Re: Avoiding having sensitive strings interned

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Avoiding having sensitive strings interned
From: Coda Highland <chighland@...>
Date: Wed, 7 Nov 2012 11:33:21 -0800

On Wed, Nov 7, 2012 at 11:31 AM, Michael Savage <mikejsavage@gmail.com> wrote:
> On Wed, Nov 07, 2012 at 04:24:11PM -0200, Luiz Henrique de Figueiredo wrote:
>> > I'm working on a web framework for Lua and I want to implement some sort of
>> > functionality that allows passwords to be verified without them ever
>> > actually being used in Lua, so they aren't interned then forever stored in
>> > memory.
>>
>> Store a digest of each password instead of the password itself.
>> Send passwords to Lua as numbers (ie the raw bytes).
>> In Lua convert each byte to a single-char string and update a digest.
>> At the end compare the computed digest with the stored digest.
>> My md5 library supports several digests and supports updates.
>
> I am using bcrypt which doesn't support incremental hashing, however
> automatically hashing marked fields (fields whose name begins with a dot
> etc) is neat and doable, since getting POST values from libevent needs
> some C intervention anyway.
>
> Thanks!
> Mike
>

If you're writing C code you could just use a userdata object wrapped
around a char*.

/s/ Adam

References:
- Avoiding having sensitive strings interned, Michael Savage
- Re: Avoiding having sensitive strings interned, Luiz Henrique de Figueiredo
- Re: Avoiding having sensitive strings interned, Michael Savage

Prev by Date: Re: Avoiding having sensitive strings interned
Next by Date: copy by value implementaion of lua strings
Previous by thread: Re: Avoiding having sensitive strings interned
Next by thread: copy by value implementaion of lua strings
Index(es):
- Date
- Thread