Skip to content

Commit 12efd78

Browse files
Carl Howellslillialexis
Carl Howells
authored and
lillialexis
committed
Fix timing attack against signature comparison
1 parent ce4630f commit 12efd78

File tree

2 files changed

+11
-1
lines changed

2 files changed

+11
-1
lines changed

openid/association.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -532,7 +532,7 @@ def checkMessageSignature(self, message):
532532
if not message_sig:
533533
raise ValueError("%s has no sig." % (message,))
534534
calculated_sig = self.getMessageSignature(message)
535-
return calculated_sig == message_sig
535+
return cryptutil.const_eq(calculated_sig, message_sig)
536536

537537

538538
def _makePairs(self, message):

openid/cryptutil.py

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -218,3 +218,13 @@ def randomString(length, chrs=None):
218218
else:
219219
n = len(chrs)
220220
return ''.join([chrs[randrange(n)] for _ in xrange(length)])
221+
222+
def const_eq(s1, s2):
223+
if len(s1) != len(s2):
224+
return False
225+
226+
result = True
227+
for i in range(len(s1)):
228+
result = result and (s1[i] == s2[i])
229+
230+
return result

0 commit comments

Comments
 (0)