[CSHARP-2163] Make PasswordEvidence implementation FIPS compliant Created: 31/Jan/18  Updated: 28/Oct/23  Resolved: 21/Feb/18

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: 2.5
Fix Version/s: 2.6.0

Type: Improvement Priority: Major - P3
Reporter: Robert Stam Assignee: Robert Stam
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to CSHARP-1331 Use of SHA256Managed is not FIPS comp... Closed
Epic Link: FIPS mode

Description

The implementation of PasswordEvidence uses SHA256Managed, which is not FIPS compliant.

In fact, PasswordEvidence doesn't need to use SHA256 at all. It is only used as an optimization for the Equals method, to avoid having to decrypt the SecureString to compare two passwords.

Equals should be implemented in such a way that two PasswordEvidence instances can be compared without using a non-FIPS compliant method.
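The following is an added illustration of the design described above; it is not the driver's code and not the change made in the linked commits. A PasswordEvidence-like type keeps a digest purely as the comparison shortcut the ticket mentions, but computes it with SHA256.Create(), the factory that on .NET Core resolves to the OS provider (CNG on Windows, OpenSSL on Linux) rather than the managed implementation; it also shows the hash-free alternative of decrypting both SecureStrings and comparing the plaintext in constant time. The type and member names (FipsPasswordEvidence, WithPasswordBytes, EqualsByPlaintext) are invented for the example, and it assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example, not the driver's code. Equals never touches SHA256Managed: the
// digest is produced by SHA256.Create(), and the plaintext fallback needs no hash.
public sealed class FipsPasswordEvidence : IEquatable<FipsPasswordEvidence>
{
    private readonly SecureString _password;
    private readonly byte[] _digest; // SHA-256 of the UTF-16 password bytes

    public FipsPasswordEvidence(SecureString password)
    {
        _password = password ?? throw new ArgumentNullException(nameof(password));
        _password.MakeReadOnly();
        _digest = WithPasswordBytes(_password, bytes =>
        {
            using (var sha = SHA256.Create()) // platform provider, not SHA256Managed
            {
                return sha.ComputeHash(bytes);
            }
        });
    }

    // Decrypts the SecureString into unmanaged memory as UTF-16, copies it into a
    // managed buffer for the duration of the callback, then zeroes both copies.
    private static T WithPasswordBytes<T>(SecureString password, Func<byte[], T> action)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] bytes = new byte[password.Length * 2]; // UTF-16: two bytes per char
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, bytes, 0, bytes.Length);
            return action(bytes);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
            {
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            }
            Array.Clear(bytes, 0, bytes.Length);
        }
    }

    // Fast path: compare the digests in constant time; no decryption needed.
    public bool Equals(FipsPasswordEvidence other)
    {
        if (other is null) return false;
        if (ReferenceEquals(this, other)) return true;
        return CryptographicOperations.FixedTimeEquals(_digest, other._digest);
    }

    // Hash-free alternative: decrypt both passwords and compare the plaintext bytes
    // in constant time. FixedTimeEquals returns false for differing lengths, so no
    // early length check is needed. Costs a decryption per comparison.
    public bool EqualsByPlaintext(FipsPasswordEvidence other)
    {
        if (other is null) return false;
        return WithPasswordBytes(_password, mine =>
            WithPasswordBytes(other._password, theirs =>
                CryptographicOperations.FixedTimeEquals(mine, theirs)));
    }

    public override bool Equals(object obj) => Equals(obj as FipsPasswordEvidence);

    public override int GetHashCode() => BitConverter.ToInt32(_digest, 0);

    // Helper for the demo below; real callers would build the SecureString
    // character by character from user input rather than from a string literal.
    public static SecureString ToSecureString(string plaintext)
    {
        var secure = new SecureString();
        foreach (char c in plaintext) secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }

    public static void Main()
    {
        // Constructed sample passwords for the demonstration.
        var a = new FipsPasswordEvidence(ToSecureString("correct horse"));
        var b = new FipsPasswordEvidence(ToSecureString("correct horse"));
        var c = new FipsPasswordEvidence(ToSecureString("battery staple"));
        Console.WriteLine($"a == b (digest):    {a.Equals(b)}");
        Console.WriteLine($"a == c (digest):    {a.Equals(c)}");
        Console.WriteLine($"a == b (plaintext): {a.EqualsByPlaintext(b)}");
    }
}
```

The digest path keeps the optimization the ticket describes while relying on whatever SHA-256 implementation the runtime's factory selects; on .NET Framework, SHA256Cng or SHA256CryptoServiceProvider are the explicit choices for a FIPS-validated provider if the factory's default is not acceptable. The plaintext path removes the hash dependency entirely at the cost of decrypting the SecureString on every comparison, which is the trade-off the description alludes to.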

Comments
Comment by Githook User [ 23/Apr/18 ]

Author:

{'email': 'robert@robertstam.org', 'username': 'rstam', 'name': 'rstam'}

Message: CSHARP-2163: Make PasswordEvidence implementation FIPS compliant.
Branch: v2.6.x
https://github.com/mongodb/mongo-csharp-driver/commit/eb425d98a681ae6ae609631d71d2ded5c3f88c56

Comment by Githook User [ 21/Feb/18 ]

Author:

{'email': 'robert@robertstam.org', 'name': 'rstam', 'username': 'rstam'}

Message: CSHARP-2163: Make PasswordEvidence implementation FIPS compliant.
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/b768be43b79c9102abba13d772d8442355883eca

Comment by Robert Stam [ 31/Jan/18 ]

Looks like switching to SHA256Managed to run on .NET Core was an inadvertent regression.

See:

https://jira.mongodb.org/browse/CSHARP-1331

Generated at Wed Feb 07 21:41:47 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.