)
{
case HMACSettings.HashFunction.MD5:
hmacAlgorithm = new System.Security.Cryptography.HMACMD5();
break;
case HMACSettings.HashFunction.RIPEMD160:
hmacAlgorithm = new System.Security.Cryptography.HMACRIPEMD160();
break;
case HMACSettings.HashFunction.SHA1:
hmacAlgorithm = new System.Security.Cryptography.HMACSHA1();
break;
case HMACSettings.HashFunction.SHA256:
hmacAlgorithm = new System.Security.Cryptography.HMACSHA256();
break;
case HMACSettings.HashFunction.SHA384:
hmacAlgorithm = new System.Security.Cryptography.HMACSHA384();
break;
case HMACSettings.HashFunction.SHA512:
hmacAlgorithm = new System.Security.Cryptography.HMACSHA512();
break;
default:
GuiLogMessage("No hash algorithm for HMAC selected, using MD5.", NotificationLevel.Warning);
hmacAlgorithm = new System.Security.Cryptography.HMACMD5();
break;
}
hmacAlgorithm.Key = key;
OutputData = (inputData != null) ? hmacAlgorithm.ComputeHash(inputData.CreateReader()) : hmacAlgorithm.ComputeHash(new byte[] {});
GuiLogMessage(String.Format("HMAC computed. (using hash algorithm {0}: {1})", settings.SelectedHashFunction, hmacAlgorithm.GetType().Name), NotificationLevel.Info);
ProgressChanged(1, 1);
}
private byte[] CreateHash(string password)
{
if (string.IsNullOrWhiteSpace(password))
{
throw new ArgumentException("Value cannot be empty, null or whitespace only string.", "password");
}
string key = Secrets.MD5Key;
byte[] keyByte = HashConverter.PlainTextToBytes(key);
byte[] hash;
using (var hmac = new System.Security.Cryptography.HMACMD5(keyByte))
{
hash = hmac.ComputeHash(HashConverter.PlainTextToBytes(password));
}
return(hash);
}
private static string Encrypt(string secretSalt, string clearSecret)
{
try
{
string returnValue = string.Empty;
secretSalt = GetHexString(secretSalt);
clearSecret = GetHexString(clearSecret);
System.Security.Cryptography.HMACMD5 hash = new System.Security.Cryptography.HMACMD5();
byte[] returnBytes = new byte[secretSalt.Length / 2];
for (int i = 0; i < returnBytes.Length; i++)
{
returnBytes[i] = Convert.ToByte(secretSalt.Substring(i * 2, 2), 16);
}
hash.Key = returnBytes;
string encodedSecret = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(clearSecret)));
#pragma warning disable CA1305 // Specify IFormatProvider
string newSecret = string.Format("{0}{1}", secretSalt, encodedSecret);
#pragma warning restore CA1305 // Specify IFormatProvider
byte[] bytes = Encoding.UTF8.GetBytes(newSecret);
StringBuilder sb = new StringBuilder();
foreach (byte bt in bytes)
{
#pragma warning disable CA1305 // Specify IFormatProvider
sb.AppendFormat("{0:x2}", bt);
#pragma warning restore CA1305 // Specify IFormatProvider
}
returnValue = sb.ToString();
return(returnValue);
}
catch (Exception e)
{
if (e.InnerException != null)
{
throw e.InnerException;
}
throw;
}
}
/// <summary>
/// Computes the HMAC MD5 hash value for the specified byte array.
/// </summary>
/// <param name="bytes">The input to compute the hash code for.</param>
/// <returns>The computed hash code as GUID.</returns>
/// <remarks>
/// One instance of the MD5 Crypto Service Provider
/// can't operate properly with multiple simultaneous threads.
/// Use lock to solve this problem.
/// </remarks>
public Guid ComputeHash(byte[] bytes, byte[] hashKeyBytes = null)
{
byte[] hash;
// If HMAC hash key is not supplied then...
if (hashKeyBytes == null)
{
lock (MacProviderLock)
// Use default from config file.
hash = MacProvider.ComputeHash(bytes);
}
else
{
// Create MD5HMAC hash provider.
var macProvider = new System.Security.Cryptography.HMACMD5();
macProvider.Key = hashKeyBytes;
hash = macProvider.ComputeHash(bytes);
}
return(new Guid(hash));
}
/// <summary>
///User Create PasswordHash
/// </summary>
/// <param name="password"></param>
/// <returns>bool</returns>
private UserPasswordDTO CreatePasswordHash(string password)
{
#region Declare a return type with initial value.
UserPasswordDTO userPasswordDTO = null;
#endregion
try
{
using (var hmac = new System.Security.Cryptography.HMACMD5())
{
userPasswordDTO = new UserPasswordDTO()
{
PasswordSalt = hmac.Key,
PasswordHash = hmac.ComputeHash(System.Text.Encoding.ASCII.GetBytes(password))
};
}
}
catch (Exception exception)
{
// Logger.Instance.LogException(exception, LogLevel.Medium);
}
return(userPasswordDTO);
}
private static string GetMd5Hash(string inp)
{
byte[] keyInBytes = System.Text.UTF8Encoding.UTF8.GetBytes("secret_key");
byte[] payloadInBytes = System.Text.UTF8Encoding.UTF8.GetBytes(inp);
var md5 = new System.Security.Cryptography.HMACMD5(keyInBytes);
byte[] hash = md5.ComputeHash(payloadInBytes);
var result = BitConverter.ToString(hash).Replace("-", string.Empty);
return result;
}
/// <summary>
/// MD5 hash algorithm plus hmac.
/// </summary>
public MD5HMAC()
{
hmac = new System.Security.Cryptography.HMACMD5();
}
private static byte[] MD5Encrypt(Stream stream, string key, Encoding encode)
{
System.Security.Cryptography.HMACMD5 hmac = new System.Security.Cryptography.HMACMD5(encode.GetBytes(key));
return(hmac.ComputeHash(stream));
}
protected void Page_Load(object sender, System.EventArgs e)
{
if (!IsPostBack)
{
StringBuilder sb = new StringBuilder();
if (Request.QueryString["tbl"] != null && Request.QueryString["key"] != null)
{
/* prevent manually constructed request that would lead to information leakage via hashing of
* query string and session secret, only apply for database related retrieval which are all generated by the system
*/
ValidatedQS();
string dbConnectionString;
if (Request.QueryString["sys"] != null)
{
sid = byte.Parse(Request.QueryString["sys"].ToString());
}
else
{
throw new Exception("Please make sure '&sys=' is present and try again.");
}
if (new AdminSystem().IsMDesignDb(Request.QueryString["tbl"].ToString()))
{
dbConnectionString = base.SysConnectStr(sid);
}
else
{
dbConnectionString = base.AppConnectStr(sid);
}
DataTable dt = null;
try
{
if (Request.QueryString["knm"] != null && Request.QueryString["col"] != null) // ImageButton
{
dt = (new AdminSystem()).GetDbImg(Request.QueryString["key"].ToString(), Request.QueryString["tbl"].ToString(), Request.QueryString["knm"].ToString(), Request.QueryString["col"].ToString(), dbConnectionString, base.AppPwd(sid));
Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
string fileContent = RO.Common3.Utils.DecodeFileStream((byte[])dt.Rows[0][0]);
string fileName = "";
string mimeType = "application/octet";
string contentBase64 = "";
System.Web.Script.Serialization.JavaScriptSerializer jss = new System.Web.Script.Serialization.JavaScriptSerializer();
try
{
RO.Common3.FileUploadObj fileInfo = jss.Deserialize <RO.Common3.FileUploadObj>(fileContent);
mimeType = fileInfo.mimeType;
fileName = fileInfo.fileName;
contentBase64 = fileInfo.base64;
}
catch
{
try
{
List <RO.Common3._ReactFileUploadObj> fileList = jss.Deserialize <List <RO.Common3._ReactFileUploadObj> >(fileContent);
List <FileUploadObj> x = new List <FileUploadObj>();
foreach (var fileInfo in fileList)
{
mimeType = fileInfo.mimeType;
fileName = fileInfo.fileName;
contentBase64 = fileInfo.base64;
break;
}
}
catch
{
contentBase64 = fileContent;
fileName = "";
mimeType = "image/jpeg";
}
}
string contentDisposition = "attachment";
if (!string.IsNullOrEmpty(Request.QueryString["inline"]) && Request.QueryString["inline"] == "Y")
{
contentDisposition = "inline";
}
byte[] content = new byte[0];
try
{
content = (byte[])Convert.FromBase64String(contentBase64);
Response.ContentType = mimeType;
Response.AppendHeader("Content-Disposition", contentDisposition + "; Filename=" + fileName);
}
catch (Exception ex)
{
try
{
content = (byte[])dt.Rows[0][0];
Response.ContentType = "image/jpeg";
Response.AppendHeader("Content-Disposition", contentDisposition + "; Filename=");
}
catch { }
}
Response.Flush();
Response.BinaryWrite(content);
Response.End();
}
else // Document.
{
dt = (new AdminSystem()).GetDbDoc(Request.QueryString["key"].ToString(), Request.QueryString["tbl"].ToString(), dbConnectionString, base.AppPwd(sid));
Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
Response.ContentType = dt.Rows[0]["MimeType"].ToString();
string contentDisposition = "attachment";
if (!string.IsNullOrEmpty(Request.QueryString["inline"]) && Request.QueryString["inline"] == "Y")
{
contentDisposition = "inline";
}
Response.AppendHeader("Content-Disposition", contentDisposition + "; Filename=" + dt.Rows[0]["DocName"].ToString());
//Response.AppendHeader("Content-Disposition", "Attachment; Filename=" + dt.Rows[0]["DocName"].ToString());
Response.BinaryWrite((byte[])dt.Rows[0]["DocImage"]);
Response.End();
}
}
catch (Exception err) {
if (!(err is ThreadAbortException))
{
ApplicationAssert.CheckCondition(false, "DnLoadModule", "", err.Message);
}
}
}
else if (Request.QueryString["file"] != null)
{
/* file based download needs to be catered manually by webrule for protected contents
* via access control in the IIS directory level(no access) and gated by dnloadmodule via server side transfer
*/
try
{
bool pub = true;
if (LImpr != null)
{
string UsrGroup = (char)191 + base.LImpr.UsrGroups + (char)191;
if (UsrGroup.IndexOf((char)191 + "25" + (char)191) < 0 && UsrGroup.IndexOf((char)191 + "5" + (char)191) < 0)
{
pub = true;
}
else
{
pub = false;
}
}
string fileName = Request.QueryString["file"].ToString();
string key = Request.QueryString["key"].ToString();
string DownloadLinkCode = Session.SessionID;
byte[] Download_code = System.Text.Encoding.ASCII.GetBytes(DownloadLinkCode);
System.Security.Cryptography.HMACMD5 bkup_hmac = new System.Security.Cryptography.HMACMD5(Download_code);
byte[] Download_hash = bkup_hmac.ComputeHash(System.Text.Encoding.ASCII.GetBytes(fileName));
string Download_hashString = BitConverter.ToString(Download_hash);
bool allowDownload = Download_hashString == key;
fileName = fileName.ToLower().Replace("/guarded/", "/source/");
string url = fileName;
string fullfileName = Server.MapPath(fileName); // we enforce everything file for download is under ../files
System.IO.FileInfo file = new System.IO.FileInfo(fullfileName);
string oname = file.Name;
if (!allowDownload && pub && !(file.Name.StartsWith("Pub") || file.Name.StartsWith("pub")))
{
if (file.Name.EndsWith(".wmv"))
{
file = new FileInfo(file.DirectoryName + "/PubMsg.wmv");
url = fileName.Replace(oname, "PubMsg.wmv");
}
else
{
if (LUser == null || LUser.LoginName == "Anonymous")
{
string loginUrl = System.Web.Security.FormsAuthentication.LoginUrl;
if (string.IsNullOrEmpty(loginUrl))
{
loginUrl = "MyAccount.aspx";
}
Response.Redirect(loginUrl + (loginUrl.IndexOf('?') > 0 ? "&" : "?") + "wrn=1&ReturnUrl=" + Server.UrlEncode(Request.Url.PathAndQuery));
}
else
{
throw new Exception("Access Denied");
}
}
}
Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
Response.ContentType = GetMimeTypeFromExtension(file.Extension);
Response.AddHeader("Content-Disposition", "Attachment; Filename=" + file.Name);
Response.AddHeader("Content-Length", file.Length.ToString());
Server.Transfer(url);
}
catch (Exception err) { ApplicationAssert.CheckCondition(false, "DnLoadModule", "", err.Message); }
}
}
}
/// <summary>
/// Register an account. Returns true if succeed, otherwise return false and write logs.
/// </summary>
/// <param name="username"></param>
/// <param name="rawPassword"></param>
/// <param name="hashType"></param>
/// <returns></returns>
public static bool RegisterUser(string username, string rawPassword, int hashType)
{
try
{
string hashSaltBase64 = null;
string passwordHashBase64 = null;
byte[] saltBytes;
System.Security.Cryptography.HMAC hmac;
switch (hashType)
{
case (int)Enums.HMAC.MD5:
hashSaltBase64 = null;
using (System.Security.Cryptography.MD5 hasher = System.Security.Cryptography.MD5.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.RIPEMD160:
hashSaltBase64 = null;
using (System.Security.Cryptography.RIPEMD160 hasher = System.Security.Cryptography.RIPEMD160.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.SHA1:
hashSaltBase64 = null;
using (System.Security.Cryptography.SHA1 hasher = System.Security.Cryptography.SHA1.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.SHA256:
hashSaltBase64 = null;
using (System.Security.Cryptography.SHA256 hasher = System.Security.Cryptography.SHA256.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.SHA384:
hashSaltBase64 = null;
using (System.Security.Cryptography.SHA384 hasher = System.Security.Cryptography.SHA384.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.SHA512:
hashSaltBase64 = null;
using (System.Security.Cryptography.SHA512 hasher = System.Security.Cryptography.SHA512.Create())
{
passwordHashBase64 = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
}
break;
case (int)Enums.HMAC.HMACMD5:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACMD5(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
case (int)Enums.HMAC.HMACRIPEMD160:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACRIPEMD160(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
case (int)Enums.HMAC.HMACSHA1:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACSHA1(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
case (int)Enums.HMAC.HMACSHA256:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACSHA256(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
case (int)Enums.HMAC.HMACSHA384:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACSHA384(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
case (int)Enums.HMAC.HMACSHA512:
saltBytes = new byte[Settings.InitSetting.Instance.MaxNumberOfBytesInSalt];
new Random().NextBytes(saltBytes);
hashSaltBase64 = Convert.ToBase64String(saltBytes);
hmac = new System.Security.Cryptography.HMACSHA512(saltBytes);
passwordHashBase64 = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(rawPassword)));
break;
default:
throw new NotImplementedException("Unspecified hash type.");
}
var acc = new Account()
{
Uname = username,
HashSaltBase64 = hashSaltBase64,
HashTypeId = hashType,
PasswordHashBase64 = passwordHashBase64,
IsTwoFactor = false,
TwoFactorSecretBase32 = null
};
using (AuthorizeEntities ctx = new AuthorizeEntities())
{
ctx.Accounts.Add(acc);
ctx.SaveChanges();
}
}
catch (Exception ex)
{
Log4netLogger.Error(MethodBase.GetCurrentMethod().DeclaringType, "Cannot register user", ex);
return(false);
}
return(true);
}
protected void Page_Load(object sender, System.EventArgs e)
{
if (!IsPostBack)
{
StringBuilder sb = new StringBuilder();
if (Request.QueryString["tbl"] != null && Request.QueryString["key"] != null)
{
/* prevent manually constructed request that would lead to information leakage via hashing of
* query string and session secret, only apply for database related retrieval which are all generated by the system
*/
ValidatedQS();
string dbConnectionString;
if (Request.QueryString["sys"] != null)
{
sid = byte.Parse(Request.QueryString["sys"].ToString());
}
else
{
throw new Exception("Please make sure '&sys=' is present and try again.");
}
if (new AdminSystem().IsMDesignDb(Request.QueryString["tbl"].ToString()))
{
dbConnectionString = base.SysConnectStr(sid);
}
else
{
dbConnectionString = base.AppConnectStr(sid);
}
if (Request.QueryString["multi"] != null)
{
SaveMultiDocUpload(dbConnectionString, base.AppPwd(sid), sid, true);
}
else
{
SaveUpload(dbConnectionString, sid);
}
return;
/* To be Deleted:
* DataTable dt = null;
* try
* {
* if (Request.QueryString["knm"] != null && Request.QueryString["col"] != null) // ImageButton
* {
* dt = (new AdminSystem()).GetDbImg(Request.QueryString["key"].ToString(), Request.QueryString["tbl"].ToString(), Request.QueryString["knm"].ToString(), Request.QueryString["col"].ToString(), dbConnectionString, base.AppPwd(sid));
* Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
* Response.ContentType = "image/jpeg";
* Response.AppendHeader("Content-Disposition", "Attachment; Filename=");
* Response.BinaryWrite((byte[])dt.Rows[0][0]);
* HttpContext.Current.ApplicationInstance.CompleteRequest();
* }
* else // Document.
* {
* dt = (new AdminSystem()).GetDbDoc(Request.QueryString["key"].ToString(), Request.QueryString["tbl"].ToString(), dbConnectionString, base.AppPwd(sid));
* Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
* Response.ContentType = dt.Rows[0]["MimeType"].ToString();
* Response.AppendHeader("Content-Disposition", "Attachment; Filename=" + dt.Rows[0]["DocName"].ToString());
* Response.BinaryWrite((byte[])dt.Rows[0]["DocImage"]);
* Response.End();
* }
* }
* catch (Exception err) { ApplicationAssert.CheckCondition(false, "DnLoadModule", "", err.Message); }
*/
}
else if (Request.QueryString["file"] != null)
{
/* file based download needs to be catered manually by webrule for protected contents
* via access control in the IIS directory level(no access) and gated by dnloadmodule via server side transfer
*/
try
{
bool pub = true;
if (LImpr != null)
{
string UsrGroup = (char)191 + base.LImpr.UsrGroups + (char)191;
if (UsrGroup.IndexOf((char)191 + "25" + (char)191) < 0 && UsrGroup.IndexOf((char)191 + "5" + (char)191) < 0)
{
pub = true;
}
else
{
pub = false;
}
}
string fileName = Request.QueryString["file"].ToString();
string key = Request.QueryString["key"].ToString();
string DownloadLinkCode = Session.SessionID;
byte[] Download_code = System.Text.Encoding.ASCII.GetBytes(DownloadLinkCode);
System.Security.Cryptography.HMACMD5 bkup_hmac = new System.Security.Cryptography.HMACMD5(Download_code);
byte[] Download_hash = bkup_hmac.ComputeHash(System.Text.Encoding.ASCII.GetBytes(fileName));
string Download_hashString = BitConverter.ToString(Download_hash);
bool allowDownload = Download_hashString == key;
fileName = fileName.ToLower().Replace("/guarded/", "/source/");
string url = fileName;
string fullfileName = Server.MapPath(fileName); // we enforce everything file for download is under ../files
System.IO.FileInfo file = new System.IO.FileInfo(fullfileName);
string oname = file.Name;
if (!allowDownload && pub && !(file.Name.StartsWith("Pub") || file.Name.StartsWith("pub")))
{
if (file.Name.EndsWith(".wmv"))
{
file = new FileInfo(file.DirectoryName + "/PubMsg.wmv");
url = fileName.Replace(oname, "PubMsg.wmv");
}
else
{
if (LUser == null || LUser.LoginName == "Anonymous")
{
string loginUrl = System.Web.Security.FormsAuthentication.LoginUrl;
if (string.IsNullOrEmpty(loginUrl))
{
loginUrl = "MyAccount.aspx";
}
this.Redirect(loginUrl + (loginUrl.IndexOf('?') > 0 ? "&" : "?") + "wrn=1&ReturnUrl=" + Server.UrlEncode(Request.Url.PathAndQuery));
}
else
{
throw new Exception("Access Denied");
}
}
}
Response.Buffer = true; Response.ClearHeaders(); Response.ClearContent();
Response.ContentType = GetMimeTypeFromExtension(file.Extension);
Response.AddHeader("Content-Disposition", "Attachment; Filename=" + file.Name);
Response.AddHeader("Content-Length", file.Length.ToString());
Server.Transfer(url);
}
catch (Exception err) { ApplicationAssert.CheckCondition(false, "DnLoadModule", "", err.Message); }
}
}
}
public static byte[] HMAC_MD5(byte [] key, byte [] data)
{
System.Security.Cryptography.HMACMD5 hmacmd5 = new System.Security.Cryptography.HMACMD5(key);
return(hmacmd5.ComputeHash(data));
}
public static bool Login(string username, string password)
{
bool isOk = false;
byte[] saltBytes;
System.Security.Cryptography.HMAC hmac;
try
{
using (AuthorizeEntities ctx = new AuthorizeEntities())
{
var acc = ctx.Accounts.Where(x => x.Uname == username).FirstOrDefault();
if (acc != null)
{
switch (acc.HashTypeId)
{
case (int)Enums.HMAC.MD5:
using (System.Security.Cryptography.MD5 hasher = System.Security.Cryptography.MD5.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.RIPEMD160:
using (System.Security.Cryptography.RIPEMD160 hasher = System.Security.Cryptography.RIPEMD160.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.SHA1:
using (System.Security.Cryptography.SHA1 hasher = System.Security.Cryptography.SHA1.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.SHA256:
using (System.Security.Cryptography.SHA256 hasher = System.Security.Cryptography.SHA256.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.SHA384:
using (System.Security.Cryptography.SHA384 hasher = System.Security.Cryptography.SHA384.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.SHA512:
using (System.Security.Cryptography.SHA512 hasher = System.Security.Cryptography.SHA512.Create())
{
isOk = acc.PasswordHashBase64.Equals(Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(password))));
}
break;
case (int)Enums.HMAC.HMACMD5:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACMD5(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
case (int)Enums.HMAC.HMACRIPEMD160:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACRIPEMD160(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
case (int)Enums.HMAC.HMACSHA1:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACSHA1(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
case (int)Enums.HMAC.HMACSHA256:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACSHA256(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
case (int)Enums.HMAC.HMACSHA384:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACSHA384(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
case (int)Enums.HMAC.HMACSHA512:
saltBytes = Convert.FromBase64String(acc.HashSaltBase64);
hmac = new System.Security.Cryptography.HMACSHA512(saltBytes);
isOk = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password))).Equals(acc.PasswordHashBase64);
break;
default:
throw new NotImplementedException("Unspecified hash type.");
}
}
}
}
catch (Exception ex)
{
Log4netLogger.Error(MethodBase.GetCurrentMethod().DeclaringType, "Cannot login", ex);
isOk = false;
}
return(isOk);
}
