cloudstack-dev mailing list archives

From "Amogh Vasekar" <amogh.vase...@citrix.com>
Subject Re: Review Request 13252: SHA256 timing attack and brute force attack fix
Date Mon, 05 Aug 2013 19:06:51 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/
-----------------------------------------------------------

(Updated Aug. 5, 2013, 7:06 p.m.)


Review request for cloudstack and John Burwell.


Changes
-------

Getting the diff right 


Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and https://issues.apache.org/jira/browse/CLOUDSTACK-2314


Repository: cloudstack-git


Description
-------

1. Fix timing attack by using a constant-time comparison function
2. Increase salt size
3. Make flow for invalid user go through full normal execution using a fake password and salt


Diffs (updated)
-----

  plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java
da939273ea10bff3b2687c9684edf8a5d0ab4b2e 

Diff: https://reviews.apache.org/r/13252/diff/


Testing
-------

Local environment


Thanks,

Amogh Vasekar
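
The three changes listed in the description, sketched as an added example; this is not the patch under review and not CloudStack's code. The class name, the in-memory user store, the 32-byte salt length and the sample accounts are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SaltedAuthSketch {
    private static final int SALT_LEN = 32;      // assumed size; the description only says "increase"
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed in-memory store: username -> "base64(salt):base64(hash)"
    private final Map<String, String> users = new HashMap<>();
    // Fake salt and hash so an unknown user costs the same work as a known one
    private final String fakeRecord = encode("fake-password-not-used");

    static byte[] sha256(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static String encode(String password) {
        try {
            byte[] salt = new byte[SALT_LEN];
            RNG.nextBytes(salt);
            Base64.Encoder b64 = Base64.getEncoder();
            return b64.encodeToString(salt) + ":" + b64.encodeToString(sha256(salt, password));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is required on every Java platform
        }
    }

    void register(String user, String password) { users.put(user, encode(password)); }

    boolean authenticate(String user, String password) throws NoSuchAlgorithmException {
        String record = users.get(user);
        boolean known = record != null;
        if (!known) record = fakeRecord;         // invalid user still runs the full flow
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // MessageDigest.isEqual does not return early at the first differing byte
        boolean match = MessageDigest.isEqual(expected, sha256(salt, password));
        return known & match;                    // non-short-circuit AND; fake record never authenticates
    }

    public static void main(String[] args) throws Exception {
        SaltedAuthSketch auth = new SaltedAuthSketch();
        auth.register("alice", "correct horse"); // constructed sample account
        System.out.println(auth.authenticate("alice", "correct horse"));
        System.out.println(auth.authenticate("alice", "wrong"));
        System.out.println(auth.authenticate("mallory", "fake-password-not-used"));
    }
}
```

Even when the caller supplies the password behind the fake record, the `known` flag keeps the result false, so the dummy path cannot become a login.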

