[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [GNU Crypto] Passwords Immutable?
From: |
Bryan Hoover |
Subject: |
Re: [GNU Crypto] Passwords Immutable? |
Date: |
Thu, 15 Apr 2004 19:34:20 -0400 |
See inline.
Casey Marshall wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >>>>> "Bryan" == Bryan Hoover <address@hidden> writes:
>
> Bryan> So there may be a couple of minor implementation questions:
>
> Bryan> 1. Should Password make a copy?
>
> I think it should in the constructor, and probably a (byte[],int,int)
> constructor should be added.
>
> Bryan> 2. Should SRPClient this.password be char[] or Password?
>
> I'd say Password, because if Password.destroy() is called we wouldn't
> want a variable to change on us without notice.
>
> Bryan> Finally, I wasn't sure whether to throw an exception on
> Bryan> password access attempts subsequent to calling destroy(). I do
> Bryan> not.
>
> Probably an `IllegalStateException' is appropriate when getPassword is
> called on a destroyed object. It's arguably better then letting code
> use erased passwords, and failing in difficult-to-understand ways.
>
> Bryan> Sorry so wordy.
>
> Bryan> Feel free to use or not -- though I hope you will. I can also
> Bryan> add the code to pivot (and whatever else) relative to which
> Bryan> password property use if you want to go with the additional
> Bryan> property option for compatibility. I had fun doing it, and
> Bryan> will use it in my compile.
>
> We'd need copyright assignment in order to include these patches. But
> this is a really simple thing to do, so I can implement this myself.
> That is, of course, unless you have a desire to contribute more ;)
Password.java, and patches attached.
I noticed some editor parsing irregularity with SaslConnection.java
probably related to binary/ascii, cr/lf system differences. So there
are ascii, and binary versions of patches. On my Freebsd account, I was
okay using the binary patch with SaslConnection.java, and the ascii
patch with SRPClient.java. Do make back-ups before applying.
For symmetry, I guess, I added a char[] constructor with indexes, and a
byte[] constructor without, as well as the byte[] with, and char[]
without ones.
A byte[] getBytes() function was also added.
Tested fine with the sourceforge project I'm interfacing it with.
I'll start the copyright assignment process right away.
Bryan
> - --
> Casey Marshall || address@hidden
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
>
> iD8DBQFAfbIrgAuWMgRGsWsRAjvEAJoD/i9gXcuJJhR3ROOOtwAJiTiwVACdHDLy
> TS50QYsRlWhWcKIKQVgF4so=
> =L6mt
> -----END PGP SIGNATURE-----
--
And people flock around the poet and say: 'Sing again soon' - that is,
'May new sufferings torment your soul but your lips be fashioned as
before, for the cry would only frighten us, but the music, that is
blissful.' - (Soren Kierkegaard - Either/Or)
http://www.wecs.com/content.htm
This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag
Password.java
Description: java/
78a79
> import javax.security.auth.DestroyFailedException;
113c114
< private char[] password; // the authentication credentials
---
> private Password password; // the authentication credentials
197a199,206
>
> try {
> password.destroy();
> }
> catch(DestroyFailedException e) {
> throw new RuntimeException("resetMechanism()", e);
> }
>
446c455
< if (DEBUG && debuglevel > 6) debug(TRACE, "Password: \""+new
String(password)+"\"");
---
> if (DEBUG && debuglevel > 6) debug(TRACE, "Password: \""+new
> String(password.getPassword())+"\"");
522,526c531
< try {
< pBytes = new String(password).getBytes("US-ASCII");
< } catch (UnsupportedEncodingException x) {
< throw new SaslException("sendPublicKey()", x);
< }
---
> pBytes = password.getBytes();
659c664
< password = pwdCB.getPassword();
---
> password = new Password(pwdCB.getPassword());
676c681
< this.password = ((String)
properties.get(Registry.SASL_PASSWORD)).toCharArray();
---
> password = new Password(((Password)
> properties.get(Registry.SASL_PASSWORD)).getPassword());
680c685
< this.password = pwdCB.getPassword();
---
> password = new Password(pwdCB.getPassword());
51a52
> import gnu.crypto.sasl.srp.Password;
106c107
< properties.put(Registry.SASL_PASSWORD, userInfo.substring(ndx+1));
---
> properties.put(Registry.SASL_PASSWORD, new
> Password(userInfo.substring(ndx+1).toCharArray()));
SRPClient.patch
Description: application/unknown-content-type-patch_auto_file
SaslConnection.patch
Description: application/unknown-content-type-patch_auto_file
- [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Matthew Sackman, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Matthew Sackman, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/12
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/14
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/14
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/14
- Re: [GNU Crypto] Passwords Immutable?,
Bryan Hoover <=
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/20
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/21
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/21
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/21
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/22
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/22
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/23
- Re: [GNU Crypto] Passwords Immutable?, Matthew Sackman, 2004/04/16
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/04/16
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/04/16