Add auth_str_equal() to common utils.

This function provides a constant-time string comparison.  Its primary
use case is for authentication to avoid timing vulnerabilities.  Similar
functions currently exist in keystone, nova, and swift.  The three
diverged in slight ways immediately after going in.  This version comes
from keystone, which I consider the "best" version to promote to
openstack-common.

Change-Id: I39537a21be8a402e34e526466f6b90188344a35d

1 files changed, 24 insertions, 0 deletions

diff --git a/openstack/common/utils.py b/openstack/common/utils.py
index 3a0e6c6..8cc400a 100644
--- a/openstack/common/utils.py
+++ b/openstack/common/utils.py
@@ -207,3 +207,27 @@ def set_time_override(override_time=datetime.datetime.utcnow()):
 def clear_time_override():
     """Remove the overridden time."""
     utcnow.override_time = None
+
+
+def auth_str_equal(provided, known):
+    """Constant-time string comparison.
+
+    :params provided: the first string
+    :params known: the second string
+
+    :return: True if the strings are equal.
+
+    This function takes two strings and compares them.  It is intended to be
+    used when doing a comparison for authentication purposes to help guard
+    against timing attacks.  When using the function for this purpose, always
+    provide the user-provided password as the first argument.  The time this
+    function will take is always a factor of the length of this string.
+    """
+    result = 0
+    p_len = len(provided)
+    k_len = len(known)
+    for i in xrange(p_len):
+        a = ord(provided[i]) if i < p_len else 0
+        b = ord(known[i]) if i < k_len else 0
+        result |= a ^ b
+    return (p_len == k_len) & (result == 0)