Todd Lipcon has posted comments on this change. Change subject: [security] Add per-connection nonce for Kerberos replay resistance ......................................................................
Patch Set 5: (2 comments) http://gerrit.cloudera.org:8080/#/c/6137/5/src/kudu/security/crypto.cc File src/kudu/security/crypto.cc: Line 41: const size_t kNonceSize = 8; http://security.stackexchange.com/questions/1952/how-long-should-a-random-nonce-be has some people suggesting more than 64 bits are a good idea. Would it cost us anything to go to 16 bytes just for kicks? PS5, Line 250: s->resize(kNonceSize); : OPENSSL_RET_NOT_OK(RAND_bytes(reinterpret_cast<unsigned char*>(&s->front()), s->size()), : "failed to generate nonce"); : if you want to avoid the C++ sketchiness, why not just add a local buffer? char buf[kNonceSize]; ...RAND_BYTES... s->assign(buf, kNonceSize) ? I don't think the extra copy costs anything. -- To view, visit http://gerrit.cloudera.org:8080/6137 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: If0fb433896963be5e81d349ebf3a044a458e6627 Gerrit-PatchSet: 5 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Dan Burkert <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-HasComments: Yes
