Subject: Re: Review Request 13252: SHA256 timing attack and brute force attack fix
From: "Amogh Vasekar"
To: "John Burwell"
Cc: "cloudstack", "Amogh Vasekar"
Date: Mon, 05 Aug 2013 19:06:51 -0000
Message-ID: <20130805190651.5384.18256@reviews.apache.org>
In-Reply-To: <20130805185758.5384.78769@reviews.apache.org>
References: <20130805185758.5384.78769@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/13252/
Reply-To: dev@cloudstack.apache.org
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/
-----------------------------------------------------------

(Updated Aug. 5, 2013, 7:06 p.m.)

Review request for cloudstack and John Burwell.

Changes
-------

Getting the diff right

Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and https://issues.apache.org/jira/browse/CLOUDSTACK-2314

Repository: cloudstack-git

Description
-------

1. Fix timing attack by using a constant-time comparison function
2. Increase salt size
3. Make flow for invalid user go through full normal execution using a fake password and salt

Diffs (updated)
-----

plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java da939273ea10bff3b2687c9684edf8a5d0ab4b2e

Diff: https://reviews.apache.org/r/13252/diff/

Testing
-------

Local environment

Thanks,

Amogh Vasekar
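The three fixes listed in the description (constant-time comparison, a larger salt, and a fake password and salt so a missing user costs the same work as a real one), as an added Java example that is not CloudStack's code; the class and method names are hypothetical and the 32-byte salt size is an assumption:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example, not CloudStack's SHA256SaltedUserAuthenticator.
public class SaltedSha256Verifier {
    private static final int SALT_BYTES = 32;            // assumption: larger salt than before
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed dummy credential used when the user does not exist, so the
    // invalid-user path performs the same hashing work as the valid-user path.
    private static final byte[] FAKE_SALT = new byte[SALT_BYTES];
    private static final byte[] FAKE_HASH =
            hash("fake-password".getBytes(StandardCharsets.UTF_8), FAKE_SALT);

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    static byte[] hash(byte[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Running time does not depend on where the first differing byte is
    // (MessageDigest.isEqual behaves the same on current JDKs).
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // storedHash and storedSalt are null when the user lookup found nothing.
    static boolean verify(String password, byte[] storedHash, byte[] storedSalt) {
        boolean userExists = storedHash != null && storedSalt != null;
        byte[] expected = userExists ? storedHash : FAKE_HASH;
        byte[] salt = userExists ? storedSalt : FAKE_SALT;
        byte[] computed = hash(password.getBytes(StandardCharsets.UTF_8), salt);
        // Non-short-circuit '&': the hash and compare always run in full.
        return constantTimeEquals(computed, expected) & userExists;
    }
}
```

A login for an unknown user therefore hashes and compares exactly as a login for a known user does, and only the final flag differs.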