Änderungen codegenierung und verhashung pw

2021-12-22 13:30:36 +01:00
parent a833f5a7f6
commit 1f4b9a7029
5 changed files with 20 additions and 20 deletions
--- a/App_Code/VERAG_VARIABLES.vb
+++ b/App_Code/VERAG_VARIABLES.vb
@@ -4,7 +4,7 @@ Imports Konscious.Security.Cryptography
 Public Class VERAG_VARIABLES
    Public Shared errornumb As Integer = 0
    Shared Function getiterationnumber() As Integer
-        Return RandomInteger(Math.Pow(2, 4), Math.Pow(2, 10))
+        Return RandomInteger(Math.Pow(2, 5), Math.Pow(2, 10))
    End Function

    Shared Sub initerrorcount()
@@ -35,15 +35,15 @@ Public Class VERAG_VARIABLES
            Argon.Salt = salt
            Argon.DegreeOfParallelism = 24
            Argon.Iterations = nIterations * 2
-            Argon.MemorySize = (((nIterations * 2.98 - (nIterations * 1.23) / 4 * 1.5) / 1.05) + 1 * 290)
+            Argon.MemorySize = (((nIterations * 4.98 - (nIterations * 1.23) / 4 * 1.5) / 1.05) + 1 * 290)

            Return Argon.GetBytes(nHash)
        Else
            Dim Argon As Argon2id = New Argon2id(Encoding.UTF8.GetBytes(VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(password)))
-            Argon.Salt = GenerateSalt(nHash)
-            Argon.DegreeOfParallelism = 48
-            Argon.Iterations = nIterations * 3
-            Argon.MemorySize = (((nIterations * 2.485 - (nIterations * 0.56) / 1.85 * 2.28) / 5.18) + 1.024 * 416)
+            Argon.Salt = salt
+            Argon.DegreeOfParallelism = 50
+            Argon.Iterations = nIterations * VERAG_VARIABLES.RandomInteger(1, 3)
+            Argon.MemorySize = (((nIterations * 8.485 - (nIterations * 0.56) / 1.85 * 2.28) / 8.28) + 1.024 * 416)
            Return Argon.GetBytes(nHash)
        End If

--- a/argon2.xlsx
+++ b/argon2.xlsx
--- a/login/Change_PW.aspx.vb
+++ b/login/Change_PW.aspx.vb
@@ -7,7 +7,7 @@ Imports Konscious.Security.Cryptography

 Partial Class login_Change_PW
    Inherits System.Web.UI.Page
-    Dim intzahl As Integer = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
+    Dim intzahl As Integer = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
    Dim intzahliterats As Integer = VERAG_VARIABLES.getiterationnumber
    Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl)
    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
@@ -573,11 +573,4 @@ Partial Class login_Change_PW
            Return String.Empty
        End If
    End Function
-    Shared Function RandomInteger(ByVal min As Integer, ByVal _
-    max As Integer) As Integer
-        Dim rand As New RNGCryptoServiceProvider()
-        Dim one_byte() As Byte = {0}
-        rand.GetBytes(one_byte)
-        Return min + (max - min) * (one_byte(0) / 255)
-    End Function
 End Class
--- a/login/ForgotPW.aspx.vb
+++ b/login/ForgotPW.aspx.vb
@@ -636,7 +636,7 @@ Partial Class ForgotPW
                Dim Ausschusstext2 As String = "und Zinsen zuletzt auf Zölle angerechnet. Zahlbar und klagbar in Schärding oder Ried. Steuer-Zoll-und Tarifauskünfte sind unverbindlich."
                Dim Ausschusstext3 As String = "We operate exclusively on the basis of the General Freight Forwarding Terms and Conditions in the respectively applicable version. Payments are initially"
                Dim Ausschusstext4 As String = "charged on freight, fees and interests and at last on customs duties. The place of jurisdiction: Schärding / Ried. Tax, customs and tariff information are not binding."
-                htmlbody = String.Format("Dear {0},<br /><br /> Please follow the Link to reset your password:<br /><br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + ServPort + "/login/Change_PW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + ">http://" + getdomianenvironment + ServPort + "/login/ChangePW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + "</a>" + Environment.NewLine + "<br /><br />Notice:<br /><span style='color: #043381;font-size:14px'><i>The Link is valid for 30 minutes until" + Space(1) + Date.Now.AddMinutes(30).ToString() + Space(1) + "only!</i></span><br / >To resend the E-Mail: <a runat=" + "server" + " href=http://" + getdomianenvironment + ServPort + "/login/ForgotPW.aspx>http://" + getdomianenvironment + ServPort + "/login/ForgotPW.aspx</a><br /><br />Kind regards, <br /><span style='color: #043381'><b>VERAG | EDV Support</b></span><br /><span>" + mailpic + "</span><br /><span style='color: #043381'>VERAG Spedition AG | A 4975 Suben, Nr. 100</span><br /><span style='color: #043381'>T.<a href='tel:+43 7711 2777-xx'>+43 7711 2777-xx</a> |<a href='mailto:@support@verag.ag'>support@verag.ag</a> |" + emailnr + "FN xxxxxxx</span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext2 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext3 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext4 + "</i></span><br />", username, password)
+                htmlbody = String.Format("Dear {0},<br /><br /> Please follow the Link to reset your password:<br /><br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + ServPort + "/login/Change_PW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + ">http://" + getdomianenvironment + "/login/ChangePW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + "</a>" + Environment.NewLine + "<br /><br />Notice:<br /><span style='color: #043381;font-size:14px'><i>The Link is valid for 30 minutes until" + Space(1) + Date.Now.AddMinutes(30).ToString() + Space(1) + "only!</i></span><br / >To resend the E-Mail: <a runat=" + "server" + " href=http://" + getdomianenvironment + ServPort + "/login/ForgotPW.aspx>http://" + getdomianenvironment + ServPort + "/login/ForgotPW.aspx</a><br /><br />Kind regards, <br /><span style='color: #043381'><b>VERAG | EDV Support</b></span><br /><span>" + mailpic + "</span><br /><span style='color: #043381'>VERAG Spedition AG | A 4975 Suben, Nr. 100</span><br /><span style='color: #043381'>T.<a href='tel:+43 7711 2777-xx'>+43 7711 2777-xx</a> |<a href='mailto:@support@verag.ag'>support@verag.ag</a> |" + emailnr + "FN xxxxxxx</span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext2 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext3 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext4 + "</i></span><br />", username, password)
            ElseIf String.IsNullOrEmpty(HttpContext.Current.Request.ServerVariables("SERVER_NAME")) = False Then
                getdomianenvironment = HttpContext.Current.Request.ServerVariables("SERVER_NAME")
                'MsgBox(getdomianenvironment)
@@ -649,7 +649,7 @@ Partial Class ForgotPW
                Dim Ausschusstext2 As String = "und Zinsen zuletzt auf Zölle angerechnet. Zahlbar und klagbar in Schärding oder Ried. Steuer-Zoll-und Tarifauskünfte sind unverbindlich."
                Dim Ausschusstext3 As String = "We operate exclusively on the basis of the General Freight Forwarding Terms and Conditions in the respectively applicable version. Payments are initially"
                Dim Ausschusstext4 As String = "charged on freight, fees and interests and at last on customs duties. The place of jurisdiction: Schärding / Ried. Tax, customs and tariff information are not binding."
-                htmlbody = String.Format("Dear {0},<br /><br /> Please follow the Link to reset your password:<br /><br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + "/login/Change_PW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + ">http://" + getdomianenvironment + ServPort + "/login/ChangePW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + "</a>" + Environment.NewLine + "<br /><br />Notice:<br /><span style='color: #043381;font-size:14px'><i>The Link is valid for 30 minutes until" + Space(1) + Date.Now.AddMinutes(30).ToString() + Space(1) + "only!</i></span><br / >To resend the E-Mail: <a runat=" + "server" + " href=http://" + getdomianenvironment + "/login/ForgotPW.aspx>http://" + getdomianenvironment + "/login/ForgotPW.aspx</a><br /><br />Kind regards, <br /><span style='color: #043381'><b>VERAG | EDV Support</b></span><br /><span>" + mailpic + "</span><br /><span style='color: #043381'>VERAG Spedition AG | A 4975 Suben, Nr. 100</span><br /><span style='color: #043381'>T.<a href='tel:+43 7711 2777-xx'>+43 7711 2777-xx</a> |<a href='mailto:@support@verag.ag'>support@verag.ag</a> | " + emailnr + "FN xxxxxxx</span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext2 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext3 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext4 + "</i></span><br />", username, password)
+                htmlbody = String.Format("Dear {0},<br /><br /> Please follow the Link to reset your password:<br /><br />" + Environment.NewLine + "<a runat=" + "server" + " href=http://" + getdomianenvironment + "/login/Change_PW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + ">http://" + getdomianenvironment + "/login/ChangePW.aspx?Par1=" + tokenname + "&Par2=" + VERAG_PROG_ALLGEMEIN.cCryptography.Encrypt(username) + "&Par3=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(customerID) + "&Mob=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt("False") + "&Par4=" + VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(theUserID) + "&Par5=" + VERAG_PROG_ALLGEMEIN.cCryptography2.Encrypt(email) + "</a>" + Environment.NewLine + "<br /><br />Notice:<br /><span style='color: #043381;font-size:14px'><i>The Link is valid for 30 minutes until" + Space(1) + Date.Now.AddMinutes(30).ToString() + Space(1) + "only!</i></span><br / >To resend the E-Mail: <a runat=" + "server" + " href=http://" + getdomianenvironment + "/login/ForgotPW.aspx>http://" + getdomianenvironment + "/login/ForgotPW.aspx</a><br /><br />Kind regards, <br /><span style='color: #043381'><b>VERAG | EDV Support</b></span><br /><span>" + mailpic + "</span><br /><span style='color: #043381'>VERAG Spedition AG | A 4975 Suben, Nr. 100</span><br /><span style='color: #043381'>T.<a href='tel:+43 7711 2777-xx'>+43 7711 2777-xx</a> |<a href='mailto:@support@verag.ag'>support@verag.ag</a> | " + emailnr + "FN xxxxxxx</span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext2 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext3 + "</i></span><br /><span style='color: #043381;font-size:12px'><i>" + Ausschusstext4 + "</i></span><br />", username, password)
            ElseIf String.IsNullOrWhiteSpace(HttpContext.Current.Request.ServerVariables("SERVER_NAME")) = True Then
                'MsgBox("Error09:" + Environment.NewLine + "The Domain could not be vaildated. Check Link please or contact the Administrator of the program.")
                lblMessage.ForeColor = Color.OrangeRed
--- a/login/login_FLEX.aspx.vb
+++ b/login/login_FLEX.aspx.vb
@@ -14,9 +14,8 @@ Partial Class login_FLEX
        VERAG_VARIABLES.initerrorcount()
        If Page.IsPostBack = True Then
            Page.MaintainScrollPositionOnPostBack = True
-            intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 8), Math.Pow(2, 10))
+
            intzahliterats = VERAG_VARIABLES.getiterationnumber
-            salt = VERAG_VARIABLES.GenerateSalt(intzahl)
        Else
            Page.MaintainScrollPositionOnPostBack = False
        End If
@@ -116,6 +115,8 @@ Partial Class login_FLEX
            reqfieldvalpassw_M.Enabled = False
            reqfieldvalpassw.Validate()
            If reqfieldvalpassw.IsValid = True Then
+                intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
+                Dim hashpw1 As Byte() = VERAG_VARIABLES.HashPassword(tb3_M.Text, salt, intzahliterats, intzahl)
                passw = tb3.Text
            End If
        End If
@@ -123,6 +124,8 @@ Partial Class login_FLEX
            reqfieldvalpassw.Enabled = False
            reqfieldvalpassw_M.Enabled = True
            reqfieldvalpassw_M.Validate()
+            intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 6), Math.Pow(2, 10))
+            Dim hashpw1_M As Byte() = VERAG_VARIABLES.HashPassword(tb3_M.Text, salt, intzahliterats, intzahl)
            If reqfieldvalpassw_M.IsValid = True Then
                passw = tb3_M.Text
            Else
@@ -140,9 +143,10 @@ Partial Class login_FLEX
                cmd.Parameters.AddWithValue("@Password", passw)
                cmd.Connection = con
                con.Open()
+                cmd.ExecuteScalar()
                ' userId = Convert.ToInt32(cmd.ExecuteScalar())
                Dim dr As SqlDataReader = cmd.ExecuteReader()
-                If dr.HasRows Then
+                If dr.HasRows = True Then
                    dr.Read()
                    'MsgBox(dr.Item(0).ToString())
                    Select Case dr.Item(0)
@@ -167,7 +171,9 @@ Partial Class login_FLEX
                                VERAG_VARIABLES.seterrorcount(8)
                                Login1.FailureText = VERAG_VARIABLES.geterrornumb + "Username is not in the database!"
                            End If
-                            If tb3.Text = dr("Password") Then
+                            If String.Equals(tb3.Text, dr("Password")) = True Then
+                                intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 6), Math.Pow(2, 10))
+                                salt = VERAG_VARIABLES.GenerateSalt(intzahl)
                                Dim hashpw As Byte() = VERAG_VARIABLES.HashPassword(passw, salt, intzahliterats, intzahl)
                                If VERAG_VARIABLES.Verifyhash(dr("Password").ToString, salt, hashpw, intzahliterats, intzahl) = True Then
                                    passw = dr("Password").ToString
@@ -179,6 +185,7 @@ Partial Class login_FLEX
                                Login1.FailureText = VERAG_VARIABLES.geterrornumb + "Password is not in the database!"
                            End If

+
                            'MsgBox("Erfolgreich validiert.")
                            Session.Add("test", UserNaMe)
                            Session.Add("CustomerID", Customer_ID)