eudoxia0 / cl-pass
Password hashing and verification library
Are you planning to implement the Scrypt algorithm or are you aware of any implementations for Common Lisp?
#'salt is not exported, and as such, the user cannot hash a password with the recommended same length salt as the hash. Please export salt.
The random state is not initialized, causing the salt value to be the same after every restart.
This:
ccl -e ' (ql:quickload :cl-pass)' -e '(print (cl-pass:hash "123"))' -e '(quit)'
should give a different hash every time. Currently it gives the same.
check-password now just compares the strings with (equal). Is it safe in Lisp?
A Go implementation uses a constant time comparison:
http://golang.org/pkg/crypto/subtle/#ConstantTimeComparea
Hashing takes lots of time sometimes in my tests.
Example:
marian@gimli ~ $ sbcl
This is SBCL 1.3.0.28-004f9d2, an implementation of ANSI Common Lisp.
More information about SBCL is available at <http://www.sbcl.org/>.
SBCL is free software, provided as is, with absolutely no warranty.
It is mostly in the public domain; some portions are provided under
BSD-style licenses. See the CREDITS and COPYING files in the
distribution for more information.
* (ql:quickload :cl-pass)
To load "cl-pass":
Load 1 ASDF system:
cl-pass
; Loading "cl-pass"
....
(:CL-PASS)
* (time (cl-pass:hash "foo"))
Evaluation took:
48.889 seconds of real time
0.314530 seconds of total run time (0.298581 user, 0.015949 system)
[ Run times consist of 0.070 seconds GC time, and 0.245 seconds non-GC time. ]
0.64% CPU
1 form interpreted
359 lambdas converted
117,064,114,257 processor cycles
64,996,992 bytes consed
"PBKDF2$SHA256:20000$72948aab7952a5cf74ff67f2f8f6092b$3a4a65e8bdd344bfd9a797308a3ace2bb788b7535950c03aa70251c73c03ab6c"
Is there a reason to use debug-level 0 in hash?
As stated in #1, the library contains a timing attack vulnerability. This could be easily solved by using a custom string= function such as this one:
(defun constant-string= (str1 str2)
  "Compare STR1 and STR2 without returning early on the first mismatch."
  (declare (optimize (speed 3) (safety 0)))
  (check-type str1 string)
  (check-type str2 string)
  ;; Start from the length difference so that strings of different length
  ;; can never compare equal; the loop below then stops at the shorter one.
  (loop :with res = (abs (- (length str1) (length str2)))
        :for c1 :across str1
        :for c2 :across str2
        ;; Accumulate every character difference instead of stopping at the
        ;; first one, so the running time does not depend on where they differ.
        :do (setq res (+ res (boole boole-xor (char-code c1) (char-code c2))))
        :finally (return (= res 0))))