From 1ea998649058f78f63a167dd697cf5f6732596ff Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Tue, 28 Feb 2012 10:55:38 -0500
Subject: Use constant time string comparisons for auth.

Fix bug 942644.

Use constant time string comparisons when doing authentication to help guard against timing attacks.

Change-Id: Iaaefb13f7618b06834630d9ccb97aff056b4bf4c
---
 nova/api/openstack/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nova/api')
diff --git a/nova/api/openstack/auth.py b/nova/api/openstack/auth.py
index 544b101d4..18aaf8378 100644
--- a/nova/api/openstack/auth.py
+++ b/nova/api/openstack/auth.py
@@ -242,7 +242,7 @@ class AuthMiddleware(base_wsgi.Middleware):
 LOG.warn(_("User not found with provided API key."))
 user = None
- if user and user.name == username:
+ if user and utils.strcmp_const_time(user.name, username):
 token_hash = hashlib.sha1('%s%s%f' % (username, key, time.time())).hexdigest()
 token_dict = {}
-- cgit
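Review bot: The constant-time comparison on the changed `if user and ...` line covers only the username, while the API key appears to have been resolved to `user` before the hunk starts (the `LOG.warn` context line mentions a lookup by key). Any timing difference in how the key itself is matched is therefore outside what this change protects, and that lookup is worth checking separately. `utils.strcmp_const_time` is not visible here, so confirm how it treats inputs of different length and of mixed string types (`unicode` vs `str`), since `user.name` and `username` may come from different sources. A short comment above the condition would record the intent, e.g. `# constant-time compare so response timing does not reveal how much of username matched`. The enclosing method begins and ends outside the hunk.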