From 6f6b6972036adc5d1937fbb4f63c0b279d630cb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vlastimil=20Z=C3=ADma?=
Date: Fri, 11 May 2018 13:54:14 +0200
Subject: Use cryptography for signature comparison
---
openid/association.py | 3 ++-
openid/cryptutil.py | 11 -----------
setup.py | 1 +
3 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/openid/association.py b/openid/association.py
index de607f4..ca063bd 100644
--- a/openid/association.py
+++ b/openid/association.py
@@ -28,6 +28,7 @@ from __future__ import unicode_literals
import time
import six
+from cryptography.hazmat.primitives.constant_time import bytes_eq
from openid import cryptutil, kvform, oidutil
from openid.message import OPENID_NS
@@ -513,7 +514,7 @@ class Association(object):
if not message_sig:
raise ValueError("%s has no sig." % (message,))
calculated_sig = self.getMessageSignature(message)
- return cryptutil.const_eq(calculated_sig, message_sig)
+ return bytes_eq(calculated_sig.encode('utf-8'), message_sig.encode('utf-8'))
def _makePairs(self, message):
signed = message.getArg(OPENID_NS, 'signed')
diff --git a/openid/cryptutil.py b/openid/cryptutil.py
index 3fddee6..86c3e86 100644
--- a/openid/cryptutil.py
+++ b/openid/cryptutil.py
@@ -182,14 +182,3 @@ def longToBase64(l):
def base64ToLong(s):
return binaryToLong(fromBase64(s))
- - def const_eq(s1, s2): if len(s1) != len(s2): return False result = True for i in range(len(s1)): result = result and (s1[i] == s2[i]) return result
diff --git a/setup.py b/setup.py
index a230b66..52bca80 100644
--- a/setup.py
+++ b/setup.py
@@ -13,6 +13,7 @@ if 'sdist' in sys.argv:
VERSION = __import__('openid').__version__
INSTALL_REQUIRES = [
'six',
+ 'cryptography',
'lxml;platform_python_implementation=="CPython"',
'lxml <4.0;platform_python_implementation=="PyPy"',
]
-- 
cgit v1.2.1
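Review bot: The new `bytes_eq` call assumes both `calculated_sig` and `message_sig` are text, because `.encode('utf-8')` is applied to each, whereas the `const_eq` it replaces accepted any indexable sequence; a caller or message accessor that hands back a byte string (this module still targets Python 2 via `six`) would now get an AttributeError or UnicodeDecodeError out of the signature check instead of a verdict — what `getMessageSignature` and the `sig` lookup actually return is not visible in this hunk, so treat that as something to confirm. If mixed types are possible, normalise both operands first, e.g. `def _sig_bytes(s): return s.encode('utf-8') if isinstance(s, six.text_type) else s` and then `return bytes_eq(_sig_bytes(calculated_sig), _sig_bytes(message_sig))`, letting `bytes_eq`'s own TypeError reject anything that is neither. A why-comment on the return line would also stop the next maintainer from "simplifying" it back to `==`: `# Constant-time compare: a short-circuiting == leaks the index of the first mismatching byte, letting a forged sig be built byte by byte.` The enclosing method starts outside the hunk.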
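Review bot: `'cryptography'` is added to INSTALL_REQUIRES with no version bound, so a resolver may install any release — older or newer than the one `hazmat.primitives.constant_time.bytes_eq` was tested against — and the package's new security-critical comparison rides on whatever ends up installed; give it a floor matching the tested version, e.g. `'cryptography>=2.0',` (the exact floor cannot be determined from this diff). This also turns a compiled, OpenSSL-linked package into a hard install requirement for every consumer, for the sake of a single comparison; if the supported Python floor is at least 2.7.7 / 3.3, `hmac.compare_digest` from the standard library gives the same constant-time equality with no new dependency. The `INSTALL_REQUIRES` list is fully visible in the hunk.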