Bug #58906 MembershipProvider doesn't properly generate hashes if algorithm is keyed
Submitted: 13 Dec 2010 21:28 Modified: 7 Jan 2011 16:21
Reporter: Marvin K
Status: Closed
Category: Connector / NET Severity: S3 (Non-critical)
Version: 6.3.5 OS: Any
Assigned to: CPU Architecture: Any

[13 Dec 2010 21:28] Marvin K
Description:
The Key of the algorithm should be set if the HashAlgorithm is KeyedHashAlgorithm. Otherwise it won't produce the same hash, resulting in an invalid password match every time.

How to repeat:
You can validate this by looking at EncodePassword's output using a keyed algorithm such as HMACSHA256.

Suggested fix:
Also make sure the key is properly padded/cut to match the KeyedHashAlgorithm's key's length. I can't give any directions on how to do this because I looked at the .NET code using Reflector. You might actually want to know how Microsoft did this; otherwise the users wouldn't be exchangeable.
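The defect described above and the reporter's suggested fix (a key cut or repeated to the algorithm's key length), as an added C# example that is not Connector/NET's code; the class and method names, the 16-byte salt and the key-from-salt derivation are assumptions, and it assumes .NET Framework, where HashAlgorithm.Create("HMACSHA256") returns an HMACSHA256 instance.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not Connector/NET code. A KeyedHashAlgorithm created
// by name starts with a random Key; unless the provider sets it, the same
// password hashes differently on every call (assumes .NET Framework).
static class KeyedHashDemo
{
    // setKey == false reproduces the defect; true applies the fix.
    public static string EncodePassword(string password, byte[] salt, bool setKey)
    {
        byte[] input = Concat(salt, Encoding.Unicode.GetBytes(password));
        using (HashAlgorithm ha = HashAlgorithm.Create("HMACSHA256"))
        {
            KeyedHashAlgorithm kha = ha as KeyedHashAlgorithm;
            if (setKey && kha != null)
            {
                // Derive the key from the salt, cut or repeated to the
                // algorithm's own key length, so every instance agrees.
                byte[] key = new byte[kha.Key.Length];
                for (int i = 0; i < key.Length; i++)
                    key[i] = salt[i % salt.Length];
                kha.Key = key;
            }
            return Convert.ToBase64String(ha.ComputeHash(input));
        }
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    static void Main()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        // Hash the same password twice with independent instances: the
        // unkeyed form disagrees with itself, the keyed form matches.
        foreach (bool setKey in new[] { false, true })
            Console.WriteLine("setKey={0}: match={1}", setKey,
                EncodePassword("s3cret", salt, setKey) == EncodePassword("s3cret", salt, setKey));
    }
}
```

Because the key here is derived from the stored salt, the HMAC adds no secret beyond the salt itself; what the fix buys is a deterministic hash and interchangeability with hashes produced by the same scheme elsewhere.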
[14 Dec 2010 22:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/126857

856 Reggie Burnett	2010-12-14
      - fixed MembershipProvider to properly set a hash key when using a keyed hash algorithm (bug #58906)
[14 Dec 2010 22:59] Reggie Burnett
Fixed in 6.0.8, 6.1.6, 6.2.5, 6.3.6+
[7 Jan 2011 16:21] Tony Bedford
An entry has been added to the 6.0.8, 6.1.6, 6.2.5, and 6.3.6 changelogs:

MembershipProvider did not generate hashes correctly if the algorithm was keyed. The Key of the algorithm should have been set if the HashAlgorithm was KeyedHashAlgorithm.