----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/13252/#review24743 -----------------------------------------------------------
plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java <https://reviews.apache.org/r/13252/#comment48851> What is the impact on upgrades? That is, I already have users with salt length 20. You might have to check with both? Also, you could make it 'final static int' I guess. plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java <https://reviews.apache.org/r/13252/#comment48849> convention is to have the } else { on the same line - Chiradeep Vittal On Aug. 5, 2013, 7:06 p.m., Amogh Vasekar wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/13252/ > ----------------------------------------------------------- > > (Updated Aug. 5, 2013, 7:06 p.m.) > > > Review request for cloudstack and John Burwell. > > > Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and > https://issues.apache.org/jira/browse/CLOUDSTACK-2314 > > > Repository: cloudstack-git > > > Description > ------- > > 1. Fix timing attack by using a constant-time comparison function > 2. Increase salt size > 3. Make flow for invalid user go through full normal execution using a fake > password and salt > > > Diffs > ----- > > > plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java > da939273ea10bff3b2687c9684edf8a5d0ab4b2e > > Diff: https://reviews.apache.org/r/13252/diff/ > > > Testing > ------- > > Local environment > > > Thanks, > > Amogh Vasekar > >
