private bool IsSuccessfulLegacyPassword(string hashedPassword, string providedPassword)
{
if (!string.IsNullOrEmpty(_legacyMachineKeySettings.Value.MachineKeyDecryptionKey))
{
try
{
var decryptedPassword = DecryptLegacyPassword(
hashedPassword,
_legacyMachineKeySettings.Value.MachineKeyDecryption,
_legacyMachineKeySettings.Value.MachineKeyDecryptionKey);
return(decryptedPassword == providedPassword);
}
catch (Exception ex)
{
_logger.LogError(
ex,
"Could not decrypt password even that a DecryptionKey is provided. This means the DecryptionKey is wrong.");
return(false);
}
}
var result = LegacyPasswordSecurity.VerifyPassword(Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName, providedPassword, hashedPassword);
return(result || LegacyPasswordSecurity.VerifyLegacyHashedPassword(providedPassword, hashedPassword));
}
public MemberPasswordHasher(LegacyPasswordSecurity legacyPasswordHasher, IJsonSerializer jsonSerializer)
: this(
legacyPasswordHasher,
jsonSerializer,
StaticServiceProvider.Instance.GetRequiredService <IOptions <LegacyPasswordMigrationSettings> >(),
StaticServiceProvider.Instance.GetRequiredService <ILogger <MemberPasswordHasher> >())
{
}
public MemberPasswordHasher(
LegacyPasswordSecurity legacyPasswordHasher,
IJsonSerializer jsonSerializer,
IOptions <LegacyPasswordMigrationSettings> legacyMachineKeySettings,
ILogger <MemberPasswordHasher> logger)
: base(legacyPasswordHasher, jsonSerializer)
{
_legacyMachineKeySettings = legacyMachineKeySettings;
_logger = logger;
}
public void Get_Stored_Password_Hashed()
{
IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
var passwordSecurity = new LegacyPasswordSecurity();
var salt = LegacyPasswordSecurity.GenerateSalt();
var stored = salt + "ThisIsAHashedPassword";
var result = passwordSecurity.ParseStoredHashPassword(passwordConfiguration.HashAlgorithmType, stored, out string initSalt);
Assert.AreEqual("ThisIsAHashedPassword", result);
}
public void Format_Pass_For_Storage_Hashed()
{
IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
var passwordSecurity = new LegacyPasswordSecurity();
var salt = LegacyPasswordSecurity.GenerateSalt();
var stored = "ThisIsAHashedPassword";
var result = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, stored, salt);
Assert.AreEqual(salt + "ThisIsAHashedPassword", result);
}
public void Check_Password_Legacy_v4_SHA1()
{
const string clearText = "ThisIsAHashedPassword";
var clearTextUnicodeBytes = Encoding.Unicode.GetBytes(clearText);
using var algorithm = new HMACSHA1(clearTextUnicodeBytes);
var dbPassword = Convert.ToBase64String(algorithm.ComputeHash(clearTextUnicodeBytes));
var result = new LegacyPasswordSecurity().VerifyLegacyHashedPassword(clearText, dbPassword);
Assert.IsTrue(result);
}
public void Check_Password_Hashed_KeyedHashAlgorithm()
{
IPasswordConfiguration passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName);
var passwordSecurity = new LegacyPasswordSecurity();
var pass = "******";
var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out string salt);
var storedPassword = passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);
var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);
Assert.IsTrue(result);
}
public void Check_Password_Hashed_Non_KeyedHashAlgorithm()
{
var passwordConfiguration = Mock.Of <IPasswordConfiguration>(x => x.HashAlgorithmType == "SHA1");
var passwordSecurity = new LegacyPasswordSecurity();
var pass = "******";
var hashed = passwordSecurity.HashNewPassword(passwordConfiguration.HashAlgorithmType, pass, out var salt);
var storedPassword =
passwordSecurity.FormatPasswordForStorage(passwordConfiguration.HashAlgorithmType, hashed, salt);
var result = passwordSecurity.VerifyPassword(passwordConfiguration.HashAlgorithmType, "ThisIsAHashedPassword", storedPassword);
Assert.IsTrue(result);
}
public void Check_Salt_Length()
{
var lastLength = 0;
for (var i = 0; i < 10000; i++)
{
var result = LegacyPasswordSecurity.GenerateSalt();
if (i > 0)
{
Assert.AreEqual(lastLength, result.Length);
}
lastLength = result.Length;
}
}
/// <summary>
/// Verifies a user's hashed password
/// </summary>
/// <param name="user"></param>
/// <param name="hashedPassword"></param>
/// <param name="providedPassword"></param>
/// <returns></returns>
/// <exception cref="InvalidOperationException">Thrown when the correct hashing algorith cannot be determined</exception>
public override PasswordVerificationResult VerifyHashedPassword(MemberIdentityUser user, string hashedPassword, string providedPassword)
{
if (user is null)
{
throw new ArgumentNullException(nameof(user));
}
var isPasswordAlgorithmKnown = user.PasswordConfig.IsNullOrWhiteSpace() == false &&
user.PasswordConfig != Constants.Security.UnknownPasswordConfigJson;
// if there's password config use the base implementation
if (isPasswordAlgorithmKnown)
{
PasswordVerificationResult result = base.VerifyHashedPassword(user, hashedPassword, providedPassword);
if (result != PasswordVerificationResult.Failed)
{
return(result);
}
}
// We need to check for clear text passwords from members as the first thing. This was possible in v8 :(
else if (IsSuccessfulLegacyPassword(hashedPassword, providedPassword))
{
return(PasswordVerificationResult.SuccessRehashNeeded);
}
// Else we need to detect what the password is. This will be the case
// for upgrades since no password config will exist.
byte[]? decodedHashedPassword = null;
var isAspNetIdentityHash = false;
try
{
decodedHashedPassword = Convert.FromBase64String(hashedPassword);
isAspNetIdentityHash = true;
}
catch (Exception)
{
// ignored - decoding throws
}
// check for default ASP.NET Identity password hash flags
if (isAspNetIdentityHash)
{
if (decodedHashedPassword?[0] == 0x00 || decodedHashedPassword?[0] == 0x01)
{
return(base.VerifyHashedPassword(user, hashedPassword, providedPassword));
}
if (isPasswordAlgorithmKnown)
{
_logger.LogError("Unable to determine member password hashing algorithm");
}
else
{
_logger.LogDebug(
"Unable to determine member password hashing algorithm, but this can happen when member enters a wrong password, before it has be rehashed");
}
return(PasswordVerificationResult.Failed);
}
var isValid = LegacyPasswordSecurity.VerifyPassword(
Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName,
providedPassword,
hashedPassword);
return(isValid ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Failed);
}
public BackOfficePasswordHasher(LegacyPasswordSecurity passwordSecurity, IJsonSerializer jsonSerializer)
: base(passwordSecurity, jsonSerializer)
{
}
public UmbracoPasswordHasher(LegacyPasswordSecurity legacyPasswordSecurity, IJsonSerializer jsonSerializer)
{
LegacyPasswordSecurity =
legacyPasswordSecurity ?? throw new ArgumentNullException(nameof(legacyPasswordSecurity));
_jsonSerializer = jsonSerializer ?? throw new ArgumentNullException(nameof(jsonSerializer));
}
