[Mono-bugs] [Bug 601727] New: Cannot use Web Forms MD5 authentications

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Sat May 1 16:29:34 EDT 2010


http://bugzilla.novell.com/show_bug.cgi?id=601727

http://bugzilla.novell.com/show_bug.cgi?id=601727#c0


           Summary: Cannot use Web Forms MD5 authentications
    Classification: Mono
           Product: Mono: Class Libraries
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Sys.Web
        AssignedTo: mhabersack at novell.com
        ReportedBy: djechelon at fastwebnet.it
         QAContact: mono-bugs at lists.ximian.com
          Found By: Customer
           Blocker: No


Description of Problem:
I currently use Web Forms authentication in my ASP.NET app, with a Web.config
like the following:

    <authentication mode="Forms" >
      <forms loginUrl="Login.aspx" protection="All" slidingExpiration="true"
             timeout="10">
        <credentials passwordFormat="MD5">
          <user name="admin" password="[md5 hash]" />
        </credentials>
      </forms>
    </authentication>

Under Windows it works fine and I get authenticated.
When using Mono, my login gets refused.

Couldn't test the same MD5 credentials with other authentication techniques.


Steps to reproduce the problem:
1. Configure Web.config like above
2. Create Login.aspx page with at least the following control:

<asp:Login ID="loginControl" runat="server" LoginButtonType="Button"
           Orientation="Vertical" CssClass="fieldlabel"
           RememberMeSet="false" TitleText="Login"
           OnAuthenticate="loginControl_Authenticate">

and the corresponding code-behind method:

        protected void loginControl_Authenticate(object sender, AuthenticateEventArgs e)
        {
            e.Authenticated = FormsAuthentication.Authenticate(loginControl.UserName, loginControl.Password);
        }

3. Test with proper credentials

Actual Results:
Your password is always refused

Expected Results:
Your password, matching MD5 hash, should be accepted

How often does this happen? 
Always

Additional Information:
The problem is in the FormsAuthentication.Authenticate(string,string) static
method, that should return true but returns false.
I looked into Mono code, its implementation seems correct (input password is
MD5-hashed if configuration requires hashing, then compared to stored password)
but... "return (password == stored);" statement might be the problem.
It COULD be a casing problem. If the password is stored as lowercase hex but
GetHexString returns uppercase hex or vice versa it could be causing the
problem.

I looked at GetHexString, and, as I remember, its return value is uppercase
judging by ASCII codes involved. My MD5 string in my example is lowercase.

Suggested solutions:
1. When comparing passwords, use case insensitive comparison when password is
hashed, else use case sensitive (passwords are plaintext)
2. Explicitly uppercase the stored password before comparison with hash

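The comparison the report suspects, next to its suggested solution 1, as an added example that is not part of the original report and is not Mono's source code. The class and method names are hypothetical, the UTF-8 encoding and uppercase hex output are assumptions taken from the report's description, and the sample hash is a constructed value (MD5 of the string "password").

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; not Mono's implementation. All names here are hypothetical.
static class HashedCredentialDemo
{
    // Assumption: the password is hashed as UTF-8 bytes and hex-encoded in
    // uppercase, the casing the report attributes to GetHexString.
    static string HexMd5(string password)
    {
        using (MD5 md5 = MD5.Create())
        {
            var sb = new StringBuilder();
            foreach (byte b in md5.ComputeHash(Encoding.UTF8.GetBytes(password)))
                sb.Append(b.ToString("X2"));
            return sb.ToString();
        }
    }

    // Behaviour the report suspects: an ordinal "==" between the computed
    // hex string and the stored value, so hex casing decides the outcome.
    static bool AuthenticateOrdinal(string input, string stored, bool hashed)
    {
        return (hashed ? HexMd5(input) : input) == stored;
    }

    // Suggested solution 1: ignore case only when the stored value is a hex
    // digest; plaintext passwords remain case-sensitive.
    static bool AuthenticateCaseAware(string input, string stored, bool hashed)
    {
        return hashed
            ? string.Equals(HexMd5(input), stored, StringComparison.OrdinalIgnoreCase)
            : string.Equals(input, stored, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed sample: MD5("password") as lowercase and uppercase hex.
        string lower = "5f4dcc3b5aa765d61d8327deb882cf99";
        string upper = lower.ToUpperInvariant();

        Console.WriteLine("ordinal, lowercase stored:    " + AuthenticateOrdinal("password", lower, true));
        Console.WriteLine("ordinal, uppercase stored:    " + AuthenticateOrdinal("password", upper, true));
        Console.WriteLine("case-aware, lowercase stored: " + AuthenticateCaseAware("password", lower, true));
        Console.WriteLine("case-aware, wrong password:   " + AuthenticateCaseAware("Password", lower, true));
        Console.WriteLine("case-aware, plaintext casing: " + AuthenticateCaseAware("Secret", "secret", false));
    }
}
```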