eudoxia0 / cl-pass Goto Github PK
View Code? Open in Web Editor NEWPassword hashing and verification library
cl-pass's People
Contributors
Stargazers
Watchers
cl-pass's Issues
Implementation of Scrypt
Are you planning to implement the Scrypt algorithm or are you aware of any implementations for Common Lisp?
salt export
#'salt is not exported, and as such, the user cannot hash a password with the recommended same length salt as the hash. Please export salt.
Always starting with same salt value.
The random state is not initialized causing the salt value to be the same after every restart.
This ccl -e ' (ql:quickload :cl-pass)' -e '(print (cl-pass:hash "123"))' -e '(quit)' should give a different hash every time. Currently it gives the same.
check-password: Is there a way of doing constant time string comparison?
check-password now just compare to string by (equal ), is't safe in lisp?
A Go lang implement use constant time comprarison:
http://golang.org/pkg/crypto/subtle/#ConstantTimeComparea
Hashing takes lots of time sometimes
Hashing takes lots of time sometimes in my tests.
Example:
marian@gimli ~ $ sbcl
This is SBCL 1.3.0.28-004f9d2, an implementation of ANSI Common Lisp.
More information about SBCL is available at <http://www.sbcl.org/>.
SBCL is free software, provided as is, with absolutely no warranty.
It is mostly in the public domain; some portions are provided under
BSD-style licenses. See the CREDITS and COPYING files in the
distribution for more information.
* (ql:quickload :cl-pass)
To load "cl-pass":
Load 1 ASDF system:
cl-pass
; Loading "cl-pass"
....
(:CL-PASS)
* (time (cl-pass:hash "foo"))
Evaluation took:
48.889 seconds of real time
0.314530 seconds of total run time (0.298581 user, 0.015949 system)
[ Run times consist of 0.070 seconds GC time, and 0.245 seconds non-GC time. ]
0.64% CPU
1 form interpreted
359 lambdas converted
117,064,114,257 processor cycles
64,996,992 bytes consed
"PBKDF2$SHA256:20000$72948aab7952a5cf74ff67f2f8f6092b$3a4a65e8bdd344bfd9a797308a3ace2bb788b7535950c03aa70251c73c03ab6c"
Any reason for (debug 0) in hash?
Is there a reason to use debug-level 0 in hash?
Timing attack vulnerability
As stated in #1 the library contains a timing attack vulnerability. This could be easily solved by using a custom string= function such as this one:
(defun constant-string= (str1 str2)
(declare (optimize (speed 3) (safety 0)))
(check-type str1 string)
(check-type str2 string)
(loop :with res = (abs (- (length str1) (length str2)))
:for c1 :across str1
:for c2 :across str2
:do (setq res (+ res (boole boole-xor (char-code c1) (char-code c2))))
:finally (return (= res 0))))Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.