
Re: [GNU Crypto] Passwords Immutable?

See inline.

Casey Marshall wrote:
> >>>>> "Bryan" == Bryan Hoover <bhoover@xxxxxxxx> writes:
> Bryan> So there may be a couple of minor implementation questions:
> Bryan> 1.  Should Password make a copy?
> I think it should in the constructor, and probably a (byte[],int,int)
> constructor should be added.
> Bryan> 2.  Should SRPClient this.password be char[] or Password?
> I'd say Password, because if Password.destroy() is called we wouldn't
> want a variable to change on us without notice.
> Bryan> Finally, I wasn't sure whether to throw an exception on
> Bryan> password access attempts subsequent to calling destroy().  I do
> Bryan> not.
> Probably an `IllegalStateException' is appropriate when getPassword is
> called on a destroyed object. It's arguably better than letting code
> use erased passwords, and failing in difficult-to-understand ways.
> Bryan> Sorry so wordy.
> Bryan> Feel free to use or not -- though I hope you will.  I can also
> Bryan> add the code to pivot (and whatever else) relative to which
> Bryan> password property use if you want to go with the additional
> Bryan> property option for compatibility.  I had fun doing it, and
> Bryan> will use it in my compile.
> We'd need copyright assignment in order to include these patches. But
> this is a really simple thing to do, so I can implement this myself.
> That is, of course, unless you have a desire to contribute more ;)

Password.java, and patches attached.

I noticed some editor parsing irregularity with SaslConnection.java
probably related to binary/ascii, cr/lf system differences.  So there
are ascii, and binary versions of patches.  On my FreeBSD account, I was
okay using the binary patch with SaslConnection.java, and the ascii
patch with SRPClient.java.  Do make back-ups before applying.

For symmetry, I guess, I added a char[] constructor with indexes, and a
byte[] constructor without, as well as the byte[] with, and char[]
without ones.  

A byte[] getBytes() function was also added.

Tested fine with the sourceforge project I'm interfacing it with.

I'll start the copyright assignment process right away.


> - --
> Casey Marshall || csm@xxxxxxx

And people flock around the poet and say:  'Sing again soon' - that is,
'May new sufferings torment your soul but your lips be fashioned as
before, for the cry would only frighten us, but the music, that is
blissful.' - (Soren Kierkegaard - Either/Or)


This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel

Attachment: Password.java
Description: java/

> import javax.security.auth.DestroyFailedException;
<    private char[] password; // the authentication credentials
>    private Password password; // the authentication credentials
>       try {
>         password.destroy();
>       }
>       catch(DestroyFailedException e) {
>         throw new RuntimeException("resetMechanism()", e);
>       }
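
Review bot: the added `password.destroy()` call (in resetMechanism(), judging by the exception message) has no null guard in the lines shown, so a reset that runs before any password has been obtained would throw NullPointerException instead of the wrapped DestroyFailedException. Suggest wrapping the try block in `if (password != null)` and setting `password = null` afterwards, so a later use fails at an obvious point.
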
<       if (DEBUG && debuglevel > 6) debug(TRACE, "Password: \""+new String(password)+"\"");
>       if (DEBUG && debuglevel > 6) debug(TRACE, "Password: \""+new String(password.getPassword())+"\"");
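
Review bot: the changed debug line still builds `new String(password.getPassword())`, which copies the secret into an immutable String that cannot be erased and then writes it to the trace output, so destroy() does not reach every copy. Suggest dropping the password from the trace, or logging only its length, and zeroing the char[] returned by getPassword() if that accessor hands out a copy.
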
<          try {
<             pBytes = new String(password).getBytes("US-ASCII");
<          } catch (UnsupportedEncodingException x) {
<             throw new SaslException("sendPublicKey()", x);
<          }
>          pBytes = password.getBytes();
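
Review bot: `pBytes = password.getBytes()` removes the explicit "US-ASCII" encoding from the call site, so the charset becomes an undocumented property of Password.getBytes(). Suggest documenting the encoding on getBytes() (or passing it as a parameter) and zeroing pBytes once the value derived from it has been computed, since that byte[] is one more copy of the secret.
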
<             password = pwdCB.getPassword();
>              password = new Password(pwdCB.getPassword());
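
Review bot: `new Password(pwdCB.getPassword())` drops the intermediate char[] without clearing it. Assuming pwdCB is a javax.security.auth.callback.PasswordCallback, getPassword() returns a copy and may return null when the handler supplied nothing. Suggest holding the array in a local, checking it for null, constructing the Password, then filling the local with zeros and calling pwdCB.clearPassword(). The same applies to the second pwdCB.getPassword() call further down.
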
<                this.password = ((String) properties.get(Registry.SASL_PASSWORD)).toCharArray();
>                password = new Password(((Password) properties.get(Registry.SASL_PASSWORD)).getPassword());
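
Review bot: the cast `(Password) properties.get(Registry.SASL_PASSWORD)` replaces a `(String)` cast, so any existing caller that still stores a String under that key now fails with ClassCastException. Suggest an instanceof check that accepts both types, or the separate compatibility property mentioned in the thread, and a SaslException with a clear message for any other type.
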
<                this.password = pwdCB.getPassword();
>                password = new Password(pwdCB.getPassword());
> import gnu.crypto.sasl.srp.Password;
<          properties.put(Registry.SASL_PASSWORD, userInfo.substring(ndx+1));
>          properties.put(Registry.SASL_PASSWORD, new Password(userInfo.substring(ndx+1).toCharArray()));
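
Review bot: `new Password(userInfo.substring(ndx+1).toCharArray())` wraps a secret that already lives in the immutable `userInfo` String, so destroying the Password later does not remove it from memory, and the temporary char[] from toCharArray() is never cleared. Worth a comment at this call site stating that limitation, and clearing the temporary array if the Password constructor copies its argument.
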

Attachment: SRPClient.patch
Description: application/unknown-content-type-patch_auto_file

Attachment: SaslConnection.patch
Description: application/unknown-content-type-patch_auto_file
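
A sketch of the semantics discussed in the thread (copy in the constructor, an offset/length constructor, IllegalStateException after destroy(), a getBytes() accessor). This is an added example, not the attached Password.java or GNU Crypto code; the class name ErasablePassword and the US-ASCII encoding in getBytes() (taken from the code the patch removes) are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.security.auth.Destroyable;

// Hypothetical sketch: class name and layout are assumptions, not the attached Password.java.
public final class ErasablePassword implements Destroyable {
    private final char[] secret;
    private boolean destroyed;

    public ErasablePassword(char[] src, int off, int len) {
        // Defensive copy, so the caller can wipe its own array without changing ours.
        secret = new char[len];
        System.arraycopy(src, off, secret, 0, len);
    }
    public synchronized char[] getPassword() {
        requireLive();
        return secret.clone(); // the caller owns this copy and should zero it after use
    }
    public synchronized byte[] getBytes() {
        requireLive();
        // Encode from the char[] without an immutable String; US-ASCII assumed, unmappable chars become '?'.
        ByteBuffer buf = StandardCharsets.US_ASCII.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0); // wipe encoder scratch space
        return out;
    }
    @Override public synchronized void destroy() {
        Arrays.fill(secret, '\0');
        destroyed = true;
    }
    @Override public synchronized boolean isDestroyed() { return destroyed; }
    private void requireLive() {
        if (destroyed) throw new IllegalStateException("password has been destroyed");
    }

    public static void main(String[] args) {
        char[] typed = {'s', '3', 'c', 'r', '3', 't'}; // constructed sample input
        ErasablePassword p = new ErasablePassword(typed, 0, typed.length);
        Arrays.fill(typed, '\0'); // caller wipes its copy; p is unaffected
        byte[] raw = p.getBytes();
        System.out.println("encoded length: " + raw.length);
        p.destroy();
        try { p.getPassword(); }
        catch (IllegalStateException e) { System.out.println("after destroy: " + e.getMessage()); }
    }
}
```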

gnu-crypto-discuss mailing list
