Use constant time hash comparisons for improved security.

See e.g. http://codahale.com/a-lesson-in-timing-attacks/ Mega thanks to Alex Gaynor for the original patch.
author: Jeff Forcier <jeff@bitprophet.org> 2014-02-14 11:52:00 -0800
committer: Jeff Forcier <jeff@bitprophet.org> 2014-02-14 11:52:00 -0800
commit: 9d7aeff7b19aabacecdb42d86af15bdb45e01e20 (patch)
tree: ddb26023ad9f4ef7dfb4cbd2919193ed05bb1532 /paramiko/packet.py
parent: 457a34f55b1d69c3f7699b3bc055f6c6d90371cd (diff)
download: paramiko-9d7aeff7b19aabacecdb42d86af15bdb45e01e20.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/paramiko/packet.py b/paramiko/packet.py
index 3f85d668..dce4383a 100644
--- a/paramiko/packet.py
+++ b/paramiko/packet.py
@@ -358,7 +358,7 @@ class Packetizer (object):
             mac = post_packet[:self.__mac_size_in]
             mac_payload = struct.pack('>II', self.__sequence_number_in, packet_size) + packet
             my_mac = compute_hmac(self.__mac_key_in, mac_payload, self.__mac_engine_in)[:self.__mac_size_in]
-            if my_mac != mac:
+            if not util.constant_time_bytes_eq(my_mac, mac):
                 raise SSHException('Mismatched MAC')
         padding = ord(packet[0])
         payload = packet[1:packet_size - padding]
author	Jeff Forcier <jeff@bitprophet.org>	2014-02-14 11:52:00 -0800
committer	Jeff Forcier <jeff@bitprophet.org>	2014-02-14 11:52:00 -0800
commit	9d7aeff7b19aabacecdb42d86af15bdb45e01e20 (patch)
tree	ddb26023ad9f4ef7dfb4cbd2919193ed05bb1532 /paramiko/packet.py
parent	457a34f55b1d69c3f7699b3bc055f6c6d90371cd (diff)
download	paramiko-9d7aeff7b19aabacecdb42d86af15bdb45e01e20.tar.gz