This repository has been archived by the owner on Jan 10, 2021. It is now read-only.

CodeReview #26

Closed
Glusk opened this issue Feb 14, 2018 · 1 comment


Glusk commented Feb 14, 2018

https://github.com/Glusk2/wse/blob/71028ef255745912b082a144ce9027a610c67152/wse-common/src/main/java/com/github/glusk2/wse/common/crypto/srp6/SRP6HashedSesKey.java#L29

Signature should be redefined to return a byte array.


Classes:

should be renamed in order to avoid confusion regarding the session key. What is now called a session key is more often referred to as <premaster secret> (RFC5054: Appendix B. SRP Test Vectors) or secret (BouncyCastle). In order to obtain a more secure session key, the secret is typically hashed in some way.


Is this (InMemoryRecord) class really needed?


MySqlRecord doesn't handle unknown users properly - RFC5054: 2.5.1.3. Unknown SRP User Name. In order to fix this, the following is needed:

  • HMAC SHA-1 implementation,
  • FakeRecord implementation.
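
The unknown-user handling the comment above refers to, as an added example that is not part of the wse code base: RFC 5054 section 2.5.1.3 suggests deriving a stable salt as HMAC-SHA1(seed_key, "salt" | user_name) and returning a random B in [1, N-1]. The class name `FakeSrpRecord` and its methods are hypothetical and do not follow the project's record interface.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not part of wse: simulates an SRP record for a user
// name that has no verifier (RFC 5054, section 2.5.1.3).
public final class FakeSrpRecord {
    private final byte[] seedKey;   // server-side secret, at least as long as the salt
    private final SecureRandom rng = new SecureRandom();

    public FakeSrpRecord(byte[] seedKey) {
        this.seedKey = seedKey.clone();
    }

    // salt = HMAC-SHA1(seed_key, "salt" | user_name): stable per user name,
    // unpredictable without the seed key.
    public byte[] salt(String username) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(seedKey, "HmacSHA1"));
        mac.update("salt".getBytes(StandardCharsets.UTF_8));
        return mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
    }

    // For B the server returns a random value in [1, N-1].
    public BigInteger publicB(BigInteger n) {
        BigInteger b;
        do {
            b = new BigInteger(n.bitLength(), rng);
        } while (b.signum() == 0 || b.compareTo(n) >= 0);
        return b;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] seed = new byte[20];             // constructed demo seed
        new SecureRandom().nextBytes(seed);
        FakeSrpRecord fake = new FakeSrpRecord(seed);
        // The same unknown name must always yield the same salt.
        System.out.println(Arrays.equals(fake.salt("nobody"), fake.salt("nobody")));
        // Different names yield different salts.
        System.out.println(Arrays.equals(fake.salt("nobody"), fake.salt("ghost")));
        // Toy modulus for the demo only; a real server passes its group's N.
        BigInteger n = BigInteger.valueOf(1_000_003);
        BigInteger b = fake.publicB(n);
        System.out.println(b.signum() > 0 && b.compareTo(n) < 0);
    }
}
```

RFC 5054 also asks the server to simulate the computation delays of a real lookup, which this example leaves out.
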

Glusk commented Mar 27, 2018

InMemoryRecord and MySqlRecord related problems can be resolved separately, each in its own issue.
