Commits on Nov 9, 2018
Commits on Dec 19, 2017
  1. Add step to build package

    brejoc committed Dec 19, 2017
Commits on Oct 19, 2016
  1. Merge pull request #7 from maciekmm/issue-6

    brejoc committed Oct 19, 2016
    Enable passing domain's name as a parameter
Commits on Aug 2, 2015
  1. Added Makefile to generate RPM and Deb packages

    brejoc committed Aug 2, 2015
    With fpm (https://github.com/jordansissel/fpm) it is easily
    possible to generate packages for various operating systems.
    
    This Makefile includes tasks to generate RPM and Debian packages:
        * make package_deb
        * make package_rpm
Commits on Dec 28, 2014
  1. Merge pull request #5 from mgumz/master

    brejoc committed Dec 28, 2014
    Fix invalid output for golang < go-1.4
Commits on Dec 27, 2014
  1. Fix invalid output for golang < go-1.4

    mgumz committed Dec 27, 2014
    Due to the way golang implemented base64-encoding in versions
    prior to Golang-1.4, gosgp produced incorrect output. Commit
    '89b73528296c1...' cuts down the need for additional buffers
    under the assumption that the base64-Encoder calculates the
    output bits completely before storing anything. This was not
    the case for Golang-1.3.x. It is the case for Golang-1.4 (which
    uses local variables instead of pieces of the destination
    buffer).
    
    Since the algorithm depends on a certain behavior of the
    base64-Encoder which cannot be enforced in the standard library,
    I decided to reimplement the base64-encoding.
Commits on Dec 13, 2014
  1. Merge pull request #3 from mgumz/master

    brejoc committed Dec 13, 2014
    Sha512, less memory usage, no regexps, etc.
Commits on Dec 11, 2014
  1. Use golang.org/x/crypto/ssh/terminal

    mgumz committed Dec 11, 2014
    Other: minor cleanup
  2. Decrease the size of the working buffer

    mgumz committed Dec 11, 2014
    This commit is essentially the port of an optimization I found for
    [csgp][1]: to generate a password via Md5 we only need a Md5 hasher
    and a working buffer of 24 bytes (base64.StdEncoding.EncodedLen(md5.Size)).
    The 16 bytes for the raw Md5 digest are stored inside the 24 byte buffer
    like this: [24......[16..............]]. This works because:
    
    * The password parts end up directly as in the Md5 hasher (first round)
    * The md5-state is copied over into the 16byte block
    * The 16byte block gets base64-encoded. The b64-encoder chases the
      currently processed byte from the 16byte block but never catches
      up; except for the last round. In that round, any trace of the raw
      md5-state got erased by the base64-version of it:
               +--------+
           [aaaa.......[111.........]]
           [aaaabbbb...[111222......]]
           [aaaabbbbccc[c11222333...]]
    
    * The 24byte buffer is then fed into a md5-state and
      the whole process repeats.
    
    [1]: https://github.com/mgumz/csgp
Commits on Dec 10, 2014
  1. Rewrite replaceLikeSupergenpass()

    mgumz committed Dec 10, 2014
    supergenpass.com takes the output of md5/sha512 and pipes it through
    plain base64. This base64 encoded string gets modified a little bit: '/'
    becomes '8', '+' becomes '9' and the padding '=' becomes 'A'.
    
    The first optimization is to do the char-swapping while base64-encoding:
    
      var sgpBase64 *base64.Encoding
      ...
    
      sgpBase64.Encode(pw, digest)
    
    The 2nd optimization: the last 2 bytes of either base64(md5(input))
    or base64(sha512(input)) are always "==":
    
      sgpBase64.Encode(pw, digest)
      sgp.FixPadding(pw)
    
    These 2 optimizations are the core of this commit, the rest is just some
    reordering of code.
Commits on Dec 9, 2014
  1. Reduce needed buffers

    mgumz committed Dec 9, 2014
    We actually do not need 2 buffers to rotate the generated passwords around,
    we only need one. This simplifies the code a bit.
Commits on Dec 7, 2014
  1. Use simple code to check password validity instead of RE

    mgumz committed Dec 7, 2014
    Instead of having a (quite complex) regular expression to check 3 things
    in the generated password, we now use a simple loop + some if-conditions.
    This also reduces the risk of having traces of the checked passwords
    somewhere in the regular expression code.
    
    Additionally:
    
    * Enforce a minimum password length
    * Fix spelling in error messages
    * Move tests
  2. Add Sha512 variant of supergenpass

    mgumz committed Dec 7, 2014
    This commit provides the Sha512-based variant of supergenpass. It adds
    the -sha flag.
  3. Remove unused code

    mgumz committed Dec 7, 2014
  4. Use new interface 'SGP'

    mgumz committed Dec 7, 2014
    There is no need to create a concatenated buffer of 'password:domain'
    since all we do is to feed the bytes 1:1 through Md5. This changes
    'func hashPassword(out []byte, password []byte)' to
    'func hashPassword(out []byte, pw_parts ...[]byte)' and reduces the
    amount of allocations.
    
    Additionally, we also allocate a new temporary buffer in 'hashPassword'
    on each call, just to throw it away at the end of the function.
    
    'SGP' defines an interface which allows implementing a new method (sha1
    comes to mind, see supergenpass.com). 'SGPMd5' implements 'SGP', reduces
    the amount of allocations
Commits on Dec 2, 2014
  1. Changed email address.

    brejoc committed Dec 2, 2014
  2. Merge pull request #2 from mgumz/master

    brejoc committed Dec 2, 2014
    Little reimplementation of crypt.md5 to avoid leaking bits
Commits on Dec 1, 2014
  1. Added wercker config.

    brejoc committed Dec 1, 2014
Commits on Nov 30, 2014
  1. Switch to NonleakyMd5

    mgumz committed Nov 30, 2014
    Both md5.New().Sum() and md5.Sum() leak information about the
    internal state in one way or the other:
    
    * md5.New().Sum() creates a temporary copy of the hasher (which is
      not accessible after the function returns).
    * md5.Sum() creates a temporary hasher (which is not accessible
      after the function returns).
    * md5.checkSum() uses a temporary buffer (which is not
      accessible afterwards)
    * md5.New().Reset() does not zero digest.x
    
    So, to solve the problem of leaking bits, we switch to a small variant
    of crypt.Md5 called 'NonleakyMd5', see md5.go for implementation
    details. It gets access to the internal fields via 'reflect' and
    cleans the memory properly in .Reset().
  2. Fix typo

    mgumz committed Nov 30, 2014
  3. Merge pull request #1 from mgumz/master

    brejoc committed Nov 30, 2014
    Rewrite with zero used memory and reduced allocations in mind
  4. Add README.md

    mgumz committed Nov 30, 2014
  5. Zero memory after use; Refactor; Add tests

    mgumz committed Nov 30, 2014
    This commit is essentially a rewrite of the code Jochen posted
    2014-10-24 with the request for feedback. So, although this commit
    looks massive, it grew over time.
    
    The main motivation for the rewrite was to not keep sensitive information
    in RAM longer than needed. Since every Golang-Runtime might handle cleanup of the
    used RAM differently (if any memory cleanup takes place at all before the
    program exits), I decided to zero the used RAM myself. I checked the RAM
    afterwards with a generated Heap Dump (see [1]) as well as with gdb to see if any
    occurrences of sensitive information were left: I found none.
    
    Attention: this is (obviously) not a proof of absence!
    
    The original code created a lot of copies of sensitive information due to the
    use of strings.Replace(), md5.New().Sum(), returned strings etc. This made the
    code much, much shorter but spread pieces of information all over the place.
    In addition, some of the used functions of the Golang-Stdlib behave very subtly
    with regard to memory (md5.New().Sum() vs md5.Sum()).
    
    On Unix gosgp now uses syscall.Mlockall() in order to prevent gosgp from being
    swapped out to disk. This is not implemented on Microsoft Windows (yet).
    
    Other changes:
    
    * Improved UI: added -length and -domain flags
    * Add tests
    * Fix typos in the license comment
    
    [1]: https://code.google.com/p/go-wiki/wiki/heapdump13
  6. Added gosgp source file.

    brejoc committed Nov 30, 2014
  7. Initial commit

    brejoc committed Nov 30, 2014