From 31ea03a7cc23da731dfd95cd204468df5c3a5e60 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Wed, 2 Aug 2017 17:06:57 +1000
Subject: [PATCH] adds notes

---
 .../Security/MembershipProviderBase.cs | 33 +++++++++++--------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/Umbraco.Core/Security/MembershipProviderBase.cs b/src/Umbraco.Core/Security/MembershipProviderBase.cs
index 982ced30c7..b911245be4 100644
--- a/src/Umbraco.Core/Security/MembershipProviderBase.cs
+++ b/src/Umbraco.Core/Security/MembershipProviderBase.cs
@@ -674,7 +674,7 @@ namespace Umbraco.Core.Security
 if (PasswordFormat == MembershipPasswordFormat.Clear)
 return pass;
 var bytes = Encoding.Unicode.GetBytes(pass);
- var numArray1 = Convert.FromBase64String(salt);
+ var saltBytes = Convert.FromBase64String(salt);
 byte[] inArray;
 
 if (PasswordFormat == MembershipPasswordFormat.Hashed)
@@ -684,22 +684,27 @@ namespace Umbraco.Core.Security
 if (algorithm != null)
 {
 var keyedHashAlgorithm = algorithm;
- if (keyedHashAlgorithm.Key.Length == numArray1.Length)
- keyedHashAlgorithm.Key = numArray1;
- else if (keyedHashAlgorithm.Key.Length < numArray1.Length)
- {
+ if (keyedHashAlgorithm.Key.Length == saltBytes.Length)
+ {
+ //if the salt bytes is the required key length for the algorithm, use it as-is
+ keyedHashAlgorithm.Key = saltBytes;
+ }
+ else if (keyedHashAlgorithm.Key.Length < saltBytes.Length)
+ {
+ //if the salt bytes is too long for the required key length for the algorithm, reduce it
 var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
- Buffer.BlockCopy(numArray1, 0, numArray2, 0, numArray2.Length);
+ Buffer.BlockCopy(saltBytes, 0, numArray2, 0, numArray2.Length);
 keyedHashAlgorithm.Key = numArray2;
 }
 else
 {
+ //if the salt bytes is too long for the required key length for the algorithm, extend it
 var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
 var dstOffset = 0;
 while (dstOffset < numArray2.Length)
 {
- var count = Math.Min(numArray1.Length, numArray2.Length - dstOffset);
- Buffer.BlockCopy(numArray1, 0, numArray2, dstOffset, count);
+ var count = Math.Min(saltBytes.Length, numArray2.Length - dstOffset);
+ Buffer.BlockCopy(saltBytes, 0, numArray2, dstOffset, count);
 dstOffset += count;
 }
 keyedHashAlgorithm.Key = numArray2;
@@ -708,9 +713,9 @@ namespace Umbraco.Core.Security
 }
 else
 {
- var buffer = new byte[numArray1.Length + bytes.Length];
- Buffer.BlockCopy(numArray1, 0, buffer, 0, numArray1.Length);
- Buffer.BlockCopy(bytes, 0, buffer, numArray1.Length, bytes.Length);
+ var buffer = new byte[saltBytes.Length + bytes.Length];
+ Buffer.BlockCopy(saltBytes, 0, buffer, 0, saltBytes.Length);
+ Buffer.BlockCopy(bytes, 0, buffer, saltBytes.Length, bytes.Length);
 inArray = hashAlgorithm.ComputeHash(buffer);
 }
 }
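Review bot: The comment added on the final `else` branch of the `@@ -684,22 +684,27 @@` hunk repeats "too long" from the branch above, but that branch is only reached when the salt is shorter than `keyedHashAlgorithm.Key.Length` and the loop fills the key by repeating the salt, so it should read `//if the salt bytes is too short for the required key length for the algorithm, extend it by repeating it`. The "reduce it" comment could likewise state that only the first `Key.Length` bytes of the salt are kept and the rest is discarded. As far as this hunk shows, the key is derived from the per-password salt rather than from a secret, so a one-line remark that the keyed branch amounts to a salted single-pass hash (presumably retained so existing stored passwords still verify) would help the next reader judge its strength. `numArray2` still carries a decompiler-style name; `keyBytes` would sit better next to the new `saltBytes`. The enclosing method starts and ends outside this hunk.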
@@ -718,9 +723,9 @@ namespace Umbraco.Core.Security
 {
 //this code is copied from the sql membership provider - pretty sure this could be nicely re-written to completely
 // ignore the salt stuff since we are not salting the password when encrypting.
- var password = new byte[numArray1.Length + bytes.Length];
- Buffer.BlockCopy(numArray1, 0, password, 0, numArray1.Length);
- Buffer.BlockCopy(bytes, 0, password, numArray1.Length, bytes.Length);
+ var password = new byte[saltBytes.Length + bytes.Length];
+ Buffer.BlockCopy(saltBytes, 0, password, 0, saltBytes.Length);
+ Buffer.BlockCopy(bytes, 0, password, saltBytes.Length, bytes.Length);
 inArray = EncryptPassword(password, MembershipPasswordCompatibilityMode.Framework40);
 }
 return Convert.ToBase64String(inArray);