- Subject: Re: Avoiding having sensitive strings interned
- From: Coda Highland <chighland@...>
- Date: Wed, 7 Nov 2012 11:33:21 -0800
On Wed, Nov 7, 2012 at 11:31 AM, Michael Savage <mikejsavage@gmail.com> wrote:
> On Wed, Nov 07, 2012 at 04:24:11PM -0200, Luiz Henrique de Figueiredo wrote:
>> > I'm working on a web framework for Lua and I want to implement some sort of
>> > functionality that allows passwords to be verified without them ever
>> > actually being used in Lua, so they aren't interned then forever stored in
>> > memory.
>>
>> Store a digest of each password instead of the password itself.
>> Send passwords to Lua as numbers (i.e. the raw bytes).
>> In Lua convert each byte to a single-char string and update a digest.
>> At the end compare the computed digest with the stored digest.
>> My md5 library supports several digests and supports updates.
>
> I am using bcrypt which doesn't support incremental hashing, however
> automatically hashing marked fields (fields whose name begins with a dot
> etc) is neat and doable, since getting POST values from libevent needs
> some C intervention anyway.
>
> Thanks!
> Mike
>
If you're writing C code you could just use a userdata object wrapped
around a char*.
/s/ Adam