s3api: Use constant-time string comparisons in check_signature

Change-Id: Ibe514a7ab22d475517b1efc50de676f47d741a4c (cherry picked from commit 6142ce88cc)
2022-04-13 15:31:52 -07:00 · 2022-04-13 15:31:52 -07:00 · 430bb7f568
parent ffcb1ff001
commit 430bb7f568
2 changed files with 14 additions and 3 deletions
--- a/swift/common/middleware/s3api/s3request.py
+++ b/swift/common/middleware/s3api/s3request.py
@ -26,7 +26,7 @@ from six.moves.urllib.parse import quote, unquote, parse_qsl
 import string

 from swift.common.utils import split_path, json, get_swift_info, \
-    close_if_possible
+    close_if_possible, streq_const_time
 from swift.common import swob
 from swift.common.http import HTTP_OK, HTTP_CREATED, HTTP_ACCEPTED, \
    HTTP_NO_CONTENT, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, HTTP_NOT_FOUND, \
@ -159,7 +159,7 @@ class SigV4Mixin(object):
                derived_secret, scope_piece.encode('utf8'), sha256).digest()
        valid_signature = hmac.new(
            derived_secret, self.string_to_sign, sha256).hexdigest()
-        return user_signature == valid_signature
+        return streq_const_time(user_signature, valid_signature)

    @property
    def _is_query_auth(self):
@ -565,7 +565,7 @@ class S3Request(swob.Request):
            secret, self.string_to_sign, sha1).digest()).strip()
        if not six.PY2:
            valid_signature = valid_signature.decode('ascii')
-        return user_signature == valid_signature
+        return streq_const_time(user_signature, valid_signature)

    @property
    def timestamp(self):
--- a/test/unit/common/middleware/s3api/test_s3request.py
+++ b/test/unit/common/middleware/s3api/test_s3request.py
@ -780,6 +780,11 @@ class TestRequest(S3ApiTestCase):
        self.assertEqual(expected_sts, sigv2_req._string_to_sign())
        self.assertTrue(sigv2_req.check_signature(secret))

+        with patch('swift.common.middleware.s3api.s3request.streq_const_time',
+                   return_value=True) as mock_eq:
+            self.assertTrue(sigv2_req.check_signature(secret))
+        mock_eq.assert_called_once()
+
    def test_check_signature_sigv2(self):
        self._test_check_signature_sigv2(
            'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
@ -819,6 +824,12 @@ class TestRequest(S3ApiTestCase):
        self.assertFalse(sigv4_req.check_signature(
            u'\u30c9\u30e9\u30b4\u30f3'))

+        with patch('swift.common.middleware.s3api.s3request.streq_const_time',
+                   return_value=False) as mock_eq:
+            self.assertFalse(sigv4_req.check_signature(
+                u'\u30c9\u30e9\u30b4\u30f3'))
+        mock_eq.assert_called_once()
+

 class TestHashingInput(S3ApiTestCase):
    def test_good(self):