Re: Binding to GSL library
On Wednesday, 25 November 2015 at 16:45:51 UTC, Radek wrote:

> I have found a bug. It should be
>
>     alias gsl_complex = _gsl_complex;
>
> not
>
>     alias gsl_complex = _gsl_complex*;
>
> On Wednesday, 25 November 2015 at 16:35:06 UTC, drug wrote:
>
> > A little bit offtopic but do you know about https://github.com/abrown25/gsld? It would be nice to join efforts.
>
> Sure, I'll share my code :) Ask me next month. What I'm doing is my student project and first I need to complete it :)

Hi, I've been a little slow updating that repository because of work, and I got a little stuck with function pointers. I hope to get back to it soon. It would be lovely if it's all finished by that time :)
Re: Password Storage
On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:

> I'm starting to build a small web-based application where I would like to authenticate users, and hence need to store passwords.
>
> After reading this: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/ and many other posts that I zombie-surfed to from that page, I'm now fearful of doing this badly. :(
>
> My reading of that post was that I should be storing things as:
>
>     hash = md5('salty-' + password)
>
> So when a user tries to authenticate, I need to:
> 1) validate the user id
> 2) find the unique "salt" I generated for that user when they registered
> 3) pre- or post-pend the salt to the password entered (apparently there is a difference??)
> 4) md5 the lot
> 5) check this md5(salt+password) against what I have stored.
>
> So for each user, I need to store in my database:
> UserName/UserID
> Salt
> Hashed_Password
>
> Can the developers in the room confirm if this is the correct approach? Are there examples of better ways of doing this?
>
> Regards
> Brian

Do not use MD5 or SHA for hashing passwords. Use PBKDF2, bcrypt, or maybe scrypt. There should be C libraries available for those algorithms; use them.

More info: http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846
Re: Something about Chinese Disorder Code
On Thursday, 26 November 2015 at 09:59:01 UTC, Marc Schütz wrote:

> No, I'm talking specifically about the cast in there, not the call to setlocale(). Does it still work if you replace this:
>
>     setlocale(0, cast(char*)"china");
>
> by that:
>
>     setlocale(0, "china");
>
> ?

Yes, of course, it works well :) I copied the code from the internet and didn't notice that. Thank you.
Password Storage
I'm starting to build a small web-based application where I would like to authenticate users, and hence need to store passwords.

After reading this: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/ and many other posts that I zombie-surfed to from that page, I'm now fearful of doing this badly. :(

My reading of that post was that I should be storing things as:

    hash = md5('salty-' + password)

So when a user tries to authenticate, I need to:
1) validate the user id
2) find the unique "salt" I generated for that user when they registered
3) pre- or post-pend the salt to the password entered (apparently there is a difference??)
4) md5 the lot
5) check this md5(salt+password) against what I have stored.

So for each user, I need to store in my database:
UserName/UserID
Salt
Hashed_Password

Can the developers in the room confirm if this is the correct approach? Are there examples of better ways of doing this?

Regards
Brian
Re: Password Storage
On Friday, 27 November 2015 at 00:50:25 UTC, brian wrote:

> Thanks for the blatant faux pas. I wasn't going to use MD5, I just meant "hash it somehow", which was not apparent from my question. My bad.
>
> Algorithm aside, the rest of that approach seems sensible then? The hash implementation was probably going to be a part 2 of this question. I'd use dcrypt (https://github.com/puzzlehawk/dcrypt) to keep all the d-goodness, but according to the author, that's not "production ready" yet. In lieu of that, I'll have a gander at those libraries you mentioned.

Yea. I've used bcrypt a few times; it's usually just using the hash function to hash the passwords, then the check function to check them, and that's it (bcrypt stores the salt along with the password).

I don't know if I'd trust dcrypt yet. No offence to the authors, but I doubt that it has gone through the review that more popular C libraries have.
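What the two replies above recommend, as an added Python example that is not code from this thread, from dcrypt, or from any of the libraries mentioned: a per-user random salt, a deliberately slow derivation (PBKDF2-HMAC-SHA256 from the standard library; bcrypt and scrypt play the same role), the salt and work factor stored next to the hash in a single record so that verification needs nothing else, and a constant-time comparison. The names make_record, verify and weak_record are mine, and the 200,000 iteration count is an assumption chosen for the demo. weak_record reproduces the md5('salty-' + password) scheme from the original question for contrast only.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this demo; tune it so a
# single verification costs a noticeable fraction of a second on your server.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return one self-describing string: algorithm, work factor, salt, hash.

    Keeping the parameters beside the hash is what lets bcrypt-style
    libraries verify with nothing but the stored string and the candidate
    password, and lets you raise the work factor for new users later.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per user, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "$".join(
        [
            "pbkdf2_sha256",
            str(iterations),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iterations)
    )
    # compare_digest does not stop at the first differing byte, so timing
    # does not leak how much of the digest a guess got right.
    return hmac.compare_digest(actual, expected)


def weak_record(password: str) -> str:
    """The scheme from the question: one static salt and one fast MD5 call.

    Shown for contrast only. The same password always yields the same
    string, and MD5 is fast enough that a stolen table can be attacked
    at billions of guesses per second.
    """
    return hashlib.md5(("salty-" + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print(stored)
    print(verify(stored, "correct horse battery staple"))  # True
    print(verify(stored, "Correct horse battery staple"))  # False
```

Registering the same password twice yields two different records because the salt is fresh each time, which is exactly what the static-salt MD5 scheme cannot give you; the work factor is the other half of the defence, and it is the part MD5 and plain SHA lack entirely.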
Re: Password Storage
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:

> ...
> At no time is the password ever sent over the network, encrypted or not.
>
> --T

So, I understand what you are trying to say, but I'm stuck on the specifics of implementation, if you'll bear with me.

> For authentication, the password shouldn't even be sent over the wire. Instead, the server (which knows the correct password) should send a challenge to the client

So my app is web based, so I don't really have the "client-server" model you are suggesting. I'm building it using Vibe.d with a mongodb backend, so hopefully the "client" will be a web-browser (or in future iterations, a mobile device - let's ignore that for now).

> random number produced by a good RNG -- which is different each time the user authenticates)

I'm not sure why I need this, so I'm going to break down an example.

Bob comes in with password "Password01". Once he enters "Password01" I want to:

Add a string to it: "StaticRandomString~Password01"
Then hash it: hash("StaticRandomString~Password01") which gives me "I#$%am%^(**&"
Then to verify Bob is Bob I need to verify "I#$%am%^(**&" against something in the database?

So in my DB I need to store: "I#$%am%^(**&"

If *this* is the scenario, then the "StaticRandomString" needs to be the same all the time, so I need to store that in the DB too, no? So now my DB contains:
"StaticRandomString"
"I#$%am%^(**&"

Your solution was to randomly generate the random string at verification time. If I do that I have: "RunTimeRandomString~Password01"
Then hash that to get "I#$%Too$%456^(am(*$(**&"
However I can't store that in the DB, because the "RunTimeRandomString" will produce a different hashed value each time.

Sooo, I need to change this scenario to:
Get the Password from the client/user and hash it.
Then add on the randomness: "RunTimeRandomString~hashed(clientEntered-Password01)"
Get that answer back.
Get the password from the server/database and hash it.
Add on the same randomness: "RunTimeRandomString~hashed(actualPassword-Password01)"
Thus in my db I only need to store hashed(Password01)
Compare results.
...
Profit.

Am I correct in these descriptions? Which is better? I know this is pedantic and not very language specific, but this is the crux of what I want to know. Doing it is easy. The "making sure I'm doing it right" bit is hard...
Re: Password Storage
On Friday, 27 November 2015 at 00:42:09 UTC, Alex Parrill wrote:

> On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
>
> > I'm starting to build a small web-based application where I would like to authenticate users, and hence need to store passwords.
> >
> > After reading this: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/ and many other posts that I zombie-surfed to from that page, I'm now fearful of doing this badly. :(
> >
> > My reading of that post was that I should be storing things as:
> >
> >     hash = md5('salty-' + password)
> >
> > So when a user tries to authenticate, I need to:
> > 1) validate the user id
> > 2) find the unique "salt" I generated for that user when they registered
> > 3) pre- or post-pend the salt to the password entered (apparently there is a difference??)
> > 4) md5 the lot
> > 5) check this md5(salt+password) against what I have stored.
> >
> > So for each user, I need to store in my database:
> > UserName/UserID
> > Salt
> > Hashed_Password
> >
> > Can the developers in the room confirm if this is the correct approach? Are there examples of better ways of doing this?
> >
> > Regards
> > Brian
>
> Do not use MD5 or SHA for hashing passwords. Use PBKDF2, bcrypt, or maybe scrypt. There should be C libraries available for those algorithms; use them.
>
> More info: http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

Thanks for the blatant faux pas. I wasn't going to use MD5, I just meant "hash it somehow", which was not apparent from my question. My bad.

Algorithm aside, the rest of that approach seems sensible then? The hash implementation was probably going to be a part 2 of this question. I'd use dcrypt (https://github.com/puzzlehawk/dcrypt) to keep all the d-goodness, but according to the author, that's not "production ready" yet. In lieu of that, I'll have a gander at those libraries you mentioned.
Re: Password Storage
On Fri, Nov 27, 2015 at 12:17:32AM +, brian via Digitalmars-d-learn wrote:
> I'm starting to build a small web-based application where I would like
> to authenticate users, and hence need to store passwords.
>
> After reading this:
> http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
> and many other posts that I zombie-surfed to from that page, I'm now
> fearful of doing this badly. :(
>
> My reading of that post was that I should be storing things as:
>
>     hash = md5('salty-' + password)
>
> So when a user tries to authenticate, I need to:
> 1) validate the user id
> 2) find the unique "salt" I generated for that user when they registered
> 3) pre- or post-pend the salt to the password entered (apparently there is a
> difference??)
> 4) md5 the lot
> 5) check this md5(salt+password) against what I have stored.
>
> So for each user, I need to store in my database:
> UserName/UserID
> Salt
> Hashed_Password
>
> Can the developers in the room confirm if this is the correct approach?
> Are there examples of better ways of doing this?
[...]

For authentication, the password shouldn't even be sent over the wire. Instead, the server (which knows the correct password) should send a challenge to the client (i.e., a large random number produced by a good RNG -- which is different each time the user authenticates). The client should then prepend this challenge to the password typed in by the user, and compute the hash of the result. This hash is sent back to the server, which does the same computation on its own, and checks whether the two hash values match. Provided you're using a good cryptographic hash, the only way the client will be able to provide the right answer is if the user actually knows the password. At no time is the password ever sent over the network, encrypted or not.

--T
Re: Multidimensional AA question
On Thursday, 26 November 2015 at 17:27:34 UTC, André wrote:

> Hi, I have a maybe trivial question on how to insert or update a given entry in a multidimensional AA. So I have this AA:
>
>     /// language, chapter, section. Content is a magic struct
>     Content[int][string][string] contentAA;
>
> In some part of my code I want to either add a complete new entry or update an existing one. I just came up with this solution but it seems complex to me:
>
>     string language, chapter;
>     int section;
>     Content* content;
>
>     if (auto l = language in contentAA) {
>         if (auto c = chapter in *l) {
>             content = section in *c;
>         }
>     }
>     if (!content) {
>         contentAA[language][chapter][section] = Content();
>         // take the address of the freshly inserted element
>         content = &contentAA[language][chapter][section];
>     }
>     /// work with content regardless whether it is updated or newly inserted
>
> My question now is: is there some more elegant solution to achieve this? Something like in C++ when you have std::map's of std::map's and just access the elements and the entry is created implicitly? Basically I would want to just have this line working out of the box:
>
>     content = &contentAA[language][chapter][section];
>
> .. and the AA would make sure the element is created if it didn't exist before. I know I could create a function for that but I am looking for a standard approach that already exists.
>
> Thanks!
> André

AA are weird in that AFAIK you need to "initialise" them before you try to look stuff up in them else they crash. i.e.

    int[string] foo;
    // auto e = "1" in foo; // crash AA not initialised
    foo["blah"] = 0;
    foo.remove("blah");
    auto e = "1" in foo; // doesn't crash

have you tried using aa.get(key, default);? i.e.

    // each default has the type of that level's value: a nested AA, a nested AA, then a Content
    contentAA.get(language, null).get(chapter, null).get(section, Content.init);

other than that are you likely to have missing sections? (i.e. do you need an AA for section or can you just use an array?) similarly; does chapter need to be indexed by string? can you get away with indexing by chapter number and storing an array of chapter names and looking that up when needed?

Nic
Re: Password Storage
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:

> For authentication, the password shouldn't even be sent over the wire. Instead, the server (which knows the correct password) should send a challenge to the client (i.e., a large random number produced by a good RNG -- which is different each time the user authenticates). The client should then prepend this challenge to the password typed in by the user, and compute the hash of the result. This hash is sent back to the server, which does the same computation on its own, and checks whether the two hash values match. Provided you're using a good cryptographic hash, the only way the client will be able to provide the right answer is if the user actually knows the password. At no time is the password ever sent over the network, encrypted or not.
>
> --T

The issue I see with this is that the server has to _know_ the password in order to hash it with the challenge. If the server is compromised, guess who else knows the password now?

Some kind of public-key encryption/signing might work, though.
Re: Password Storage
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:

> For authentication, the password shouldn't even be sent over the wire. Instead, the server (which knows the correct password) should send a challenge to the client

Most web setups can't rely on that tho cuz of the lameness of client side scripting... But at least if the password is sent over https you don't have to worry too much about the wire.
Program exited with code -11
Hello guys. I am a beginner with D and a hobbyist in general when it comes to programming. I am following an SFML tutorial in C++ and trying to "translate it" to D (at least the parts I think I understand). I am using Derelict SFML2 bindings to CSFML.

First I tried to do it the procedural way and it works fine: http://pastebin.com/6PjRCUHp

Then I tried an OOP way as per tutorial:

app.d =

    module app;
    import notquiteciv.game;

    void main() {
        Game game = new Game();
        game.gameLoop();
    }

game.d = http://pastebin.com/ps9mMxGf

When I run "dub run" or "dub run --force", I get this:

    Running ./notquiteciv
    Program exited with code -11

    $ lldb ./notquiteciv
    (run)
    Process 81278 launched: './notquiteciv' (x86_64)
    Process 81278 stopped
    * thread #1: tid = 0x14dae3, 0x, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
        frame #0: 0x
    error: memory read failed for 0x0

I am stuck. Can you give me a hint regarding this? Thank you.
Re: Program exited with code -11
On 26/11/15 9:12 PM, Alex wrote:

> Hello guys. I am a beginner with D and a hobbyist in general when it comes to programming. I am following an SFML tutorial in C++ and trying to "translate it" to D (at least the parts I think I understand). I am using Derelict SFML2 bindings to CSFML.
>
> First I tried to do it the procedural way and it works fine: http://pastebin.com/6PjRCUHp
>
> Then I tried an OOP way as per tutorial:
>
> app.d =
>
>     module app;
>     import notquiteciv.game;
>
>     void main() {
>         Game game = new Game();
>         game.gameLoop();
>     }
>
> game.d = http://pastebin.com/ps9mMxGf
>
> When I run "dub run" or "dub run --force", I get this:
>
>     Running ./notquiteciv
>     Program exited with code -11
>
>     $ lldb ./notquiteciv
>     (run)
>     Process 81278 launched: './notquiteciv' (x86_64)
>     Process 81278 stopped
>     * thread #1: tid = 0x14dae3, 0x, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
>         frame #0: 0x
>     error: memory read failed for 0x0
>
> I am stuck. Can you give me a hint regarding this? Thank you.

You forgot to load the pointers to the functions in the shared library :)

https://github.com/DerelictOrg/DerelictSFML2
Re: Program exited with code -11
On Thursday, 26 November 2015 at 08:15:02 UTC, Rikki Cattermole wrote:

> You forgot to load the pointers to the functions in the shared library :)
>
> https://github.com/DerelictOrg/DerelictSFML2

OMG. I am embarrassed. Thank you very much.
Re: dstep problem: "fatal error: 'limits.h' file not found"
On Thursday, 26 November 2015 at 07:28:37 UTC, Jacob Carlborg wrote:

> Hmm, I was pretty sure I fixed this, but perhaps not for that file. Please report an issue. In the meantime there's a workaround in the documentation [1], second paragraph, perhaps not very clear though.
>
> [1] https://github.com/jacob-carlborg/dstep#libclang

OK, I'll do that this evening once I've had an opportunity to check the workaround etc. Thanks!
optlink windows warning 178
Hello, I am trying to build against version 3.2.1 of the gtk bindings in the dub repository. The build system has built the gtkd-3.lib library file, but does not appear to want to link it to anything else. It gets stuck forever linking, but issues this warning:

    ..\..\Users\J.Spashett\AppData\Roaming\dub\packages\gtk-d-3.2.1\gtkd-3.lib Warning 178: .LIB pagesize exceeds 512
Re: optlink windows warning 178
On Thursday, 26 November 2015 at 11:00:28 UTC, SpacenJasset wrote:

> Hello, I am trying to build against version 3.2.1 of the gtk bindings in the dub repository. The build system has built the gtkd-3.lib library file, but does not appear to want to link it to anything else. It gets stuck forever linking, but issues this warning:
>
>     ..\..\Users\J.Spashett\AppData\Roaming\dub\packages\gtk-d-3.2.1\gtkd-3.lib Warning 178: .LIB pagesize exceeds 512

I had the same issue a few weeks ago: https://github.com/gtkd-developers/GtkD/issues/133

In my case optlink crashes instead of getting stuck. What I ended up doing is following the "Windows instructions" of its wiki, and building by hand with dmd. I tried to instruct dub, on Windows, not to grab gtkd from the dub repository and to use directly the gtkd-3.lib that I precompiled, but I didn't have any success (and I asked how to fix this on this forum, here: http://forum.dlang.org/thread/begtftarmwztbiqfu...@forum.dlang.org ).
Multidimensional AA question
Hi, I have a maybe trivial question on how to insert or update a given entry in a multidimensional AA. So I have this AA:

    /// language, chapter, section. Content is a magic struct
    Content[int][string][string] contentAA;

In some part of my code I want to either add a complete new entry or update an existing one. I just came up with this solution but it seems complex to me:

    string language, chapter;
    int section;
    Content* content;

    if (auto l = language in contentAA) {
        if (auto c = chapter in *l) {
            content = section in *c;
        }
    }
    if (!content) {
        contentAA[language][chapter][section] = Content();
        // take the address of the freshly inserted element
        content = &contentAA[language][chapter][section];
    }
    /// work with content regardless whether it is updated or newly inserted

My question now is: is there some more elegant solution to achieve this? Something like in C++ when you have std::map's of std::map's and just access the elements and the entry is created implicitly? Basically I would want to just have this line working out of the box:

    content = &contentAA[language][chapter][section];

.. and the AA would make sure the element is created if it didn't exist before. I know I could create a function for that but I am looking for a standard approach that already exists.

Thanks!
André
Re: Binding to GSL library
On 11/25/15 17:11, Radek via Digitalmars-d-learn wrote:
> Hi, I'm trying to bind the gsl library
> http://www.gnu.org/software/gsl/ so far it was working but when i started
> binding complex numbers some functions won't work, like trigonometric
> functions - called they return null.
>
> in gsl code complex struct looks like:
>
>     typedef struct
>     {
>         double dat[2];
>     }
>     gsl_complex;
>
> my complex struct looks like that:
>
>     struct _gsl_complex {
>         double dat[2];
>     }
>     alias gsl_complex = _gsl_complex*;
>
> So, what am I doing wrong?

That's not a struct but a pointer to a struct. Also, you can just drop the `typedef` hack (which is used in C to avoid having to type the 'struct' keyword), so:

    struct gsl_complex {
        double[2] dat;
    }

artur
Re: dstep problem: "fatal error: 'limits.h' file not found"
On 2015-11-26 10:55, Joseph Rushton Wakeling wrote:

> OK, I'll do that this evening once I've had an opportunity to check the workaround etc. Thanks!

Of course, a pull request is even more welcome. Should be very simple to fix.

-- 
/Jacob Carlborg
Re: Password Storage
On Fri, Nov 27, 2015 at 03:09:38AM +, brian via Digitalmars-d-learn wrote:
> On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
> ...
> > At no time is the password ever sent over the network, encrypted or not.
> >
> > --T
> So, I understand what you are trying to say, but I'm stuck on the
> specifics of implementation, if you'll bear with me.
>
> > For authentication, the password shouldn't even be sent over the
> > wire. Instead, the server (which knows the correct password) should
> > send a challenge to the client
>
> So my app is web based, so I don't really have a "client-server" model
> you are suggesting.
> I'm building it using Vibe.d with a mongodb backend, so hopefully the
> "client" will be a web-browser (or in future iterations, a mobile
> device - let's ignore that for now).

In this case, the "client" would be the web browser. I'm not too familiar with what a web browser might provide javascript on the page, but if javascript has a standard hashing function that could be used for this purpose.

> > random number produced by a good RNG -- which is different each time
> > the user authenticates)
> I'm not sure why I need this, so I'm going to break down an example.
[...]

Based on others' replies, maybe the approach I'm suggesting may not be the best implementation for your case, but in any case, here is how it would work:

1) The server stores password01 in the user database.

2) A client (browser) connects to the server and claims to be a valid user.

3) The server generates a random number, let's call it X, and sends X to the client. (X is the "challenge".) This is done each time somebody tries to authenticate with the server (the value of X will be different each time).

4) The client receives X, prepends it to the password that user types in (presumably the same as password01). The client then computes hash(X + password) and sends the result, let's call it Y, back to the server.

5) Meanwhile, the server also computes hash(X + password01), and obtains a value Z.

6) The server receives Y from the client, and compares Y with Z. If Y==Z, then it proves that the client knows the correct password, even though the password itself is never transmitted over the network, because the only way the client can know the value of Z is if it knows the correct password (the user entered the correct password) and does the same computation as the server. If Y!=Z, then the password is incorrect and the server rejects the login attempt.

The reason for step (3) is to prevent replay attacks: if the challenge is always the same, then a man-in-the-middle attacker can capture the packets between server and client, and replay the packets containing the client's response to the server later, thus obtaining access to user's account. Since the server's challenge is a random number that's different every time, the attacker won't be able to provide the correct response by replaying a previous correct answer.

The reason for step (4) is to prevent an eavesdropper from recovering the password by man-in-the-middle attacks. If the password is sent in plaintext, an attacker that compromised a router between the client and the server (or runs a transparent proxy masquerading as the real server) would be able to read the password off the packet while it's in transit. Even if the password is sent in encrypted form, an attacker who obtains a copy of the ciphertext could run brute-force attacks to recover the plaintext password. By only transmitting a hash (presumably a 1-way hash) back to the server, even if an attacker somehow manages to get a hold of the hash value, it won't actually reveal the password.

T

-- 
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world. -- Anonymous
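The exchange in steps 1 to 6 above, with both the client's and the server's side of it, as an added Python example that is not part of this thread. Two departures from the steps as written are mine: the server stores hash(password) rather than the plaintext, as brian's reworked variant earlier in the thread proposes, and the client's response is an HMAC keyed with that value over the challenge instead of a hash over the concatenation (the standard MAC construction for this job). AuthServer, issue_challenge, check_login, client_response and the "bob"/"Password01" sample user are my names and constructed data. Each challenge is 32 bytes from os.urandom and is consumed by exactly one login attempt, which is the property that defeats the replay described after step 6.

```python
import hashlib
import hmac
import os

CHALLENGE_BYTES = 32  # the "large random number" X


def password_secret(password: str) -> bytes:
    """Value both sides derive from the password.

    The server keeps this instead of the plaintext (brian's variant). Note
    that for this protocol it is password-equivalent: whoever holds it can
    answer challenges, which is the concern Alex Parrill raised.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(challenge: bytes, password: str) -> bytes:
    """Step 4, client side: Y = HMAC(secret, X). The password never leaves the client."""
    return hmac.new(password_secret(password), challenge, hashlib.sha256).digest()


class AuthServer:
    """Steps 1, 3, 5 and 6: user store, challenge issuance, verification."""

    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}      # username -> stored secret
        self.pending: dict[str, bytes] = {}    # username -> outstanding challenge

    def register(self, user: str, password: str) -> None:
        """Step 1: store the derived secret, not the password itself."""
        self.users[user] = password_secret(password)

    def issue_challenge(self, user: str) -> bytes:
        """Step 3: a fresh random X per attempt, remembered until it is used."""
        challenge = os.urandom(CHALLENGE_BYTES)
        self.pending[user] = challenge
        return challenge

    def check_login(self, user: str, response: bytes) -> bool:
        """Steps 5 and 6: recompute Z for the outstanding X and compare with Y.

        The challenge is popped before checking, so it is single use whether
        the attempt succeeds or fails; a captured Y is worthless afterwards.
        """
        challenge = self.pending.pop(user, None)
        secret = self.users.get(user)
        if challenge is None or secret is None:
            return False  # no challenge outstanding, or unknown user
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = AuthServer()
    server.register("bob", "Password01")           # constructed sample user

    x = server.issue_challenge("bob")              # server -> client: X
    y = client_response(x, "Password01")           # client -> server: Y
    print("correct password:", server.check_login("bob", y))     # True

    server.issue_challenge("bob")                  # a new X for the next attempt
    print("replayed Y:", server.check_login("bob", y))           # False
```

What the example does not fix is the point made earlier in the thread: the server's stored value, plaintext or plain hash, is all an attacker needs after a database compromise, so this scheme protects the password in transit and not at rest. For a browser client the reply about https applies; sending the password over TLS to a server that stores it with a slow salted hash is the usual web answer, and a challenge-response layer can be added on top if the client side can compute it.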
Derelict3 object.Error@(0): Access Violation?
    import std.stdio;
    import derelict.opengl3.gl3;
    import derelict.sdl2.sdl;

    pragma(lib, "DerelictUtil.lib");
    pragma(lib, "DerelictGL3.lib");
    pragma(lib, "derelictSDL2.lib");

    void main(){
        DerelictGL3.load();
        DerelictGL3.reload();
        //DerelictSDL2.load();
        writeln("Fred is nigh on impossible to configure");
    }

this is all the code I have, and I get an object.Error@(0): Access Violation. I have looked all over the internet and I am unable to find a fix for this. Any ideas on how to fix this or what is the cause?
Re: Derelict3 object.Error@(0): Access Violation?
On 27/11/15 8:48 PM, Alexander wrote:

>     import std.stdio;
>     import derelict.opengl3.gl3;
>     import derelict.sdl2.sdl;
>
>     pragma(lib, "DerelictUtil.lib");
>     pragma(lib, "DerelictGL3.lib");
>     pragma(lib, "derelictSDL2.lib");
>
>     void main(){
>         DerelictGL3.load();
>         DerelictGL3.reload();
>         //DerelictSDL2.load();
>         writeln("Fred is nigh on impossible to configure");
>     }
>
> this is all the code I have, and I get an object.Error@(0): Access Violation. I have looked all over the internet and I am unable to find a fix for this. Any ideas on how to fix this or what is the cause?

When you activate an OpenGL context you reload it. You do not do this when one is not activated.