From 1f40e69d42a6d3676b046ef09bc01723266c55fd Mon Sep 17 00:00:00 2001
From: Brad Young
Date: Sat, 26 Dec 2020 10:16:25 -0600
Subject: [PATCH] Fixed issue where MD5 was always set for password hashing. Refactored to remove class level hash algorithm variable that allowed for hash algorithm instance to be updated.
---
 .../SiteSecurityManager.cs | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/source/DasBlog.Web.Repositories/SiteSecurityManager.cs b/source/DasBlog.Web.Repositories/SiteSecurityManager.cs
index 357fa50c..d623fd87 100644
--- a/source/DasBlog.Web.Repositories/SiteSecurityManager.cs
+++ b/source/DasBlog.Web.Repositories/SiteSecurityManager.cs
@@ -5,28 +5,30 @@
 using System;
 using System.Linq;
 using System.Security.Cryptography;
-using System.Security.Principal;
 using System.Text;
 
 namespace DasBlog.Managers
 {
 public class SiteSecurityManager : ISiteSecurityManager
 {
-private HashAlgorithm hashAlgorithm;
 private readonly IDasBlogSettings dasBlogSettings;
 
 public SiteSecurityManager( IDasBlogSettings dasBlogSettings)
 {
 this.dasBlogSettings = dasBlogSettings;
-hashAlgorithm = SHA512Managed.Create();
 }
 
 public string HashPassword(string password)
 {
-hashAlgorithm = MD5CryptoServiceProvider.Create();
-byte[] clearBytes = Encoding.Unicode.GetBytes(password);
+var hashAlgorithm = SHA512Managed.Create();
+return HashPassword(password, hashAlgorithm);
+}
+
+private string HashPassword(string password, HashAlgorithm hashAlgorithm)
+{
+var clearBytes = Encoding.Unicode.GetBytes(password);
 
-byte[] hashedBytes = hashAlgorithm.ComputeHash(clearBytes);
+var hashedBytes = hashAlgorithm.ComputeHash(clearBytes);
 return BitConverter.ToString(hashedBytes);
 }
 
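Review bot: The SHA512 instance created in the new public `HashPassword(string)` overload is never disposed; `HashAlgorithm` is `IDisposable`, so the call should own it: `using (var hashAlgorithm = SHA512Managed.Create()) { return HashPassword(password, hashAlgorithm); }`. The private `HashPassword(string, HashAlgorithm)` overload can stay non-owning, but its contract should be stated, e.g. `// Caller owns hashAlgorithm. Returns an unsalted, single-round digest of the UTF-16 bytes of password, as dash-separated hex (BitConverter.ToString).`, so nobody mistakes this helper for a password KDF with salt and work factor. As a point of style, `SHA512.Create()` is the portable factory; later .NET releases mark the `SHA512Managed` and `MD5CryptoServiceProvider` names obsolete, so switching now avoids a future warning.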
@@ -40,12 +42,13 @@
 public bool VerifyHashedPassword(string hashedPassword, string providedPassword)
 {
 string hashprovidedpassword = string.Empty;
+HashAlgorithm hashAlgorithm = SHA512Managed.Create();
 if (this.IsMd5Hash(hashedPassword))
 {
 hashAlgorithm = MD5CryptoServiceProvider.Create();
 }
 
-hashprovidedpassword = this.HashPassword(providedPassword);
+hashprovidedpassword = HashPassword(providedPassword, hashAlgorithm);
 
 if (hashedPassword.Equals(hashprovidedpassword, StringComparison.InvariantCultureIgnoreCase))
 {
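Review bot: The SHA512 instance created on the added `HashAlgorithm hashAlgorithm = SHA512Managed.Create();` line is dropped undisposed whenever `IsMd5Hash` is true, and whichever instance survives is never disposed either; `VerifyHashedPassword` continues past the end of the hunk. Choosing the algorithm once removes the leak: `using HashAlgorithm hashAlgorithm = this.IsMd5Hash(hashedPassword) ? (HashAlgorithm)MD5CryptoServiceProvider.Create() : SHA512Managed.Create();` (a `using` declaration needs C# 8; on an older language version wrap the remainder of the method in a `using` block instead). On the unchanged comparison below, `StringComparison.InvariantCultureIgnoreCase` is a linguistic comparison applied to hex digest strings; `StringComparison.OrdinalIgnoreCase` is the appropriate choice for non-linguistic data, and if a constant-time check is wanted the decoded digest bytes can be compared with `CryptographicOperations.FixedTimeEquals`.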