V3.x legacy migration functionality

Add ability to validate and hash using V4 interoperable method while maintaining default V3 behaviour

Author: ChrisMcKee

src/BCrypt.Net.MainPackage/BCrypt.Net.Package.csproj

@@ -24,7 +24,7 @@
     <PublicSign Condition=" '$(OS)' != 'Windows_NT' ">true</PublicSign>
     <AssemblyOriginatorKeyFile>../bcrypt.pfx</AssemblyOriginatorKeyFile>
 
-    <Version>4.0.0</Version>
+    <Version>3.5.0</Version>
     <PackageTags>bcrypt;BCrypt.Net;cryptography;hashing;password;security,hash;crypto;blowfish;gdpr</PackageTags>
     <Configurations>Debug;Release</Configurations>
   </PropertyGroup>

src/BCrypt.Net.StrongName/BCrypt.Net.StrongName.csproj

@@ -24,7 +24,7 @@
     <PublicSign Condition=" '$(OS)' != 'Windows_NT' ">true</PublicSign>
     <AssemblyOriginatorKeyFile>../bcrypt.pfx</AssemblyOriginatorKeyFile>
 
-    <Version>4.0.0</Version>
+    <Version>3.5.0</Version>
     <PackageTags>bcrypt;BCrypt.Net;cryptography;hashing;password;security,hash;crypto;blowfish;gdpr</PackageTags>
     <Configurations>Debug;Release</Configurations>
   </PropertyGroup>

src/BCrypt.Net.UnitTests/BCryptTests.cs

@@ -208,10 +208,40 @@ public void TestHashPasswordEnhanced_PASSLIB()
                 //Check hash that goes in one end comes out the next the same
                 salt = _pythonPassLibTestVectors[i, 1];
 
-                string hashed = BCrypt.HashPassword(plain, salt, enhancedEntropy: true, HashType.SHA256);
+                string hashed = BCrypt.HashPassword(plain, salt, enhancedEntropy: true, HashType.SHA256, v4CompatibleEnhancedEntropy:true);
 
                 Assert.Equal(hashed, _pythonPassLibTestVectors[i, 2]);
 
+                var validateHashCheck = BCrypt.Verify(plain, hashed, true, HashType.SHA256, v4CompatibleEnhancedEntropy: true);
+                Assert.True(validateHashCheck);
+
+                Trace.WriteLine(hashed);
+
+                Trace.Write(".");
+            }
+
+            Trace.WriteLine(sw.ElapsedMilliseconds);
+            Trace.WriteLine("");
+        }
+
+        [Fact()]
+        public void TestHashPasswordEnhanced_PASSLIB_V3EnhancedIsNotInteroperable()
+        {
+            Trace.Write("BCrypt.HashPassword(): ");
+            var sw = Stopwatch.StartNew();
+
+            for (int i = 0; i < _pythonPassLibTestVectors.Length / 3; i++)
+            {
+                string plain = _pythonPassLibTestVectors[i, 0];
+                string salt;
+
+                //Check hash that goes in one end comes out the next the same
+                salt = _pythonPassLibTestVectors[i, 1];
+
+                string hashed = BCrypt.HashPassword(plain, salt, enhancedEntropy: true, HashType.SHA256);
+
+                Assert.NotEqual(hashed, _pythonPassLibTestVectors[i, 2]);
+
                 var validateHashCheck = BCrypt.EnhancedVerify(plain, hashed, HashType.SHA256);
                 Assert.True(validateHashCheck);
 

src/BCrypt.Net/BCrypt.Net.csproj

@@ -19,7 +19,7 @@
     <License>https://github.com/BcryptNet/bcrypt.net/blob/master/licence.txt</License>
     <PackageLicenseUrl>https://github.com/BcryptNet/bcrypt.net/blob/master/licence.txt</PackageLicenseUrl>
 
-    <Version>4.0.0</Version>
+    <Version>3.5.0</Version>
 
     <Configurations>Debug;Release</Configurations>
   </PropertyGroup>

src/BCrypt.Net/BCrypt.cs

@@ -596,7 +596,7 @@ public static string ValidateAndReplacePassword(string currentKey, string curren
         /// <returns>The hashed password</returns>
         /// <exception cref="ArgumentNullException">Thrown when the <paramref name="inputKey"/> is null.</exception>
         /// <exception cref="SaltParseException">Thrown when the <paramref name="salt"/> could not be parsed.</exception>
-        public static string HashPassword(string inputKey, string salt, bool enhancedEntropy, HashType hashType = DefaultEnhancedHashType)
+        public static string HashPassword(string inputKey, string salt, bool enhancedEntropy, HashType hashType = DefaultEnhancedHashType, bool v4CompatibleEnhancedEntropy = false)
         {
             if (inputKey == null)
             {
@@ -653,10 +653,14 @@ public static string HashPassword(string inputKey, string salt, bool enhancedEnt
 
             byte[] inputBytes;
 
-            if (enhancedEntropy)
+            if (enhancedEntropy && v4CompatibleEnhancedEntropy)
             {
                 inputBytes = EnhancedHash(SafeUTF8.GetBytes(inputKey), bcryptMinorRevision, hashType);
             }
+            else if (enhancedEntropy)
+            {
+                inputBytes = V3EnhancedHash(SafeUTF8.GetBytes(inputKey + (bcryptMinorRevision >= 'a' ? Nul : EmptyString)), hashType);
+            }
             else
             {
                 inputBytes = SafeUTF8.GetBytes(inputKey + (bcryptMinorRevision >= 'a' ? Nul : EmptyString));
@@ -704,6 +708,29 @@ private static byte[] EnhancedHash(byte[] inputBytes, char bcryptMinorRevision,
             return inputBytes;
         }
 
+        private static byte[] V3EnhancedHash(byte[] inputBytes, HashType hashType)
+        {
+            switch (hashType)
+            {
+                case HashType.SHA256:
+                    inputBytes = SafeUTF8.GetBytes(Convert.ToBase64String(SHA256.Create().ComputeHash(inputBytes)));
+                    break;
+                case HashType.SHA384:
+                    inputBytes = SafeUTF8.GetBytes(Convert.ToBase64String(SHA384.Create().ComputeHash(inputBytes)));
+                    break;
+                case HashType.SHA512:
+                    inputBytes = SafeUTF8.GetBytes(Convert.ToBase64String(SHA512.Create().ComputeHash(inputBytes)));
+                    break;
+                case HashType.Legacy384:
+                    inputBytes = SHA384.Create().ComputeHash(inputBytes);
+                    break;
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(hashType), hashType, null);
+            }
+
+            return inputBytes;
+        }
+
 
         /// <summary>
         ///  Generate a salt for use with the <see cref="BCrypt.HashPassword(string, string)"/> method.
@@ -803,9 +830,9 @@ public static string GenerateSalt()
         /// <returns>true if the passwords match, false otherwise.</returns>
         /// <exception cref="ArgumentException">Thrown when one or more arguments have unsupported or illegal values.</exception>
         /// <exception cref="SaltParseException">Thrown when the salt could not be parsed.</exception>
-        public static bool Verify(string text, string hash, bool enhancedEntropy = false, HashType hashType = DefaultEnhancedHashType)
+        public static bool Verify(string text, string hash, bool enhancedEntropy = false, HashType hashType = DefaultEnhancedHashType, bool v4CompatibleEnhancedEntropy=false)
         {
-            return SecureEquals(SafeUTF8.GetBytes(hash), SafeUTF8.GetBytes(HashPassword(text, hash, enhancedEntropy, hashType)));
+            return SecureEquals(SafeUTF8.GetBytes(hash), SafeUTF8.GetBytes(HashPassword(text, hash, enhancedEntropy, hashType, v4CompatibleEnhancedEntropy)));
         }
 
         // Compares two byte arrays for equality. The method is specifically written so that the loop is not optimised.

src/BCrypt.Net/HashType.cs

@@ -10,6 +10,7 @@ public enum HashType
         None = -1,
         SHA256 = 0,
         SHA384 = 1,
-        SHA512 = 2
+        SHA512 = 2,
+        Legacy384 = 3
     }
 }