6 files changed, 191 insertions, 5 deletions

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 0fd509f84..171509382 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -209,6 +209,7 @@
  - [Kirill Nikiforov](https://github.com/allmazz)
  - [bjorntp](https://github.com/bjorntp)
  - [martenumberto](https://github.com/martenumberto)
+ - [ZeusCraft10](https://github.com/ZeusCraft10)
 
 # Emby Contributors
 
diff --git a/Directory.Packages.props b/Directory.Packages.props
index c7a7346f3..31b46da61 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -88,7 +88,7 @@
     <PackageVersion Include="System.Text.Json" Version="9.0.11" />
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="9.0.11" />
     <PackageVersion Include="TagLibSharp" Version="2.3.0" />
-    <PackageVersion Include="z440.atl.core" Version="7.9.0" />
+    <PackageVersion Include="z440.atl.core" Version="7.10.0" />
     <PackageVersion Include="TMDbLib" Version="2.3.0" />
     <PackageVersion Include="UTF.Unknown" Version="2.6.0" />
     <PackageVersion Include="Xunit.Priority" Version="1.1.6" />
diff --git a/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs b/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
index 5380c45d8..0381c4d35 100644
--- a/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
+++ b/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
@@ -39,22 +39,24 @@ namespace Emby.Server.Implementations.Cryptography
         {
             if (string.Equals(hash.Id, "PBKDF2", StringComparison.Ordinal))
             {
+                var iterations = GetIterationsParameter(hash);
                 return hash.Hash.SequenceEqual(
                     Rfc2898DeriveBytes.Pbkdf2(
                         password,
                         hash.Salt,
-                        int.Parse(hash.Parameters["iterations"], CultureInfo.InvariantCulture),
+                        iterations,
                         HashAlgorithmName.SHA1,
                         32));
             }
 
             if (string.Equals(hash.Id, "PBKDF2-SHA512", StringComparison.Ordinal))
             {
+                var iterations = GetIterationsParameter(hash);
                 return hash.Hash.SequenceEqual(
                     Rfc2898DeriveBytes.Pbkdf2(
                         password,
                         hash.Salt,
-                        int.Parse(hash.Parameters["iterations"], CultureInfo.InvariantCulture),
+                        iterations,
                         HashAlgorithmName.SHA512,
                         DefaultOutputLength));
             }
@@ -62,6 +64,27 @@ namespace Emby.Server.Implementations.Cryptography
             throw new NotSupportedException($"Can't verify hash with id: {hash.Id}");
         }
 
+        /// <summary>
+        /// Extracts and validates the iterations parameter from a password hash.
+        /// </summary>
+        /// <param name="hash">The password hash containing parameters.</param>
+        /// <returns>The number of iterations.</returns>
+        /// <exception cref="FormatException">Thrown when iterations parameter is missing or invalid.</exception>
+        private static int GetIterationsParameter(PasswordHash hash)
+        {
+            if (!hash.Parameters.TryGetValue("iterations", out var iterationsStr))
+            {
+                throw new FormatException($"Password hash with id '{hash.Id}' is missing required 'iterations' parameter.");
+            }
+
+            if (!int.TryParse(iterationsStr, CultureInfo.InvariantCulture, out var iterations))
+            {
+                throw new FormatException($"Password hash with id '{hash.Id}' has invalid 'iterations' parameter: '{iterationsStr}'.");
+            }
+
+            return iterations;
+        }
+
         /// <inheritdoc />
         public byte[] GenerateSalt()
             => GenerateSalt(DefaultSaltLength);
diff --git a/Jellyfin.Api/Helpers/DynamicHlsHelper.cs b/Jellyfin.Api/Helpers/DynamicHlsHelper.cs
index 16e51151d..44e1c6d5a 100644
--- a/Jellyfin.Api/Helpers/DynamicHlsHelper.cs
+++ b/Jellyfin.Api/Helpers/DynamicHlsHelper.cs
@@ -754,7 +754,9 @@ public class DynamicHlsHelper
     {
         if (string.Equals(state.ActualOutputAudioCodec, "aac", StringComparison.OrdinalIgnoreCase))
         {
-            string? profile = state.GetRequestedProfiles("aac").FirstOrDefault();
+            string? profile = EncodingHelper.IsCopyCodec(state.OutputAudioCodec)
+                ? state.AudioStream?.Profile : state.GetRequestedProfiles("aac").FirstOrDefault();
+
             return HlsCodecStringHelpers.GetAACString(profile);
         }
 
@@ -788,6 +790,19 @@ public class DynamicHlsHelper
             return HlsCodecStringHelpers.GetOPUSString();
         }
 
+        if (string.Equals(state.ActualOutputAudioCodec, "truehd", StringComparison.OrdinalIgnoreCase))
+        {
+            return HlsCodecStringHelpers.GetTRUEHDString();
+        }
+
+        if (string.Equals(state.ActualOutputAudioCodec, "dts", StringComparison.OrdinalIgnoreCase))
+        {
+            // lavc only support encoding DTS core profile
+            string? profile = EncodingHelper.IsCopyCodec(state.OutputAudioCodec) ? state.AudioStream?.Profile : "DTS";
+
+            return HlsCodecStringHelpers.GetDTSString(profile);
+        }
+
         return string.Empty;
     }
 
diff --git a/Jellyfin.Api/Helpers/HlsCodecStringHelpers.cs b/Jellyfin.Api/Helpers/HlsCodecStringHelpers.cs
index 0efb7f45d..cf42d5f10 100644
--- a/Jellyfin.Api/Helpers/HlsCodecStringHelpers.cs
+++ b/Jellyfin.Api/Helpers/HlsCodecStringHelpers.cs
@@ -42,6 +42,11 @@ public static class HlsCodecStringHelpers
     public const string OPUS = "Opus";
 
     /// <summary>
+    /// Codec name for TRUEHD.
+    /// </summary>
+    public const string TRUEHD = "mlpa";
+
+    /// <summary>
     /// Gets a MP3 codec string.
     /// </summary>
     /// <returns>MP3 codec string.</returns>
@@ -59,7 +64,7 @@ public static class HlsCodecStringHelpers
     {
         StringBuilder result = new StringBuilder("mp4a", 9);
 
-        if (string.Equals(profile, "HE", StringComparison.OrdinalIgnoreCase))
+        if (string.Equals(profile, "HE-AAC", StringComparison.OrdinalIgnoreCase))
         {
             result.Append(".40.5");
         }
@@ -118,6 +123,46 @@ public static class HlsCodecStringHelpers
     }
 
     /// <summary>
+    /// Gets an TRUEHD codec string.
+    /// </summary>
+    /// <returns>TRUEHD codec string.</returns>
+    public static string GetTRUEHDString()
+    {
+        return TRUEHD;
+    }
+
+    /// <summary>
+    /// Gets an DTS codec string.
+    /// </summary>
+    /// <param name="profile">DTS profile.</param>
+    /// <returns>DTS codec string.</returns>
+    public static string GetDTSString(string? profile)
+    {
+        if (string.Equals(profile, "DTS", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(profile, "DTS-ES", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(profile, "DTS 96/24", StringComparison.OrdinalIgnoreCase))
+        {
+            return "dtsc";
+        }
+
+        if (string.Equals(profile, "DTS-HD HRA", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(profile, "DTS-HD MA", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(profile, "DTS-HD MA + DTS:X", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(profile, "DTS-HD MA + DTS:X IMAX", StringComparison.OrdinalIgnoreCase))
+        {
+            return "dtsh";
+        }
+
+        if (string.Equals(profile, "DTS Express", StringComparison.OrdinalIgnoreCase))
+        {
+            return "dtse";
+        }
+
+        // Default to DTS core if profile is invalid
+        return "dtsc";
+    }
+
+    /// <summary>
     /// Gets a H.264 codec string.
     /// </summary>
     /// <param name="profile">H.264 profile.</param>
diff --git a/tests/Jellyfin.Server.Implementations.Tests/Cryptography/CryptographyProviderTests.cs b/tests/Jellyfin.Server.Implementations.Tests/Cryptography/CryptographyProviderTests.cs
new file mode 100644
index 000000000..052bdf740
--- /dev/null
+++ b/tests/Jellyfin.Server.Implementations.Tests/Cryptography/CryptographyProviderTests.cs
@@ -0,0 +1,102 @@
+using System;
+using Emby.Server.Implementations.Cryptography;
+using MediaBrowser.Model.Cryptography;
+using Xunit;
+
+namespace Jellyfin.Server.Implementations.Tests.Cryptography;
+
+public class CryptographyProviderTests
+{
+    private readonly CryptographyProvider _sut = new();
+
+    [Fact]
+    public void CreatePasswordHash_WithPassword_ReturnsHashWithIterations()
+    {
+        var hash = _sut.CreatePasswordHash("testpassword");
+
+        Assert.Equal("PBKDF2-SHA512", hash.Id);
+        Assert.True(hash.Parameters.ContainsKey("iterations"));
+        Assert.NotEmpty(hash.Salt.ToArray());
+        Assert.NotEmpty(hash.Hash.ToArray());
+    }
+
+    [Fact]
+    public void Verify_WithValidPassword_ReturnsTrue()
+    {
+        const string password = "testpassword";
+        var hash = _sut.CreatePasswordHash(password);
+
+        Assert.True(_sut.Verify(hash, password));
+    }
+
+    [Fact]
+    public void Verify_WithWrongPassword_ReturnsFalse()
+    {
+        var hash = _sut.CreatePasswordHash("correctpassword");
+
+        Assert.False(_sut.Verify(hash, "wrongpassword"));
+    }
+
+    [Fact]
+    public void Verify_PBKDF2_MissingIterations_ThrowsFormatException()
+    {
+        var hash = PasswordHash.Parse("$PBKDF2$69F420$62FBA410AFCA5B4475F35137AB2E8596B127E4D927BA23F6CC05C067E897042D");
+
+        var exception = Assert.Throws<FormatException>(() => _sut.Verify(hash, "password"));
+        Assert.Contains("missing required 'iterations' parameter", exception.Message, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Verify_PBKDF2SHA512_MissingIterations_ThrowsFormatException()
+    {
+        var hash = PasswordHash.Parse("$PBKDF2-SHA512$69F420$62FBA410AFCA5B4475F35137AB2E8596B127E4D927BA23F6CC05C067E897042D");
+
+        var exception = Assert.Throws<FormatException>(() => _sut.Verify(hash, "password"));
+        Assert.Contains("missing required 'iterations' parameter", exception.Message, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Verify_PBKDF2_InvalidIterationsFormat_ThrowsFormatException()
+    {
+        var hash = PasswordHash.Parse("$PBKDF2$iterations=abc$69F420$62FBA410AFCA5B4475F35137AB2E8596B127E4D927BA23F6CC05C067E897042D");
+
+        var exception = Assert.Throws<FormatException>(() => _sut.Verify(hash, "password"));
+        Assert.Contains("invalid 'iterations' parameter", exception.Message, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Verify_PBKDF2SHA512_InvalidIterationsFormat_ThrowsFormatException()
+    {
+        var hash = PasswordHash.Parse("$PBKDF2-SHA512$iterations=notanumber$69F420$62FBA410AFCA5B4475F35137AB2E8596B127E4D927BA23F6CC05C067E897042D");
+
+        var exception = Assert.Throws<FormatException>(() => _sut.Verify(hash, "password"));
+        Assert.Contains("invalid 'iterations' parameter", exception.Message, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Verify_UnsupportedHashId_ThrowsNotSupportedException()
+    {
+        var hash = PasswordHash.Parse("$UNKNOWN$69F420$62FBA410AFCA5B4475F35137AB2E8596B127E4D927BA23F6CC05C067E897042D");
+
+        Assert.Throws<NotSupportedException>(() => _sut.Verify(hash, "password"));
+    }
+
+    [Fact]
+    public void GenerateSalt_ReturnsNonEmptyArray()
+    {
+        var salt = _sut.GenerateSalt();
+
+        Assert.NotEmpty(salt);
+    }
+
+    [Theory]
+    [InlineData(16)]
+    [InlineData(32)]
+    [InlineData(64)]
+    public void GenerateSalt_WithLength_ReturnsArrayOfSpecifiedLength(int length)
+    {
+        var salt = _sut.GenerateSalt(length);
+
+        Assert.Equal(length, salt.Length);
+    }
+}