New: Migrate user passwords to Pbkdf2

(cherry picked from commit 269e72a2193b584476bec338ef41e6fb2e5cbea6)

src/NzbDrone.Core/Authentication/User.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using NzbDrone.Core.Datastore;
 
 namespace NzbDrone.Core.Authentication
@@ -8,5 +8,7 @@ namespace NzbDrone.Core.Authentication
         public Guid Identifier { get; set; }
         public string Username { get; set; }
         public string Password { get; set; }
+        public string Salt { get; set; }
+        public int Iterations { get; set; }
     }
 }

src/NzbDrone.Core/Authentication/UserService.cs

@@ -1,5 +1,7 @@
 using System;
 using System.Linq;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Cryptography.KeyDerivation;
 using NzbDrone.Common.Disk;
 using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Common.Extensions;
@@ -21,15 +23,16 @@ namespace NzbDrone.Core.Authentication
 
     public class UserService : IUserService, IHandle<ApplicationStartedEvent>
     {
+        private const int ITERATIONS = 10000;
+        private const int SALT_SIZE = 128 / 8;
+        private const int NUMBER_OF_BYTES = 256 / 8;
+
         private readonly IUserRepository _repo;
         private readonly IAppFolderInfo _appFolderInfo;
         private readonly IDiskProvider _diskProvider;
         private readonly IConfigFileProvider _configFileProvider;
 
-        public UserService(IUserRepository repo,
+        public UserService(IUserRepository repo, IAppFolderInfo appFolderInfo, IDiskProvider diskProvider, IConfigFileProvider configFileProvider)
-            IAppFolderInfo appFolderInfo,
-            IDiskProvider diskProvider,
-            IConfigFileProvider configFileProvider)
         {
             _repo = repo;
             _appFolderInfo = appFolderInfo;
@@ -39,12 +42,15 @@ namespace NzbDrone.Core.Authentication
 
         public User Add(string username, string password)
         {
-            return _repo.Insert(new User
+            var user = new User
             {
                 Identifier = Guid.NewGuid(),
-                Username = username.ToLowerInvariant(),
+                Username = username.ToLowerInvariant()
-                Password = password.SHA256Hash()
+            };
-            });
+
+            SetUserHashedPassword(user, password);
+
+            return _repo.Insert(user);
         }
 
         public User Update(User user)
@@ -63,7 +69,7 @@ namespace NzbDrone.Core.Authentication
 
             if (user.Password != password)
             {
-                user.Password = password.SHA256Hash();
+                SetUserHashedPassword(user, password);
             }
 
             user.Username = username.ToLowerInvariant();
@@ -90,7 +96,20 @@ namespace NzbDrone.Core.Authentication
                 return null;
             }
 
+            if (user.Salt.IsNullOrWhiteSpace())
+            {
+                // If password matches stored SHA256 hash, update to salted hash and verify.
                 if (user.Password == password.SHA256Hash())
+                {
+                    SetUserHashedPassword(user, password);
+
+                    return Update(user);
+                }
+
+                return null;
+            }
+
+            if (VerifyHashedPassword(user, password))
             {
                 return user;
             }
@@ -103,6 +122,43 @@ namespace NzbDrone.Core.Authentication
             return _repo.FindUser(identifier);
         }
 
+        private User SetUserHashedPassword(User user, string password)
+        {
+            var salt = GenerateSalt();
+
+            user.Iterations = ITERATIONS;
+            user.Salt = Convert.ToBase64String(salt);
+            user.Password = GetHashedPassword(password, salt, ITERATIONS);
+
+            return user;
+        }
+
+        private byte[] GenerateSalt()
+        {
+            var salt = new byte[SALT_SIZE];
+            RandomNumberGenerator.Create().GetBytes(salt);
+
+            return salt;
+        }
+
+        private string GetHashedPassword(string password, byte[] salt, int iterations)
+        {
+            return Convert.ToBase64String(KeyDerivation.Pbkdf2(
+                password: password,
+                salt: salt,
+                prf: KeyDerivationPrf.HMACSHA512,
+                iterationCount: iterations,
+                numBytesRequested: NUMBER_OF_BYTES));
+        }
+
+        private bool VerifyHashedPassword(User user, string password)
+        {
+            var salt = Convert.FromBase64String(user.Salt);
+            var hashedPassword = GetHashedPassword(password, salt, user.Iterations);
+
+            return user.Password == hashedPassword;
+        }
+
         public void Handle(ApplicationStartedEvent message)
         {
             if (_repo.All().Any())

src/NzbDrone.Core/Datastore/Migration/215_add_salt_to_users.cs

@@ -0,0 +1,16 @@
+using FluentMigrator;
+using NzbDrone.Core.Datastore.Migration.Framework;
+
+namespace NzbDrone.Core.Datastore.Migration
+{
+    [Migration(215)]
+    public class add_salt_to_users : NzbDroneMigrationBase
+    {
+        protected override void MainDbUpgrade()
+        {
+            Alter.Table("Users")
+                .AddColumn("Salt").AsString().Nullable()
+                .AddColumn("Iterations").AsInt32().Nullable();
+        }
+    }
+}

src/NzbDrone.Core/Radarr.Core.csproj

@@ -11,6 +11,7 @@
     <PackageReference Include="Servarr.FFprobe" Version="5.1.2.106" />
     <PackageReference Include="System.Memory" Version="4.5.5" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="6.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Cryptography.KeyDerivation" Version="6.0.6" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="6.0.1" />
     <PackageReference Include="Servarr.FluentMigrator.Runner" Version="3.3.2.9" />