Summary
MD5 Hashing Violation was found in Mongo Driver C#.
See Microsoft security rule CA5351
https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5351
The hashing algorithm used, MD5, has been found by researchers to be unsafe for protecting sensitive data with today's technology.
Please provide the version of the driver. If applicable, please provide the MongoDB server version and topology (standalone, replica set, or sharded cluster).
.NET Driver Version 2.14.1
How to Reproduce
Steps to reproduce. If possible, please include a Short, Self Contained, Correct (Compilable), Example.
Additional Background
Please provide any additional background information that may be helpful in diagnosing the bug.
**Line affected in** *AuthenticationHelper.cs*
mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/AuthenticationHelper.cs
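```csharp
// Excerpt; relies on System.Runtime.InteropServices (GCHandle) and System.Security.Cryptography (MD5).
private static string MongoPasswordDigest(string username, byte[] passwordBytes)
{
    var prefixString = username + ":mongo:";
    var prefixBytes = Utf8Encodings.Strict.GetBytes(prefixString);
    var buffer = new byte[prefixBytes.Length + passwordBytes.Length];
    // Pin the buffer so the GC cannot relocate (and leave copies of) the password bytes.
    var bufferHandle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    try
    {
        Buffer.BlockCopy(prefixBytes, 0, buffer, 0, prefixBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, buffer, prefixBytes.Length, passwordBytes.Length);
        // MD5 usage flagged by CA5351.
        using (var md5 = MD5.Create())
        {
            var hash = md5.ComputeHash(buffer);
            return BsonUtils.ToHexString(hash);
        }
    }
    finally
    {
        // Wipe the password-containing buffer, then release the pinned handle.
        Array.Clear(buffer, 0, buffer.Length);
        bufferHandle.Free();
    }
}
```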
- duplicates CSHARP-3729 Connection fails when using authentication while FIPS enabled (Closed)