Change HMAC compare to use constant_time_compare

HMAC comparison is done using != but should use a constant-time
comparison function.
This patch switches to using oslo_utils.secretutils constant_time_compare.
It also updates the octavia requirements.txt to have oslo.utils>=3.5.0
as global-requirements has it.

Change-Id: Ic06e15d68560ada04707c97aa39434fc7c68ca63
Closes-Bug: #1548546
This commit is contained in:
Michael Johnson 2016-02-23 00:37:59 +00:00
parent 4b45a10813
commit fb7e8352fd
2 changed files with 3 additions and 2 deletions


@ -19,6 +19,7 @@ import json
import zlib
from oslo_log import log as logging
from oslo_utils import secretutils
from octavia.common import exceptions
from octavia.i18n import _LW
@ -56,7 +57,7 @@ def unwrap_envelope(envelope, key):
payload = envelope[:-hash_len]
expected_hmc = envelope[-hash_len:]
calculated_hmc = get_hmac(payload, key)
if expected_hmc != calculated_hmc:
if not secretutils.constant_time_compare(expected_hmc, calculated_hmc):
LOG.warn(_LW('calculated hmac: %(s1)s not equal to msg hmac: '
'%(s2)s dropping packet'), {'s1': to_hex(calculated_hmc),
's2': to_hex(expected_hmc)})
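Review bot: The new `if not secretutils.constant_time_compare(expected_hmc, calculated_hmc):` line should carry a why-comment so a later reader does not "simplify" it back to `!=`: `# Constant-time compare: a plain != stops at the first differing byte, so response timing would reveal how much of the tag matched.` The warning that follows still logs `to_hex(calculated_hmc)`, which is the valid HMAC for the received payload; if these logs are readable by anyone other than the operator, that leaks the correct tag, so consider logging only the received tag or a short prefix. Both `constant_time_compare` and the `hmac.compare_digest` it wraps return False rather than raising when the lengths differ, so a short envelope is handled, but the two operands must be the same type (bytes vs text) — worth confirming that `get_hmac` and the envelope slice agree under Python 3. `unwrap_envelope` starts above this hunk.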


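--- a/requirements.txt
+++ b/requirements.txt
@@ -25,7 +25,7 @@ oslo.reports>=0.6.0 # Apache-2.0
 oslo.rootwrap>=2.0.0 # Apache-2.0
 oslo.serialization>=1.10.0 # Apache-2.0
 oslo.service>=1.0.0 # Apache-2.0
-oslo.utils>=3.4.0 # Apache-2.0
+oslo.utils>=3.5.0 # Apache-2.0
 PyMySQL>=0.6.2 # MIT License
 python-barbicanclient>=3.3.0 # Apache-2.0
 python-novaclient!=2.33.0,>=2.29.0 # Apache-2.0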