[Mono-dev] [PATCH] Fix for Membership.{Encrypt, Decrypt}Password

Marek Habersack grendel at caudium.net
Tue Nov 21 07:12:15 EST 2006


On Tue, 21 Nov 2006 03:54:40 -0800, "Konstantin Triger"
<kostat at mainsoft.com> scribbled:

> Hi Marek,
Hey Konstantin,

> You are actually adding 2 protected properties, thus changing the
Yeah, I know, but it seemed to be the simplest way to go regarding
SqlMembershipProvider (and possibly other future providers) without
exposing the properties to the rest of the assembly. But if you think
it would be ok to make them internal only, that's fine.

> public interface (BTW, Algorithm is never used).
Yes, I added it for "future use" - for the providers that might want to
use it.

> Caching algorithm is error prone since someone (in the future) may
> mistakenly use it as an algorithm instead of calling GetAlg(iv).
Yes, indeed. There is a window for a race condition there.

> I think caching algorithmIVSize only (if we need caching at all)
> would be better.
We need a way to communicate the size to the descendant classes and
since that particular piece of information could potentially be used
frequently, it seemed like an optimization to cache the de-facto
constant.

The alternative to caching and exposing the algorithm and IV size would
be to have the child classes detect the size themselves without giving
them the information from MembershipProvider. Since EncryptPassword
expects the input password to have the IV prepended to it, any
membership provider implementations (be they internal to Mono or 3rd
party) need to retrieve the algo's IV size anyway. In a provider I
wrote for PostgreSQL I resort to retrieving the same information GetAlg
gets and get the IV size from there. Perhaps, then, it would be better
to remove the internal properties and modify SqlMembershipProvider to
retrieve the algorithm information from the config on its own? That
would, to some extent, double the work done but it would be the
cleanest solution. What do you think?

regards,

marek
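
Added example, not part of the original message and not Mono's code: a provider-side helper that caches only the IV length, builds the IV-prepended buffer the message says EncryptPassword expects, and creates a fresh algorithm instance on every call instead of sharing a cached one. The class and method names, the choice of AES, and the `IV || ciphertext` output layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not Mono's MembershipProvider code.
static class IvFraming
{
    // Cache only the IV length (constant per algorithm), never a shared
    // SymmetricAlgorithm instance whose Key/IV state another caller could reuse.
    static readonly int IvSize = ProbeIvSize();

    static int ProbeIvSize()
    {
        using (SymmetricAlgorithm alg = Aes.Create())  // AES is an assumption
            return alg.BlockSize / 8;                  // BlockSize is in bits
    }

    // Build IV || password, the input layout described in the message.
    public static byte[] Frame(byte[] password)
    {
        byte[] iv = new byte[IvSize];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(iv);                          // fresh random IV each time
        byte[] buf = new byte[IvSize + password.Length];
        Buffer.BlockCopy(iv, 0, buf, 0, IvSize);
        Buffer.BlockCopy(password, 0, buf, IvSize, password.Length);
        return buf;
    }

    // Encrypt a framed buffer with a per-call algorithm instance.
    // The IV || ciphertext output layout is an assumption of this example.
    public static byte[] Encrypt(byte[] key, byte[] framed)
    {
        if (framed == null || framed.Length < IvSize)
            throw new ArgumentException("buffer shorter than the IV", "framed");
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(framed, 0, iv, 0, IvSize);
        using (SymmetricAlgorithm alg = Aes.Create())
        using (ICryptoTransform enc = alg.CreateEncryptor(key, iv))
        {
            byte[] ct = enc.TransformFinalBlock(framed, IvSize, framed.Length - IvSize);
            byte[] result = new byte[IvSize + ct.Length];
            Buffer.BlockCopy(iv, 0, result, 0, IvSize);
            Buffer.BlockCopy(ct, 0, result, IvSize, ct.Length);
            return result;
        }
    }
}
```

Calling `IvFraming.Encrypt(key, IvFraming.Frame(passwordBytes))` with a 16-, 24- or 32-byte key yields a different result on every call for the same password, because each `Frame` call draws a new IV.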