From 17f4d7faad34d7d140ed45e62c562e11ce0a311c Mon Sep 17 00:00:00 2001 From: ja Date: Fri, 3 Dec 2021 11:34:50 +0100 Subject: [PATCH] Implementierung einer besseren Radom und rechenintensiveren Hash-Aart --- App_Code/VERAG_VARIABLES.vb | 42 +++++-- Web.config | 6 +- login/Change_PW.aspx | 2 +- login/Change_PW.aspx.vb | 212 +++++++++++------------------------- login/ForgotPW.aspx.vb | 40 ++----- login/login_FLEX.aspx | 2 +- login/login_FLEX.aspx.vb | 103 +++++++----------- packages.config | 2 + 8 files changed, 154 insertions(+), 255 deletions(-) diff --git a/App_Code/VERAG_VARIABLES.vb b/App_Code/VERAG_VARIABLES.vb index 2577beb..93928a7 100644 --- a/App_Code/VERAG_VARIABLES.vb +++ b/App_Code/VERAG_VARIABLES.vb @@ -1,8 +1,12 @@ Imports System.Security.Cryptography Imports Microsoft.VisualBasic - +Imports Konscious.Security.Cryptography Public Class VERAG_VARIABLES Public Shared errornumb As Integer = 0 + Shared Function getiterationnumber() As Integer + Return RandomInteger(Math.Pow(2, 2), Math.Pow(2, 8)) + End Function + Shared Sub initerrorcount() errornumb = 0 End Sub @@ -15,20 +19,38 @@ Public Class VERAG_VARIABLES Shared Function getErrorcodeindez(Errorcode As String) As String Return VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(Errorcode) End Function - Public Shared Function GenerateSalt(ByVal nSalt As Integer) As String + Public Shared Function GenerateSalt(ByVal nSalt As Integer) As Byte() Dim saltBytes = New Byte(nSalt) {} - Using provider = New RNGCryptoServiceProvider() provider.GetNonZeroBytes(saltBytes) End Using - - Return Convert.ToBase64String(saltBytes) + Return saltBytes + 'Convert.ToBase64String(saltBytes) + End Function + Public Shared Async Function HashPassword(ByVal password As String, ByVal salt As Byte(), ByVal nIterations As Integer, ByVal nHash As Integer) As Threading.Tasks.Task(Of Byte()) + Dim Argon As Argon2id = New Argon2id(Encoding.UTF8.GetBytes(password)) + Argon.Salt = salt + Argon.DegreeOfParallelism = 6 + Argon.Iterations = nIterations + Argon.MemorySize = 4096 + Return Await Argon.GetBytesAsync(nHash) + 'Return Convert.ToBase64String(Argon.GetBytes(nHash)) + Return Argon.GetBytes(nHash) + 'Dim saltBytes = Convert.FromBase64String(salt) + 'Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations) + 'End Using End Function - Public Shared Function HashPassword(ByVal password As String, ByVal salt As String, ByVal nIterations As Integer, ByVal nHash As Integer) As String - Dim saltBytes = Convert.FromBase64String(salt) - Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations) - Return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash)) - End Using + Public Shared Async Function Verifyhash(ByVal passw As String, ByVal salt As Byte(), ByVal hash As Byte(), ByVal nIterations As Integer, ByVal nHash As Integer) As Threading.Tasks.Task(Of Boolean) + Dim newHash As Byte() = Await HashPassword(passw, salt, nIterations, nHash) + Return hash.SequenceEqual(newHash) + End Function + + Public Shared Function RandomInteger(ByVal min As Integer, ByVal _ + max As Integer) As Integer + Dim rand As New RNGCryptoServiceProvider() + Dim one_byte() As Byte = {0} + rand.GetBytes(one_byte) + Return min + (max - min) * (one_byte(0) / 255) End Function End Class diff --git a/Web.config b/Web.config index 0932cba..749c6a4 100644 --- a/Web.config +++ b/Web.config @@ -26,11 +26,11 @@ - - + + - + diff --git a/login/Change_PW.aspx b/login/Change_PW.aspx index bcfcad2..d433123 100644 --- a/login/Change_PW.aspx +++ b/login/Change_PW.aspx @@ -1,4 +1,4 @@ -<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Change_PW.aspx.vb" Debug="true" Inherits="login_Change_PW" %> +<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Change_PW.aspx.vb" Debug="true" Inherits="login_Change_PW" Async="true" %> diff --git a/login/Change_PW.aspx.vb b/login/Change_PW.aspx.vb index ee6132e..92f3ae8 100644 --- a/login/Change_PW.aspx.vb +++ b/login/Change_PW.aspx.vb @@ -1,10 +1,13 @@  Imports System.Data.SqlClient Imports System.Security.Cryptography +Imports System.Threading.Tasks Partial Class login_Change_PW Inherits System.Web.UI.Page - + Dim intzahl As Integer = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10)) + Dim intzahliterats As Integer = VERAG_VARIABLES.getiterationnumber + Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl) Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load Dim url = Request.ServerVariables("URL") Session.Add("urltochangepw", url) @@ -124,7 +127,7 @@ Partial Class login_Change_PW MsgBox("") End Sub - Protected Sub btn_submitpw_Click(sender As Object, e As EventArgs) + Protected Async Sub btn_submitpw_Click(sender As Object, e As EventArgs) Dim tempstr As String = "" Dim UsernameDB As String = String.Empty Dim pwDB As String = String.Empty @@ -235,10 +238,10 @@ Partial Class login_Change_PW ConnectionString = "Server=DEVELOPER.verag.ost.dmn\DEVSQL;Database=VERAG_HOMEPAGE;Uid=AppUser;Pwd=yp/THDd?xM+pZ$;" 'ConnectionString = "Server=db593295684.db.1and1.com;Database=db593295684;Uid=dbo593295684;Pwd=atilla#2;" End If - Dim isPasswhash As String = gensaltPassw(usrname, tempstr, Email, Session.IsNewSession) - Dim isPasswDBhash As String = gensaltPassw(UsernameDB, pwDB, EmailDB, Session.IsNewSession) + Dim isPasswhash As Byte() = Await gensaltPasswAsync(usrname, tempstr, salt, intzahliterats, intzahl, Email, Session.IsNewSession) + Dim isPasswDBhash As Byte() = Await gensaltPasswAsync(UsernameDB, pwDB, salt, intzahliterats, intzahl, EmailDB, Session.IsNewSession) If regexval_txt_Pw.IsValid = True Then - If String.Equals(isPasswhash, isPasswDBhash) = False Then + If Await VERAG_VARIABLES.Verifyhash(tempstr, salt, isPasswhash, intzahliterats, intzahl) = True Then Using con As New SqlConnection(ConnectionString) Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [Password]=@Password WHERE [Username]=@Username AND [UserId]=@UserId") ' cmd.CommandType = CommandType.StoredProcedure @@ -351,7 +354,7 @@ Partial Class login_Change_PW End If End Sub - Protected Sub btn_submitpw_M_Click(sender As Object, e As EventArgs) + Protected Async Sub btn_submitpw_M_Click(sender As Object, e As EventArgs) Dim tempstr As String = "" Dim pwDB As String = String.Empty Dim EmailDB As String = String.Empty @@ -406,28 +409,28 @@ Partial Class login_Change_PW If dr.HasRows Then dr.Read() tempstr = txt_Pw_M.Text - EmailDB = dr("Email").ToString - pwDB = dr("Password").ToString - usrnmDB = dr("Username").ToString - TheUsrIdDB = dr("UserId").ToString - customerIDDB = dr("KundenNr").ToString - If String.Equals(usrname, usrnmDB, StringComparison.CurrentCulture) = True Then - isusernameright = True - End If - If String.Equals(Email, EmailDB, StringComparison.CurrentCulture) = True Then - isemailright = True - End If - If String.Equals(txt_Pw_M.Text, pwDB, StringComparison.CurrentCulture) = False Then - ispwrEqual = False - End If - If String.Equals(UsrID, TheUsrIdDB, StringComparison.CurrentCulture) = True Then - isUSrIDright = True - End If - If String.Equals(THEUsrID, customerIDDB, StringComparison.CurrentCulture) = True Then - isctmrIDright = True - End If + EmailDB = dr("Email").ToString + pwDB = dr("Password").ToString + usrnmDB = dr("Username").ToString + TheUsrIdDB = dr("UserId").ToString + customerIDDB = dr("KundenNr").ToString + If String.Equals(usrname, usrnmDB, StringComparison.CurrentCulture) = True Then + isusernameright = True + End If + If String.Equals(Email, EmailDB, StringComparison.CurrentCulture) = True Then + isemailright = True + End If + If String.Equals(txt_Pw_M.Text, pwDB, StringComparison.CurrentCulture) = False Then + ispwrEqual = False + End If + If String.Equals(UsrID, TheUsrIdDB, StringComparison.CurrentCulture) = True Then + isUSrIDright = True + End If + If String.Equals(THEUsrID, customerIDDB, StringComparison.CurrentCulture) = True Then + isctmrIDright = True + End If - If String.Compare(usrname, dr("Username")) = True Then + If String.Compare(usrname, dr("Username")) = True Then isusernameright = True End If End If @@ -454,10 +457,10 @@ Partial Class login_Change_PW End If Using con As New SqlConnection(ConnectionString) - Dim isPasswhash As String = gensaltPassw(usrname, tempstr, Email, Session.IsNewSession) - Dim isPasswDBhash As String = gensaltPassw(usrnmDB, pwDB, EmailDB, Session.IsNewSession) + Dim isPasswhash As Byte() = Await gensaltPasswAsync(usrname, tempstr, salt, intzahliterats, intzahl, Email, Session.IsNewSession) + Dim isPasswDBhash As Byte() = Await gensaltPasswAsync(usrnmDB, pwDB, salt, intzahliterats, intzahl, EmailDB, Session.IsNewSession) If regexval_txt_Pw.IsValid = True Then - If String.Equals(isPasswhash, isPasswDBhash, StringComparison.CurrentCulture) = False Then + If Await VERAG_VARIABLES.Verifyhash(tempstr, salt, isPasswhash, intzahliterats, intzahl) = True AndAlso Await VERAG_VARIABLES.Verifyhash(pwDB, salt, isPasswDBhash, intzahliterats, intzahl) = True Then Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET Password=@Password WHERE Username=@Username AND UserId=@UserId") ' cmd.CommandType = CommandType.StoredProcedure cmd.Parameters.AddWithValue("@Username", usrname) @@ -522,79 +525,29 @@ Partial Class login_Change_PW End If End If End Sub - Function gensaltPassw(username As String, password As String, email As String, isnewSession As Boolean) As String - Dim intzahl = RandomInteger(Math.Pow(2, 8), Math.Pow(2, 12)) + + Async Function gensaltPasswAsync(username As String, password As String, salt As Byte(), intzahliterats As Integer, intzahl As Integer, email As String, isnewSession As Boolean) As Task(Of Byte()) If isnewSession = False Then - Dim token As String - If String.IsNullOrEmpty(username) = False AndAlso String.IsNullOrEmpty(email) = False Then - If String.IsNullOrEmpty(password) = False Then - Try - - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) - Dim tok As String = password - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 1491, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - Catch Ex As Exception - - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) - Dim tok As String = password - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 901, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - End Try - Else - Return String.Empty - End If - End If - Return String.Empty - Else - Return "Error in Session ID. It has changed. Please check admin!" + Dim token As Byte() + 'Dim tok As Byte = Convert.ToBase64String(time.Concat(Key).ToArray()) + Dim tok As String = password + token = Await VERAG_VARIABLES.HashPassword(password, salt, intzahliterats, intzahl) + Return token End If End Function - Function gennewsaltToken(username As String, password As String, email As String, CustomerID As String, isnewSession As Boolean, theUserID As String) As String + Async Function gennewsaltToken(username As String, password As String, email As String, salt As Byte(), CustomerID As String, intzahlits As Integer, intzahl As Integer, isnewSession As Boolean, theUserID As String) As Task(Of String) If isnewSession = False Then Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim Key() As Byte = Guid.NewGuid().ToByteArray() - Dim token As String + Dim token As Byte() - Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) - Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) - Dim Rand As Random = New Random If String.IsNullOrEmpty(theUserID) = False Then - Try - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) - Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - Catch Ex As Exception - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2) - Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2)) - salt = String.Empty - tok = String.Empty - Return token - End Try + Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) + token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahlits, intzahl) + + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) Else Return String.Empty End If @@ -603,72 +556,33 @@ Partial Class login_Change_PW End If End Function - Function gensaltToken(STrings As String) As String + Async Function gensaltTokenAsync(STrings As String) As Task(Of String) If String.IsNullOrEmpty(STrings) = False Then - Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) - Dim Key() As Byte = Guid.NewGuid().ToByteArray() - Dim token As String + Dim token As Byte() - Dim intzahl = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7)) - Dim Rand As Random = New Random + Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl) + Dim tok As String = STrings + token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl) - Try - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) - Dim tok As String = VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(STrings) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - Catch Ex As Exception - Dim intzahl2 = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7)) - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2) - Dim tok As String = VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(STrings) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2)) - salt = String.Empty - tok = String.Empty - Return token + Return Convert.ToBase64String(token) + + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) - End Try Else - Dim token As String + Dim token As Byte() + Dim intzahliterats = RandomInteger(Math.Pow(2, 10), Math.Pow(2, 12)) + Dim intzahl = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7)) - Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) - Dim Rand As Random = New Random - - Try - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) + Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl) Dim tok As String = STrings - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - Catch Ex As Exception - Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2) - Dim tok As String = STrings - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2)) - salt = String.Empty - tok = String.Empty - Return token + token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl) - End Try + Return Convert.ToBase64String(token) + + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) End If End Function - Public Function RandomInteger(ByVal min As Integer, ByVal _ + Shared Function RandomInteger(ByVal min As Integer, ByVal _ max As Integer) As Integer Dim rand As New RNGCryptoServiceProvider() Dim one_byte() As Byte = {0} diff --git a/login/ForgotPW.aspx.vb b/login/ForgotPW.aspx.vb index e7d5ca5..00b2f41 100644 --- a/login/ForgotPW.aspx.vb +++ b/login/ForgotPW.aspx.vb @@ -605,8 +605,8 @@ Partial Class ForgotPW Async Function Findtokenhashsalt(username As String, password As String, email As String, customerID As String, isusernameright As Boolean, isuserIDright As Boolean, isuserEmailright As Boolean, isnewsess As Boolean, UserID As String) As Task(Of String) Dim t As Task(Of String) - t = Task.Run(Function() As String - Return gensaltToken(username, password, email, customerID, isusernameright, isuserIDright, isuserEmailright, isnewsess, UserID) + t = Task.Run(Async Function() As Task(Of String) + Return Await gensaltToken(username, password, email, customerID, isusernameright, isuserIDright, isuserEmailright, isnewsess, UserID) End Function) Return Await t End Function @@ -755,39 +755,24 @@ Partial Class ForgotPW Return min + (max - min) * (one_byte(0) / 255) End Function - Function gensaltToken(username As String, password As String, email As String, CustomerID As String, isusrnmright As Boolean, iscstmIDright As Boolean, isemailright As Boolean, isnewSession As Boolean, theUserID As String) As String + Async Function gensaltToken(username As String, password As String, email As String, CustomerID As String, isusrnmright As Boolean, iscstmIDright As Boolean, isemailright As Boolean, isnewSession As Boolean, theUserID As String) As Task(Of String) If isnewSession = False Then Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim Key() As Byte = Guid.NewGuid().ToByteArray() - Dim token As String + Dim token As Byte() Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) - Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) + Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10)) + Dim intzahliterats = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 10)) Dim Rand As Random = New Random If isusrnmright = True And iscstmIDright = True And isemailright = True AndAlso String.IsNullOrEmpty(theUserID) = False Then - Try - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl) - Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl)) - salt = String.Empty - tok = String.Empty - Return token - Catch Ex As Exception - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2) - Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2)) - salt = String.Empty - tok = String.Empty - Return token - End Try + Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl) + 'Dim tok As Byte = Convert.ToBase64String(time.Concat(Key).ToArray()) + Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray()) + token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl) + + Return Convert.ToBase64String(token) Else Return String.Empty End If @@ -835,7 +820,6 @@ Partial Class ForgotPW End If End Function - Function RandomString(r As Random, max As Integer) As String Dim s As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!§$%&/?=" Dim sb As New StringBuilder diff --git a/login/login_FLEX.aspx b/login/login_FLEX.aspx index 54ece3a..b3dc337 100644 --- a/login/login_FLEX.aspx +++ b/login/login_FLEX.aspx @@ -1,4 +1,4 @@ -<%@ Page Language="VB" Debug="true" AutoEventWireup="false" CodeFile="login_FLEX.aspx.vb" Inherits="login_FLEX" EnableSessionState="True" %> +<%@ Page Language="VB" Debug="true" AutoEventWireup="false" CodeFile="login_FLEX.aspx.vb" Inherits="login_FLEX" EnableSessionState="True" Async="true" %> diff --git a/login/login_FLEX.aspx.vb b/login/login_FLEX.aspx.vb index f39b1ea..013e831 100644 --- a/login/login_FLEX.aspx.vb +++ b/login/login_FLEX.aspx.vb @@ -1,14 +1,15 @@ Imports System.Data.SqlClient Imports System.Data Imports System.Security.Cryptography - Partial Class login_FLEX Inherits System.Web.UI.Page - - Dim Customer_ID As String = String.Empty - Dim UserNaMe As String = String.Empty - Dim passw As String = String.Empty - Dim USERID As String = String.Empty + Private Customer_ID As String = String.Empty + Private UserNaMe As String = String.Empty + Private passw As String = String.Empty + Private USERID As String = String.Empty + Private salt As Byte() + Private intzahl As Integer + Private intzahliterats As Integer Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load VERAG_VARIABLES.initerrorcount() If Page.IsPostBack = True Then @@ -16,8 +17,11 @@ Partial Class login_FLEX Else Page.MaintainScrollPositionOnPostBack = False End If + intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10)) + intzahliterats = VERAG_VARIABLES.getiterationnumber + salt = VERAG_VARIABLES.GenerateSalt(intzahl) End Sub - Protected Sub ValidateUser(sender As Object, e As EventArgs) + Protected Async Sub ValidateUser(sender As Object, e As EventArgs) ' cDBFunctions.GetNewOpenConnection() Dim ConnectionString = "" @@ -183,16 +187,6 @@ Partial Class login_FLEX dr.Close() con.Close() End Using - Using cmd2 As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [LastLoginDate]=@Date WHERE [Username]=@Username AND [KundenNr]=@KundenNr AND Password=@Password") - cmd2.Parameters.AddWithValue("Date", Date.Now.ToString) - cmd2.Parameters.AddWithValue("Username", UserNaMe) - cmd2.Parameters.AddWithValue("KundenNr", Customer_ID) - cmd2.Parameters.AddWithValue("Password", passw) - cmd2.Connection = con - con.Open() - cmd2.ExecuteNonQuery() - con.Close() - End Using End Using If String.IsNullOrEmpty(tb2_M.Text) = False AndAlso String.IsNullOrEmpty(tb2.Text) = True Then @@ -204,7 +198,10 @@ Partial Class login_FLEX 'Dim str = gensaltToken(UserNaMe, passw, Customer_ID, Session.IsNewSession) 'MsgBox(str) 'End If - FormsAuthentication.RedirectFromLoginPage(UserNaMe, True) + Dim hashpw As Byte() = Await VERAG_VARIABLES.HashPassword(passw, salt, intzahliterats, intzahl) + If Await VERAG_VARIABLES.Verifyhash(passw, salt, hashpw, intzahliterats, intzahl) = True Then + FormsAuthentication.RedirectFromLoginPage(UserNaMe, True) + End If End Sub @@ -220,58 +217,38 @@ Partial Class login_FLEX Session.Add("CustomerID", Customer_ID) Session.Add("PW", passw) End Sub - Function gensaltToken(username As String, password As String, CustomerID As String, isnewSession As Boolean) As String + Async Function gensaltToken(username As String, password As String, CustomerID As String, salt As Byte(), intzahliterats As Integer, intzahl As Integer, isnewSession As Boolean) As Threading.Tasks.Task(Of String) If isnewSession = False Then Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim Key() As Byte = Guid.NewGuid().ToByteArray() - Dim token As String - Dim MyMin As Integer = 155, MyMax As Integer = 875, My1stRandomNumber As Integer, My2ndRandomNumber As Integer - ' Create a random number generator - Dim Generator As System.Random = New System.Random() - ' Get a random number >= MyMin and <= MyMax - My1stRandomNumber = Generator.Next(MyMin, MyMax + 1) ' Note: Next function returns numbers _less than_ max, so pass in max + 1 to include max as a possible value + Dim token As Byte() - ' Get another random number (don't create a new generator, use the same one) - My2ndRandomNumber = Generator.Next(MyMin, MyMax + 1) - If String.IsNullOrEmpty(username) = False And String.IsNullOrEmpty(passw) = False And String.IsNullOrEmpty(CustomerID) = False Then - Try - Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber) - Dim passw As String = password - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My1stRandomNumber)) - Session.Add("Tokensalt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(token)) - Session.Add("salt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(salt)) - Return token - Catch Ex As Exception - 'Dim Msg, Style, Title As String - 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." - 'Style = vbRetry + vbExclamation + vbDefaultButton1 - 'Title = "Error05: Token-Generierung" - 'MsgBox(Msg, Style, Title) - 'If MsgBox(Msg, Style, Title).Retry Then - 'genToken(username, password, email) - Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber) - Dim passw As String = password - token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My2ndRandomNumber)) + token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl) + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) + 'Dim Msg, Style, Title As String + 'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given." + 'Style = vbRetry + vbExclamation + vbDefaultButton1 + 'Title = "Error05: Token-Generierung" + 'MsgBox(Msg, Style, Title) + 'If MsgBox(Msg, Style, Title).Retry Then + 'genToken(username, password, email) + token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl) + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) - 'Else - 'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!") - Dim jetzt As DateTime = DateTime.UtcNow - Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5) + 'Else + 'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!") + Dim jetzt As DateTime = DateTime.UtcNow + Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5) + + If jetzt < wenn Then + Return "NotYet" + Else + token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl) + Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token)) + 'End If + End If - If jetzt < wenn Then - Return "NotYet" - Else - token = gensaltToken(username, password, CustomerID, Session.IsNewSession) - Return token - 'End If - End If - End Try - Else - Return String.Empty - End If - Else - Return "Error in Session ID. It has changed. Please check admin!" End If End Function End Class \ No newline at end of file diff --git a/packages.config b/packages.config index 2b34a19..79816a5 100644 --- a/packages.config +++ b/packages.config @@ -10,6 +10,8 @@ + +