GNU bug report logs - #37196
27.0.50; auth-source no longer obfuscates passwords

Previous Next

Package: emacs;

Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>

Date: Tue, 27 Aug 2019 10:30:02 UTC

Severity: normal

Tags: fixed, security

Found in version 27.0.50

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #13 received at 37196 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: 37196 <at> debbugs.gnu.org
Subject: Re: bug#37196: 27.0.50; auth-source no longer obfuscates passwords
Date: Fri, 20 Sep 2019 22:13:11 +0200

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Hm.  Now that I typed that, it strikes me that this should be rather
> trivial to do with gnutls-symmetric-encrypt on systems where that is
> available.  I'll give it a go...

Fortunately I remembered that I had already written all this symmetric
encryption stuff in a separate project, so I just cut and paste a bit.

(I mean, the encryption primitives are already in Emacs, but actually
using them requires a bit of typing...)

(auth-source-search :max 1 :host "foo.bar")
=> ((:host "foo.bar" :user "zot" :secret #[0 "..." ["Ng==-26GRPWrYlJnQAE+8gaEDcg==-DThpcRwaAi5ZBXQZC0rC3g==" (nil) auth-source--deobfuscate] 3]))

There.  That's better.  It does leak that the password is 6 characters
long, though, but that's a lot less leaky than ... it was before.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
This bug report was last modified 5 years and 244 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.