Merge branch 'hmac_compare_digest' of https://github.com/delirious-lettuce/onionshare into delirious-lettuce-hmac_compare_digest

Micah Lee 2017-05-30 14:50:19 -07:00
commit cd5d95a75d
GPG key ID: 403C2657CD994F73
2 changed files with 2 additions and 22 deletions


@ -114,26 +114,6 @@ def get_version():
return version
def constant_time_compare(val1, val2):
"""
Returns True if the two strings are equal, False otherwise.
The time taken is independent of the number of characters that match.
For the sake of simplicity, this function executes in constant time only
when the two strings have the same length. It short-circuits when they
have different lengths.
From: http://www.levigross.com/2014/02/07/constant-time-comparison-functions-in...-python-haskell-clojure-and-java/
"""
if len(val1) != len(val2):
return False
result = 0
for x, y in zip(val1, val2):
result |= x ^ y
return result == 0
def random_string(num_bytes, output_len=None):
"""
Returns a random string with a specified number of bytes.


@ -18,7 +18,7 @@ You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from distutils.version import StrictVersion as Version
import queue, mimetypes, platform, os, sys, socket, logging
import queue, mimetypes, platform, os, sys, socket, logging, hmac
from urllib.request import urlopen
from flask import Flask, Response, request, render_template_string, abort, make_response
@ -162,7 +162,7 @@ def check_slug_candidate(slug_candidate, slug_compare = None):
global slug
if not slug_compare:
slug_compare = slug
if not common.constant_time_compare(slug_compare.encode('ascii'), slug_candidate.encode('ascii')):
if not hmac.compare_digest(slug_compare, slug_candidate):
abort(404)
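Review bot: The new `hmac.compare_digest(slug_compare, slug_candidate)` is called on str values (the removed line shows both were being `.encode('ascii')`-ed), and `hmac.compare_digest` raises TypeError when either str contains a non-ASCII character, so a slug_candidate taken from the request path that is not pure ASCII ends the request with an unhandled exception rather than the intended `abort(404)`. The old code had the same failure mode via UnicodeEncodeError, so this is not a regression, but it is the natural place to close it: compare bytes instead, `if not hmac.compare_digest(slug_compare.encode('utf-8'), slug_candidate.encode('utf-8')):`, which returns False for any mismatch, including differing lengths, and keeps the constant-time property for equal-length inputs. A one-line comment such as `# bytes, not str: compare_digest rejects non-ASCII str and would 500 instead of 404` would record why the encoding is kept. check_slug_candidate's signature is only visible in the hunk header and its body continues outside the hunk, so the fallback to the global slug when slug_compare is falsy was not reviewed here.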