diff options
author | Jeff Forcier <jeff@bitprophet.org> | 2014-02-14 11:52:00 -0800 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2014-02-14 11:52:00 -0800 |
commit | 9d7aeff7b19aabacecdb42d86af15bdb45e01e20 (patch) | |
tree | ddb26023ad9f4ef7dfb4cbd2919193ed05bb1532 /paramiko/packet.py | |
parent | 457a34f55b1d69c3f7699b3bc055f6c6d90371cd (diff) | |
download | paramiko-9d7aeff7b19aabacecdb42d86af15bdb45e01e20.tar.gz |
Use constant time hash comparisons for improved security.
See e.g. http://codahale.com/a-lesson-in-timing-attacks/
Mega thanks to Alex Gaynor for the original patch.
Diffstat (limited to 'paramiko/packet.py')
-rw-r--r-- | paramiko/packet.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/paramiko/packet.py b/paramiko/packet.py index 3f85d668..dce4383a 100644 --- a/paramiko/packet.py +++ b/paramiko/packet.py @@ -358,7 +358,7 @@ class Packetizer (object): mac = post_packet[:self.__mac_size_in] mac_payload = struct.pack('>II', self.__sequence_number_in, packet_size) + packet my_mac = compute_hmac(self.__mac_key_in, mac_payload, self.__mac_engine_in)[:self.__mac_size_in] - if my_mac != mac: + if not util.constant_time_bytes_eq(my_mac, mac): raise SSHException('Mismatched MAC') padding = ord(packet[0]) payload = packet[1:packet_size - padding] |