Change HMAC compare to use constant_time_compare
The HMAC comparison is done using != but should use a constant-time comparison function. This patch switches to using oslo_utils.secretutils constant_time_compare. It also updates the octavia requirements.txt to have oslo.utils>=3.5.0 as global-requirements has it. Change-Id: Ic06e15d68560ada04707c97aa39434fc7c68ca63 Closes-Bug: #1548546
parent
4b45a10813
commit
fb7e8352fd
|
@ -19,6 +19,7 @@ import json
|
|||
import zlib
|
||||
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import secretutils
|
||||
|
||||
from octavia.common import exceptions
|
||||
from octavia.i18n import _LW
|
||||
|
@ -56,7 +57,7 @@ def unwrap_envelope(envelope, key):
|
|||
payload = envelope[:-hash_len]
|
||||
expected_hmc = envelope[-hash_len:]
|
||||
calculated_hmc = get_hmac(payload, key)
|
||||
if expected_hmc != calculated_hmc:
|
||||
if not secretutils.constant_time_compare(expected_hmc, calculated_hmc):
|
||||
LOG.warn(_LW('calculated hmac: %(s1)s not equal to msg hmac: '
|
||||
'%(s2)s dropping packet'), {'s1': to_hex(calculated_hmc),
|
||||
's2': to_hex(expected_hmc)})
|
||||
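Review bot: The `LOG.warn` call that follows the new `secretutils.constant_time_compare` check still writes `to_hex(calculated_hmc)` to the log, so the correct HMAC for a rejected payload is disclosed to anyone who can read the log, which is the value the constant-time comparison is meant to keep from leaking. Log the failure without the digests, for example `LOG.warn(_LW('hmac verification failed, dropping packet'))`, or at most the received value. Separately, `constant_time_compare` presumably expects both arguments to be the same type, which is worth confirming against `get_hmac`, whose definition is not shown here. The body of `unwrap_envelope` starts and ends outside this hunk.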
|
|
|
@ -25,7 +25,7 @@ oslo.reports>=0.6.0 # Apache-2.0
|
|||
oslo.rootwrap>=2.0.0 # Apache-2.0
|
||||
oslo.serialization>=1.10.0 # Apache-2.0
|
||||
oslo.service>=1.0.0 # Apache-2.0
|
||||
oslo.utils>=3.4.0 # Apache-2.0
|
||||
oslo.utils>=3.5.0 # Apache-2.0
|
||||
PyMySQL>=0.6.2 # MIT License
|
||||
python-barbicanclient>=3.3.0 # Apache-2.0
|
||||
python-novaclient!=2.33.0,>=2.29.0 # Apache-2.0
|
||||
|
|