> On Aug. 6, 2013, 8:57 p.m., Chiradeep Vittal wrote:
> > plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java,
> >  line 43
> > <https://reviews.apache.org/r/13252/diff/3/?file=337200#file337200line43>
> >
> >     What is the impact on upgrades? That is, I already have users with salt 
> > length 20. You might have to check with both?
> >     Also, you could make it 'final static int' I guess.

Thanks for the comment!
Changed "encode" method to refer to length of salt bytes passed instead of 
static length - old salts can thus still be 20 bytes.
This change will avoid a potential IndexOutOfBounds exception.


- Amogh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/#review24743
-----------------------------------------------------------


On Aug. 6, 2013, 9:45 p.m., Amogh Vasekar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13252/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2013, 9:45 p.m.)
> 
> 
> Review request for cloudstack and John Burwell.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and 
> https://issues.apache.org/jira/browse/CLOUDSTACK-2314
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> -------
> 
> 1. Fix timing attack by using a constant-time comparison function
> 2. Increase salt size
> 3. Make flow for invalid user go through full normal execution using a fake 
> password and salt
> 
> 
> Diffs
> -----
> 
>   
> plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java
>  da939273ea10bff3b2687c9684edf8a5d0ab4b2e 
> 
> Diff: https://reviews.apache.org/r/13252/diff/
> 
> 
> Testing
> -------
> 
> Local environment
> 
> 
> Thanks,
> 
> Amogh Vasekar
> 
>
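The three changes listed in the description above (constant-time comparison, a longer salt, and a fake record for unknown users) as one worked example. This is an added illustration, not the CloudStack patch or the project's own Java code: it is written in Python, and the `<salt hex>:<sha256 hex>` storage format, the `NEW_SALT_LENGTH` value, and all function names are assumptions for the example. It also covers the point raised in the review thread, since `encode` takes the salt length from the bytes it is given rather than from a fixed constant, so a 20-byte legacy salt and a longer new salt verify through the same path.

```python
import hashlib
import hmac
import secrets

# Assumed storage format for this example: "<salt hex>:<sha256 hex>".
# Legacy records carry a 20-byte salt; new records get NEW_SALT_LENGTH bytes.
NEW_SALT_LENGTH = 32
LEGACY_SALT_LENGTH = 20


def make_salt(length: int = NEW_SALT_LENGTH) -> bytes:
    """Random salt from the OS CSPRNG; length is a parameter, not a fixed constant."""
    return secrets.token_bytes(length)


def encode(password: str, salt: bytes) -> str:
    """Hash the password with the salt given, taking the salt length from the
    bytes passed so 20-byte legacy salts and 32-byte new salts both work."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + ":" + digest


def constant_time_equals(a: bytes, b: bytes) -> bool:
    """Compare without an early exit: the OR-accumulated difference means the
    loop runs to the end whether the first byte or the last byte differs."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify(stored: str, password: str) -> bool:
    """Recompute the hash for the stored record and compare in constant time.
    hmac.compare_digest is the stdlib equivalent of constant_time_equals above."""
    salt_hex, expected_hex = stored.split(":", 1)
    salt = bytes.fromhex(salt_hex)  # salt length comes from the record itself
    actual = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual.encode("ascii"), expected_hex.encode("ascii"))


# Fake record built once at start-up (assumed design) so an unknown user costs
# the same hash computation and comparison as a real one.
FAKE_RECORD = encode(secrets.token_hex(16), make_salt())


def authenticate(users: dict, username: str, password: str) -> bool:
    """Unknown users go through the full normal path against the fake record
    and are then rejected, so timing does not reveal whether the name exists."""
    record = users.get(username)
    if record is None:
        verify(FAKE_RECORD, password)
        return False
    return verify(record, password)


if __name__ == "__main__":
    # Constructed user store: one legacy-length salt, one new-format record.
    store = {
        "legacy": encode("old-pass", make_salt(LEGACY_SALT_LENGTH)),
        "fresh": encode("new-pass", make_salt()),
    }
    print(authenticate(store, "legacy", "old-pass"))  # True
    print(authenticate(store, "fresh", "wrong"))      # False
    print(authenticate(store, "nobody", "anything"))  # False
```

`constant_time_equals` is included only to show what the constant-time property means; production code should use `hmac.compare_digest` (or `MessageDigest.isEqual` in Java) as `verify` does. The fake-record path exists so that the "user not found" and "wrong password" outcomes take the same amount of work; both return a plain `False` rather than a distinguishable error.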