diff options
| author |  jesopo | 2019-02-12 11:57:49 +0000 |
|---|---|---|
| committer | jesopo | 2019-02-12 11:57:49 +0000 |
| commit | 9667b8a6e08b57db952162c28a7a079068dfdd04 (patch) | |
| tree | d920411734d2d81dee34341fa9ace8a56c67427b | |
| parent | Use `hmac.compare_digest` to do a constant-time compare (sasl.scram) (diff) | |
| signature | ||
Move constant-time compare function to utils.security
| -rw-r--r-- | modules/sasl/scram.py | 3 | ||||
| -rw-r--r-- | src/utils/security.py | 7 |
2 files changed, 8 insertions, 2 deletions
diff --git a/modules/sasl/scram.py b/modules/sasl/scram.py index 463843e4..487a2091 100644 --- a/modules/sasl/scram.py +++ b/modules/sasl/scram.py @@ -1,4 +1,5 @@ import base64, enum, hashlib, hmac, os, typing +from src import utils # IANA Hash Function Textual Names # https://tools.ietf.org/html/rfc5802#section-4 @@ -101,7 +102,7 @@ class SCRAM(object): server_key = self._hmac(self._salted_password, b"Server Key") server_signature = self._hmac(server_key, self._auth_message) - if self._constant_time_compare(server_signature, verifier): + if utils.security.constant_time_compare(server_signature, verifier): self.state = SCRAMState.Success return True else: diff --git a/src/utils/security.py b/src/utils/security.py index 266a767a..1c8f2cf4 100644 --- a/src/utils/security.py +++ b/src/utils/security.py @@ -1,4 +1,4 @@ -import socket, ssl +import hmac, socket, ssl, typing def ssl_context(cert: str=None, key: str=None, verify: bool=True ) -> ssl.SSLContext: @@ -21,3 +21,8 @@ def ssl_wrap(sock: socket.socket, cert: str=None, key: str=None, context = ssl_context(cert=cert, key=key, verify=verify) return context.wrap_socket(sock, server_side=server_side, server_hostname=hostname) + +def constant_time_compare( + a: typing.Union[str, bytes], + b: typing.Union[str, bytes]) -> bool: + return hmac.compare_digest(a, b) |