[Mono-bugs] [Bug 538406] Bad PKCS7 padding exception is thrown when trying to login or recover password under ASP.NET using encrypted passwords and AspSQLProvider.

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Mon Sep 14 09:20:23 EDT 2009


http://bugzilla.novell.com/show_bug.cgi?id=538406

User spouliot at novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=538406#c7


Sebastien Pouliot <spouliot at novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
                 CC|                            |gonzalo at novell.com,
                   |                            |mhabersack at novell.com
      Info Provider|                            |mhabersack at novell.com




--- Comment #7 from Sebastien Pouliot <spouliot at novell.com>  2009-09-14 07:20:21 MDT ---
So the current code does not work (you probably guessed that ;-) because it's
not really symmetric. The encryption provides an IV (which should not be based
on the password) while the decryption does not provide it. The decryption also
truncates the data (to remove the "IV garbage") which indicates it's likely the
author did not knew what an IV is (or how it's used).

AFAICT this got broke in r67374 - but that revision was good in the sense that
it implemented the right methods (i.e. the protected [Encrypt|Decrypt]Password)

http://anonsvn.mono-project.com/viewvc/trunk/mcs/class/System.Web/System.Web.Security/MembershipProvider.cs?r1=60240&r2=67374

As to fix this well there's no way to do it in a backward compatible way. OTOH
I don't think anyone can have a working site that depends on our code[1]

[1] likely because most MembershipProvider implementation override the base
methods.

Marek & Gonzalo: Do you know anyone that could (really) depend on the existing
code ? or that you want to contact/ask before this is fixed correctly ?

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.


More information about the mono-bugs mailing list