-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/
-----------------------------------------------------------

(Updated Aug. 7, 2013, 7:01 p.m.)


Review request for cloudstack and John Kinsella.


Changes
-------

1. Added test case to ensure (old) 20-byte salted passwords work
2. Test cases for general authentication
3. Test cases to ensure computation time for all different scenarios are within minutely small range of each other


Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and https://issues.apache.org/jira/browse/CLOUDSTACK-2314


Repository: cloudstack-git


Description
-------

1. Fix timing attack by using a constant-time comparison function
2. Increase salt size
3. Make flow for invalid user go through full normal execution using a fake password and salt


Diffs (updated)
-----

  plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java da939273ea10bff3b2687c9684edf8a5d0ab4b2e
  plugins/user-authenticators/sha256salted/test/src/com/cloud/server/auth/test/AuthenticatorTest.java 4e23d14fe43b4e334203f48196aced038ca0a196

Diff: https://reviews.apache.org/r/13252/diff/


Testing
-------

Local environment


Thanks,

Amogh Vasekar
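
The three changes listed in the description (constant-time comparison, a larger salt, and sending an unknown user through the full flow with a fake password and salt), sketched as an added Java example. It is not the CloudStack patch or code from this review; the class name, the in-memory user map, the `salt:hash` record format and the 64-byte salt size are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SaltedAuthSketch {
    // Hypothetical user store: username -> "base64(salt):base64(sha256(salt || password))"
    private static final Map<String, String> USERS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 64; // assumed size; the e-mail only says "increase"
    // Decoy record: an unknown user still costs one hash and one comparison.
    private static final String DECOY = encode("decoy-password");

    static String encode(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(hash(salt, password));
    }

    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    static boolean authenticate(String username, String password) {
        String record = USERS.get(username);
        boolean known = record != null;
        String[] parts = (known ? record : DECOY).split(":");
        // Salt length comes from the stored record, so records with an old, shorter salt still verify.
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = hash(salt, password);
        // MessageDigest.isEqual does not stop at the first differing byte (current JDKs).
        boolean match = MessageDigest.isEqual(expected, actual);
        return known & match; // non-short-circuit AND; the decoy can never authenticate
    }

    public static void main(String[] args) {
        USERS.put("admin", encode("s3cret")); // constructed sample account
        System.out.println(authenticate("admin", "s3cret"));  // valid user, valid password
        System.out.println(authenticate("admin", "wrong"));   // valid user, wrong password
        System.out.println(authenticate("nobody", "s3cret")); // unknown user, decoy path
    }
}
```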
