author | ChangBo Guo(gcb) <eric.guo@easystack.cn> | 2016-10-17 17:15:11 +0800 |
---|---|---|
committer | ChangBo Guo(gcb) <eric.guo@easystack.cn> | 2016-10-27 03:28:32 +0800 |
commit | a3accb74512b5355a020c876190e3d1a44455b6c (patch) | |
tree | 3d8561561c719f13ea5a64b571936a35d1969743 | |
parent | 80fcdf5954fcfcf1dd22e3b4b7cd489feaafcb9e (diff) | |
Use method constant_time_compare from oslo.utils
oslo.utils provides the same function, constant_time_compare, so just use it.
Change-Id: I790a25c4bc28a2c10ff6fb2a2f356b12df98ca6b
-rw-r--r-- | osprofiler/_utils.py | 29 |
1 files changed, 2 insertions, 27 deletions
diff --git a/osprofiler/_utils.py b/osprofiler/_utils.py
index 82e3977..3d5c1cc 100644
--- a/osprofiler/_utils.py
+++ b/osprofiler/_utils.py
@@ -19,34 +19,9 @@
 import hmac
 import json
 import os
+from oslo_utils import secretutils
 import six
-try:
- # Only in python 2.7.7+ (and python 3.3+)
- # https://docs.python.org/2/library/hmac.html#hmac.compare_digest
- from hmac import compare_digest # noqa
-except (AttributeError, ImportError):
- # Taken/slightly modified from:
- # https://mail.python.org/pipermail/python-checkins/2012-June/114532.html
- def compare_digest(a, b):
- """Returns the equivalent of 'a == b'.
-
- This method avoids content based short circuiting to reduce the
- vulnerability to timing attacks.
- """
- # We assume the length of the expected digest is public knowledge,
- # thus this early return isn't leaking anything an attacker wouldn't
- # already know
- if len(a) != len(b):
- return False
-
- # We assume that integers in the bytes range are all cached,
- # thus timing shouldn't vary much due to integer object creation
- result = 0
- for x, y in zip(a, b):
- result |= ord(x) ^ ord(y)
- return result == 0
-
 def split(text, strip=True):
 """Splits a comma separated text blob into its components.
@@ -131,7 +106,7 @@ def signed_unpack(data, hmac_data, hmac_keys):
 except Exception: # nosec
 pass
 else:
- if compare_digest(hmac_data, user_hmac_data):
+ if secretutils.constant_time_compare(hmac_data, user_hmac_data):
 try:
 contents = json.loads(
 binary_decode(base64.urlsafe_b64decode(data))) |
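Review bot: The added `from oslo_utils import secretutils` makes oslo.utils an import-time requirement of `osprofiler/_utils.py`, and the removed block was the local fallback for interpreters without `hmac.compare_digest`. The diffstat lists only this one file, so it is not visible here whether oslo.utils is already declared in the project's requirements at a release that ships `secretutils.constant_time_compare`. That should be confirmed before merge, because a missing or too-old package would fail at module import rather than at the comparison.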
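Review bot: The comparison runs in the `else:` branch, outside the `try`/`except Exception` just above it, so any exception it raises leaves `signed_unpack` instead of being treated as a failed match. If `secretutils.constant_time_compare` delegates to `hmac.compare_digest` (as the removed code did on Python 2.7.7+/3.3+), a `str`/`bytes` mismatch or a non-ASCII `str` in `hmac_data` would raise `TypeError`. Whether `hmac_data` can arrive in that form depends on callers outside this hunk. Consider normalising both operands to bytes before the call or treating `TypeError` as a non-match, and keep the removed rationale with a call-site comment such as `# constant-time compare: no content-based short circuit on the digest`. The enclosing loop and the rest of `signed_unpack` lie outside the hunk.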