jellyfin · Bond-009 · Mar 7, 2019 · Jan 31, 2019 · Jan 31, 2019 · Feb 12, 2019
diff --git a/.gitignore b/.gitignore
@@ -264,3 +264,4 @@ deployment/**/pkg-dist-tmp/
 deployment/collect-dist/
 
 jellyfin_version.ini
+MediaBrowser.WebDashboard/jellyfin-web
diff --git a/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs b/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
@@ -1,40 +1,131 @@
-using System;
-using System.IO;
-using System.Security.Cryptography;
-using System.Text;
-using MediaBrowser.Model.Cryptography;
-
-namespace Emby.Server.Implementations.Cryptography
-{
-    public class CryptographyProvider : ICryptoProvider
-    {
-        public Guid GetMD5(string str)
-        {
-            return new Guid(ComputeMD5(Encoding.Unicode.GetBytes(str)));
-        }
-
-        public byte[] ComputeSHA1(byte[] bytes)
-        {
-            using (var provider = SHA1.Create())
-            {
-                return provider.ComputeHash(bytes);
-            }
-        }
-
-        public byte[] ComputeMD5(Stream str)
-        {
-            using (var provider = MD5.Create())
-            {
-                return provider.ComputeHash(str);
-            }
-        }
-
-        public byte[] ComputeMD5(byte[] bytes)
-        {
-            using (var provider = MD5.Create())
-            {
-                return provider.ComputeHash(bytes);
-            }
-        }
-    }
-}
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using MediaBrowser.Model.Cryptography;
+
+namespace Emby.Server.Implementations.Cryptography
+{
+    public class CryptographyProvider : ICryptoProvider
+    {
+        private List<string> SupportedHashMethods = new List<string>();
+        public string DefaultHashMethod => "SHA256";
+        private RandomNumberGenerator rng;
+        private int defaultiterations = 1000;
+        public CryptographyProvider()
+        {
+            //Currently supported hash methods from https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.cryptoconfig?view=netcore-2.1
+            //there might be a better way to autogenerate this list as dotnet updates, but I couldn't find one
+            SupportedHashMethods = new List<string>
+            {
+               "MD5"
+                ,"System.Security.Cryptography.MD5"
+                ,"SHA"
+                ,"SHA1"
+                ,"System.Security.Cryptography.SHA1"
+                ,"SHA256"
+                ,"SHA-256"
+                ,"System.Security.Cryptography.SHA256"
+                ,"SHA384"
+                ,"SHA-384"
+                ,"System.Security.Cryptography.SHA384"
+                ,"SHA512"
+                ,"SHA-512"
+                ,"System.Security.Cryptography.SHA512"
+            };
+            rng = RandomNumberGenerator.Create();
+        }
+
+        public Guid GetMD5(string str)
+        {
+            return new Guid(ComputeMD5(Encoding.Unicode.GetBytes(str)));
+        }
+
+        public byte[] ComputeSHA1(byte[] bytes)
+        {
+            using (var provider = SHA1.Create())
+            {
+                return provider.ComputeHash(bytes);
+            }
+        }
+
+        public byte[] ComputeMD5(Stream str)
+        {
+            using (var provider = MD5.Create())
+            {
+                return provider.ComputeHash(str);
+            }
+        }
+
+        public byte[] ComputeMD5(byte[] bytes)
+        {
+            using (var provider = MD5.Create())
+            {
+                return provider.ComputeHash(bytes);
+            }
+        }
+
+        public IEnumerable<string> GetSupportedHashMethods()
+        {
+            return SupportedHashMethods;
+        }
+
+        private byte[] PBKDF2(string method, byte[] bytes, byte[] salt)
+        {
+            using (var r = new Rfc2898DeriveBytes(bytes, salt, defaultiterations, new HashAlgorithmName(method)))
+            {
+                return r.GetBytes(32);
+            }
+        }
+
+        public byte[] ComputeHash(string HashMethod, byte[] bytes)
+        {
+            return ComputeHash(HashMethod, bytes, new byte[0]);
+        }
+
+        public byte[] ComputeHashWithDefaultMethod(byte[] bytes)
+        {
+            return ComputeHash(DefaultHashMethod, bytes);
+        }
+
+        public byte[] ComputeHash(string HashMethod, byte[] bytes, byte[] salt)
+        {
+            if (SupportedHashMethods.Contains(HashMethod))
+            {
+                if (salt.Length == 0)
+                {
+                    using (var h = HashAlgorithm.Create(HashMethod))
+                    {
+                        return h.ComputeHash(bytes);
+                    }
+                }
+                else
+                {
+                    return PBKDF2(HashMethod, bytes, salt);
+                }
+            }
+            else
+            {
+                throw new CryptographicException(String.Format("Requested hash method is not supported: {0}", HashMethod));
+            }
+        }
+
+        public byte[] ComputeHashWithDefaultMethod(byte[] bytes, byte[] salt)
+        {
+            return PBKDF2(DefaultHashMethod, bytes, salt);
+        }
+
+        public byte[] ComputeHash(PasswordHash hash)
+        {
+            return ComputeHash(hash.Id, hash.HashBytes, hash.SaltBytes);
+        }
+
+        public byte[] GenerateSalt()
+        {
+            byte[] salt = new byte[8];
+            rng.GetBytes(salt);
+            return salt;
+        }
+    }
+}
diff --git a/Emby.Server.Implementations/Emby.Server.Implementations.csproj b/Emby.Server.Implementations/Emby.Server.Implementations.csproj
@@ -34,7 +34,7 @@
   </ItemGroup>
 
   <PropertyGroup>
-    <TargetFramework>netstandard2.0</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
   </PropertyGroup>
 

diff --git a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
 using MediaBrowser.Controller.Authentication;
@@ -19,31 +20,110 @@ public DefaultAuthenticationProvider(ICryptoProvider crypto)
 
         public bool IsEnabled => true;
 
+
+        //This is dumb and an artifact of the backwards way auth providers were designed.
+        //This version of authenticate was never meant to be called, but needs to be here for interface compat
+        //Only the providers that don't provide local user support use this
         public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
         {
             throw new NotImplementedException();
         }
 
-        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
-        {
-            if (resolvedUser == null)
-            {
-                throw new Exception("Invalid username or password");
-            }
-
-            var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
 
-            if (!success)
-            {
-                throw new Exception("Invalid username or password");
-            }
+        //This is the verson that we need to use for local users. Because reasons.
+        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
+        {
+            ConvertPasswordFormat(resolvedUser);
+            byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
+            bool success = false;
+            if (resolvedUser == null)
+            {
+                success = false;
+                throw new Exception("Invalid username or password");
+            }
+            if (!resolvedUser.Password.Contains("$"))
+            {
+                ConvertPasswordFormat(resolvedUser);
+            }
+            PasswordHash ReadyHash = new PasswordHash(resolvedUser.Password);
+            byte[] CalculatedHash;
+            string CalculatedHashString;
+            if (_cryptographyProvider.GetSupportedHashMethods().Any(i => i == ReadyHash.Id))
+            {
+                if (String.IsNullOrEmpty(ReadyHash.Salt))
+                {
+                    CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes);
+                    CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
+                }
+                else
+                {
+                    CalculatedHash = _cryptographyProvider.ComputeHash(ReadyHash.Id, passwordbytes, ReadyHash.SaltBytes);
+                    CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
+                }
+                if (CalculatedHashString == ReadyHash.Hash)
+                {
+                    success = true;
+                    //throw new Exception("Invalid username or password");
+                }
+            }
+            else
+            {
+                success = false;
+                throw new Exception(String.Format("Requested crypto method not available in provider: {0}", ReadyHash.Id));
+            }
+
+            //var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
+
+            if (!success)
+            {
+                throw new Exception("Invalid username or password");
+            }
+
+            return Task.FromResult(new ProviderAuthenticationResult
+            {
+                Username = username
+            });
+        }
 
-            return Task.FromResult(new ProviderAuthenticationResult
-            {
-                Username = username
-            });
+        //This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
+        //but at least they are in the new format.
+        private void ConvertPasswordFormat(User user)
+        {
+            if (!string.IsNullOrEmpty(user.Password))
+            {
+                if (!user.Password.Contains("$"))
+                {
+                    string hash = user.Password;
+                    user.Password = String.Format("$SHA1${0}", hash);
+                }
+                if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
+                {
+                    string hash = user.EasyPassword;
+                    user.EasyPassword = String.Format("$SHA1${0}", hash);
+                }
+            }
         }
 
+        // OLD VERSION //public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
+        // OLD VERSION //{
+        // OLD VERSION //    if (resolvedUser == null)
+        // OLD VERSION //    {
+        // OLD VERSION //        throw new Exception("Invalid username or password");
+        // OLD VERSION //    }
+        // OLD VERSION //
+        // OLD VERSION //    var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
+        // OLD VERSION //
+        // OLD VERSION //    if (!success)
+        // OLD VERSION //    {
+        // OLD VERSION //        throw new Exception("Invalid username or password");
+        // OLD VERSION //    }
+        // OLD VERSION //
+        // OLD VERSION //    return Task.FromResult(new ProviderAuthenticationResult
+        // OLD VERSION //    {
+        // OLD VERSION //        Username = username
+        // OLD VERSION //    });
+        // OLD VERSION //}
+
         public Task<bool> HasPassword(User user)
         {
             var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
@@ -57,19 +137,26 @@ private bool IsPasswordEmpty(User user, string passwordHash)
 
         public Task ChangePassword(User user, string newPassword)
         {
-            string newPasswordHash = null;
-
-            if (newPassword != null)
+            //string newPasswordHash = null;
+            ConvertPasswordFormat(user);
+            PasswordHash passwordHash = new PasswordHash(user.Password);
+            if(passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
             {
-                newPasswordHash = GetHashedString(user, newPassword);
+                passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
+                passwordHash.Salt = BitConverter.ToString(passwordHash.SaltBytes).Replace("-","");
+                passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
+                passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
+            }else if (newPassword != null)
+            {
+                passwordHash.Hash = GetHashedString(user, newPassword);
             }
 
-            if (string.IsNullOrWhiteSpace(newPasswordHash))
+            if (string.IsNullOrWhiteSpace(passwordHash.Hash))
             {
-                throw new ArgumentNullException(nameof(newPasswordHash));
+                throw new ArgumentNullException(nameof(passwordHash.Hash));
             }
 
-            user.Password = newPasswordHash;
+            user.Password = passwordHash.ToString();
 
             return Task.CompletedTask;
         }
@@ -86,19 +173,39 @@ public string GetEmptyHashedString(User user)
             return GetHashedString(user, string.Empty);
         }
 
+        public string GetHashedStringChangeAuth(string NewPassword, PasswordHash passwordHash)
+        {
+            return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(NewPassword), passwordHash.SaltBytes)).Replace("-", string.Empty);
+        }
+
         /// <summary>
         /// Gets the hashed string.
         /// </summary>
-        public string GetHashedString(User user, string str)
-        {
-            var salt = user.Salt;
-            if (salt != null)
+        public string GetHashedString(User user, string str)
+        {
+            //This is legacy. Deprecated in the auth method.
+            //return BitConverter.ToString(_cryptoProvider2.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
+            PasswordHash passwordHash;
+            if (String.IsNullOrEmpty(user.Password))
+            {
+                passwordHash = new PasswordHash(_cryptographyProvider);
+            }
+            else
             {
-                // return BCrypt.HashPassword(str, salt);
+                ConvertPasswordFormat(user);
+                passwordHash = new PasswordHash(user.Password);
+            }
+            if (passwordHash.SaltBytes != null)
+            {
+                return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str), passwordHash.SaltBytes)).Replace("-",string.Empty);
+            }
+            else
+            {
+                return BitConverter.ToString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
+                //throw new Exception("User does not have a hash, this should not be possible");
             }
 
-            // legacy
-            return BitConverter.ToString(_cryptographyProvider.ComputeSHA1(Encoding.UTF8.GetBytes(str))).Replace("-", string.Empty);
+
         }
     }
 }