Use constant time string comparisons for auth.

Fix bug 942644. Use constant time string comparisons when doing authentication to help guard against timing attacks. Change-Id: Iaaefb13f7618b06834630d9ccb97aff056b4bf4c
author: Russell Bryant <rbryant@redhat.com> 2012-02-28 10:55:38 -0500
committer: Russell Bryant <rbryant@redhat.com> 2012-02-28 14:56:44 -0500
commit: 1ea998649058f78f63a167dd697cf5f6732596ff (patch)
tree: 83c7192fbf7cda3efc1442ae46a88c2c6dbfda45 /nova/api
parent: f9d23c69e25a2ce5e8c3a37d1e771d02c43cbfb5 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/nova/api/openstack/auth.py b/nova/api/openstack/auth.py
index 544b101d4..18aaf8378 100644
--- a/nova/api/openstack/auth.py
+++ b/nova/api/openstack/auth.py
@@ -242,7 +242,7 @@ class AuthMiddleware(base_wsgi.Middleware):
             LOG.warn(_("User not found with provided API key."))
             user = None
 
-        if user and user.name == username:
+        if user and utils.strcmp_const_time(user.name, username):
             token_hash = hashlib.sha1('%s%s%f' % (username, key,
                 time.time())).hexdigest()
             token_dict = {}
author	Russell Bryant <rbryant@redhat.com>	2012-02-28 10:55:38 -0500
committer	Russell Bryant <rbryant@redhat.com>	2012-02-28 14:56:44 -0500
commit	1ea998649058f78f63a167dd697cf5f6732596ff (patch)
tree	83c7192fbf7cda3efc1442ae46a88c2c6dbfda45 /nova/api
parent	f9d23c69e25a2ce5e8c3a37d1e771d02c43cbfb5 (diff)