xTr1m/GameList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrate current password hashing to Argon2id

Browse Source
This commit is contained in:
Frank Tovar
2026-02-18 21:06:22 +01:00
parent a130cba41a
commit e55a1b01f4
9 changed files with 46 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
Infrastructure/PasswordHasher.cs
View File

@@ -1,17 +1,22 @@
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;
namespace GameList.Infrastructure;
public static class PasswordHasher
{
public const int LegacyVersion = 1;
public const int CurrentVersion = 2;
public const int Pbkdf2Version = 2;
public const int CurrentVersion = 3;
private const int SaltSize = 16;
private const int KeySize = 32;
private const int IterationsV1 = 210_000;
private const int IterationsV2 = 350_000;
private const int Argon2Iterations = 2;
private const int Argon2MemoryKiB = 19_456;
private const int Argon2DegreeOfParallelism = 1;
public static (byte[] Hash, byte[] Salt) HashPassword(string password)
=> HashPassword(password, CurrentVersion);
@@ -23,12 +28,12 @@ public static class PasswordHasher
var normalizedVersion = NormalizeHashVersion(version);
var salt = RandomNumberGenerator.GetBytes(SaltSize);
var hash = PBKDF2(password, salt, normalizedVersion);
var hash = Derive(password, salt, normalizedVersion);
return (hash, salt);
}
public static bool Verify(string password, byte[] hash, byte[] salt)
=> Verify(password, hash, salt, LegacyVersion, out _);
=> Verify(password, hash, salt, CurrentVersion, out _);
public static bool Verify(string password, byte[] hash, byte[] salt, int version, out bool needsRehash)
{
@@ -40,7 +45,7 @@ public static class PasswordHasher
if (normalizedVersion == 0)
return false;
var computed = PBKDF2(password, salt, normalizedVersion);
var computed = Derive(password, salt, normalizedVersion);
var verified = CryptographicOperations.FixedTimeEquals(computed, hash);
needsRehash = verified && normalizedVersion < CurrentVersion;
@@ -52,6 +57,7 @@ public static class PasswordHasher
return version switch
{
<= LegacyVersion => LegacyVersion,
Pbkdf2Version => Pbkdf2Version,
CurrentVersion => CurrentVersion,
_ => throw new ArgumentOutOfRangeException(nameof(version), "Unsupported password hash version.")
};
@@ -62,24 +68,38 @@ public static class PasswordHasher
return version switch
{
<= LegacyVersion => LegacyVersion,
Pbkdf2Version => Pbkdf2Version,
CurrentVersion => CurrentVersion,
_ => 0
};
}
private static int ResolveIterations(int version)
private static byte[] Derive(string password, byte[] salt, int version)
{
return version switch
{
LegacyVersion => IterationsV1,
CurrentVersion => IterationsV2,
_ => IterationsV1
LegacyVersion => PBKDF2(password, salt, IterationsV1),
Pbkdf2Version => PBKDF2(password, salt, IterationsV2),
CurrentVersion => Argon2id(password, salt),
_ => throw new ArgumentOutOfRangeException(nameof(version), "Unsupported password hash version.")
};
}
private static byte[] PBKDF2(string password, byte[] salt, int version)
private static byte[] PBKDF2(string password, byte[] salt, int iterations)
{
var iterations = ResolveIterations(version);
return Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, KeySize);
}
private static byte[] Argon2id(string password, byte[] salt)
{
using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
{
Salt = salt,
Iterations = Argon2Iterations,
MemorySize = Argon2MemoryKiB,
DegreeOfParallelism = Argon2DegreeOfParallelism
};
return argon2.GetBytes(KeySize);
}
}