[Mono-dev] [PATCH] Fix for Membership.{Encrypt, Decrypt}Password

Konstantin Triger kostat at mainsoft.com
Tue Nov 21 06:54:40 EST 2006


Hi Marek,

You are actually adding 2 protected properties, thus changing the public interface (BTW, Algorithm is never used).

Caching the algorithm is error-prone since someone (in the future) may mistakenly use it as an algorithm instead of calling GetAlg(iv).

I think caching algorithmIVSize only (if we need caching at all) would be better.

Regards,
Kosta

-----Original Message-----
From: mono-devel-list-bounces at lists.ximian.com [mailto:mono-devel-list-bounces at lists.ximian.com] On Behalf Of Marek Habersack
Sent: Tuesday, November 21, 2006 12:38 PM
To: Mono Development List
Subject: [Mono-dev] [PATCH] Fix for Membership.{Encrypt,Decrypt}Password

Hello,

  Attached is a diff which reimplements the two methods mentioned in
the subject. The current implementation would break if the password
passed was larger than the symmetric algorithm block size and it
wouldn't take into account the IV embedded into the encrypted password
when decrypting. Also, it assumed the IV (salt) size to be 16 bytes,
which isn't forward-compatible. The reimplementation uses CryptoStream
and the size of the algorithm's IV to fix both of the problems.
  At first I thought that embedding the IV in the password passed to
{Encrypt,Decrypt}Password is incorrect according to the MS.NET
documentation, but the tests show that it's the documentation that's
wrong. 
  The diff also touches SqlMembershipProvider to account for the
salt size fix above. Please review,

best regards,

marek
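
The scheme the message above describes (IV embedded ahead of the ciphertext, IV length taken from the algorithm rather than a hard-coded 16, CryptoStream so that input longer than one block works), as an added C# illustration. It is not the attached diff or Mono's code; the class name, the choice of AES and the caller-supplied key are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class IvPrefixedPassword // hypothetical name, not a Mono type
{
    // Assumption: AES with a caller-supplied key; the mail does not show the key source.
    public static byte[] Encrypt(byte[] password, byte[] key)
    {
        using (SymmetricAlgorithm alg = Aes.Create())
        using (var ms = new MemoryStream())
        {
            alg.Key = key;
            alg.GenerateIV();                       // fresh IV for every password
            ms.Write(alg.IV, 0, alg.IV.Length);     // IV is embedded ahead of the ciphertext
            using (var cs = new CryptoStream(ms, alg.CreateEncryptor(), CryptoStreamMode.Write))
                cs.Write(password, 0, password.Length); // any length; Dispose pads the final block
            return ms.ToArray();
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] key)
    {
        using (SymmetricAlgorithm alg = Aes.Create())
        using (var ms = new MemoryStream())
        {
            byte[] iv = new byte[alg.BlockSize / 8]; // IV size from the algorithm, not a literal 16
            if (blob.Length <= iv.Length)
                throw new CryptographicException("Encrypted password is shorter than the IV.");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            alg.Key = key;
            alg.IV = iv;                            // use the embedded IV, then skip past it
            using (var cs = new CryptoStream(ms, alg.CreateDecryptor(), CryptoStreamMode.Write))
                cs.Write(blob, iv.Length, blob.Length - iv.Length);
            return ms.ToArray();
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];                  // constructed random key for the demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] pw = Encoding.UTF8.GetBytes("constructed sample password, longer than one block");
        byte[] blob = Encrypt(pw, key);
        Console.WriteLine("{0} plaintext bytes -> {1} stored bytes", pw.Length, blob.Length);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(blob, key)));
    }
}
```

Only the IV length is derived from the algorithm instance here; a new algorithm object is created per call, so nothing holding key or IV state is cached between passwords.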


