Am 16.09.2011 14:40, schrieb Timo Sirainen:
On Fri, 2011-09-16 at 02:47 +0200, Florian Zeitz wrote:
Looks pretty good. Below are a few things I noticed. I could fix these myself next week also, or you can do them during weekend if you want to. :)
I decided to do it myself, hope this fixes all issues.
Could be nicer if client->proof was stored base64-decoded, so its validity could be checked and also later there wouldn't be need to base64-encode signature when testing it.
Doesn't verify_credentials() need to check the credentials in any way that it contains expected (sized) data? Anything is allowed?
I don't think it needs to. The password read from the database can legitimately have any length and from the client it just takes a base64 encoded SHA-1 hash. The correct size of that was previously implicitly checked when comparing the base64 encoded data (strings of different length don't compare equal). It's now explicitly checked after base64 decoding the client proof.