x/python-ganttclient
Code Issues Proposed changes

Use constant time string comparisons for auth.

Browse Source 
Fix bug 942644.

Use constant time string comparisons when doing authentication to help
guard against timing attacks.

Change-Id: Iaaefb13f7618b06834630d9ccb97aff056b4bf4c
This commit is contained in:
Russell Bryant
2012-02-28 10:55:38 -05:00
parent caff14bb65
commit 5be6fe5619
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nova/auth/manager.py
View File

@@ -328,7 +328,7 @@ class AuthManager(object):
LOG.debug(_('user.secret: %s'), user.secret) LOG.debug(_('user.secret: %s'), user.secret)
LOG.debug(_('expected_signature: %s'), expected_signature) LOG.debug(_('expected_signature: %s'), expected_signature)
LOG.debug(_('signature: %s'), signature) LOG.debug(_('signature: %s'), signature)
if signature != expected_signature: if not utils.strcmp_const_time(signature, expected_signature):
LOG.audit(_("Invalid signature for user %s"), user.name) LOG.audit(_("Invalid signature for user %s"), user.name)
raise exception.InvalidSignature(signature=signature, raise exception.InvalidSignature(signature=signature,
user=user) user=user)
@@ -340,7 +340,7 @@ class AuthManager(object):
LOG.debug(_('user.secret: %s'), user.secret) LOG.debug(_('user.secret: %s'), user.secret)
LOG.debug(_('expected_signature: %s'), expected_signature) LOG.debug(_('expected_signature: %s'), expected_signature)
LOG.debug(_('signature: %s'), signature) LOG.debug(_('signature: %s'), signature)
if signature != expected_signature: if not utils.strcmp_const_time(signature, expected_signature):
(addr_str, port_str) = utils.parse_server_string(server_string) (addr_str, port_str) = utils.parse_server_string(server_string)
# If the given server_string contains port num, try without it. # If the given server_string contains port num, try without it.
if port_str != '': if port_str != '':
@@ -349,7 +349,7 @@ class AuthManager(object):
addr_str, path) addr_str, path)
LOG.debug(_('host_only_signature: %s'), LOG.debug(_('host_only_signature: %s'),
host_only_signature) host_only_signature)
if signature == host_only_signature: if utils.strcmp_const_time(signature, host_only_signature):
return (user, project) return (user, project)
LOG.audit(_("Invalid signature for user %s"), user.name) LOG.audit(_("Invalid signature for user %s"), user.name)
raise exception.InvalidSignature(signature=signature, raise exception.InvalidSignature(signature=signature,