From: Pierre-Yves Ritschard
To: dev@cloudstack.apache.org
Date: Wed, 14 Jan 2015 11:36:48 +0100
Subject: Re: [GitHub] cloudstack pull request: Use constant-time comparison functions wh...

I'll note here that this can be applied to 4.4 and 4.3 as well, modulo some simple changes.

On Wed, Jan 14, 2015 at 11:32 AM, pyr wrote:
> GitHub user pyr opened a pull request:
>
> https://github.com/apache/cloudstack/pull/65
>
> Use constant-time comparison functions when checking signatures
>
> This limits the likeliness of timing attacks against the API.
> See http://codahale.com/a-lesson-in-timing-attacks/ for the
> full rationale.
>
> You can merge this pull request into a Git repository by running:
>
> $ git pull https://github.com/exoscale/cloudstack feature/constant-time
>
> Alternatively you can review and apply these changes as the patch at:
>
> https://github.com/apache/cloudstack/pull/65.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
> This closes #65
>
> ----
> commit 9b4e39e837af498599859c4a6687eb8bf9f8ad89
> Author: Pierre-Yves Ritschard
> Date: 2015-01-14T10:27:35Z
>
> Use constant-time comparison functions when checking signatures
>
> This limits the likeliness of timing attacks against the API.
> See http://codahale.com/a-lesson-in-timing-attacks/ for the
> full rationale.
>
> Conflicts:
> server/src/com/cloud/api/ApiServer.java
> server/src/com/cloud/user/AccountManagerImpl.java
>
> ----
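The early-exit versus constant-time signature comparison the pull request is about, as an added Java example that is not part of this thread or of CloudStack's own code. The request canonicalisation (parameters sorted by name, lower-cased, joined with '&', "signature" excluded), the parameter names, the secret, and the class and method names are assumptions made for the illustration, modelled only loosely on how CloudStack API requests are signed. The hardened check uses java.security.MessageDigest.isEqual, which is constant time for equal-length inputs on JDK 7 and later (earlier JDKs had an early-exit implementation); java.util.Base64 requires Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureCompareDemo {

    // Assumed canonical form for this example: parameters sorted by name, "signature"
    // excluded, keys and values lower-cased, joined as name=value pairs with '&'.
    // Loosely modelled on CloudStack API request signing; not the project's code.
    static String canonicalize(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equalsIgnoreCase("signature")) continue;
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey().toLowerCase()).append('=').append(e.getValue().toLowerCase());
        }
        return sb.toString();
    }

    // Base64(HMAC-SHA1(secret, canonical string)): the value a client sends as "signature".
    static String sign(String canonical, String secretKey) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    // The "before" pattern (what String.equals does), written out so the leak is visible:
    // it stops at the first mismatching byte, so the work done, and hence the time taken,
    // grows with the number of leading bytes the attacker has already guessed correctly.
    // Returns the number of byte comparisons performed instead of measuring wall-clock time.
    static int leakyCompareSteps(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) return 0;
        int steps = 0;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            if (expected[i] != supplied[i]) break;   // early exit: this is the timing leak
        }
        return steps;
    }

    // The "after" pattern: MessageDigest.isEqual inspects every byte regardless of where
    // the first mismatch lies, so a forged signature with a correct prefix takes no longer
    // to reject than one that is wrong from the first byte.
    static boolean verifyConstantTime(String expected, String supplied) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Constructed forgery: keep the first n characters of the real signature, alter the rest.
    static String forgeryWithPrefix(String real, int n) {
        StringBuilder sb = new StringBuilder(real.substring(0, n));
        for (int i = n; i < real.length(); i++) sb.append(real.charAt(i) == 'A' ? 'B' : 'A');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request and secret; not real credentials.
        Map<String, String> params = new HashMap<>();
        params.put("command", "listVirtualMachines");
        params.put("apiKey", "EXAMPLEAPIKEY");
        params.put("response", "json");
        String secret = "example-secret-key";

        String real = sign(canonicalize(params), secret);
        byte[] realBytes = real.getBytes(StandardCharsets.UTF_8);

        // Forgeries sharing 0, 4, 12 and all characters with the real signature.
        for (int prefix : new int[] {0, 4, 12, real.length()}) {
            String guess = forgeryWithPrefix(real, prefix);
            System.out.printf("prefix=%2d  leaky steps=%2d  constant-time result=%b%n",
                    prefix,
                    leakyCompareSteps(realBytes, guess.getBytes(StandardCharsets.UTF_8)),
                    verifyConstantTime(real, guess));
        }
    }
}
```

Run it with `javac SignatureCompareDemo.java && java SignatureCompareDemo`. The step count of the leaky comparison rises one for one with the length of the correct prefix, which is exactly the signal an attacker recovers from response timing; the constant-time result is false for every forgery and true only for the real signature, with no dependence on the prefix. Base64-encoded HMAC-SHA1 signatures all have the same length, so the length check that MessageDigest.isEqual performs before its byte loop leaks nothing useful here.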