|
|
ae2451 |
|
|
|
ae2451 |
# HG changeset patch
|
|
|
ae2451 |
# User Benjamin Peterson <benjamin@python.org>
|
|
|
ae2451 |
# Date 1399849904 25200
|
|
|
ae2451 |
# Node ID b40f1a00b13460cc089450028280c4e52dd24a64
|
|
|
ae2451 |
# Parent 951775c68b1b7782750c213b0fce1f61d46b2f51
|
|
|
ae2451 |
backport hmac.compare_digest to partially implement PEP 466 (closes #21306)
|
|
|
ae2451 |
|
|
|
ae2451 |
Backport from Alex Gaynor.
|
|
|
ae2451 |
|
|
|
ae2451 |
diff --git a/Doc/library/hmac.rst b/Doc/library/hmac.rst
|
|
|
ae2451 |
--- a/Doc/library/hmac.rst
|
|
|
ae2451 |
+++ b/Doc/library/hmac.rst
|
|
|
ae2451 |
@@ -38,6 +38,13 @@ An HMAC object has the following methods
|
|
|
ae2451 |
This string will be the same length as the *digest_size* of the digest given to
|
|
|
ae2451 |
the constructor. It may contain non-ASCII characters, including NUL bytes.
|
|
|
ae2451 |
|
|
|
ae2451 |
+ .. warning::
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ When comparing the output of :meth:`digest` to an externally-supplied
|
|
|
ae2451 |
+ digest during a verification routine, it is recommended to use the
|
|
|
ae2451 |
+ :func:`compare_digest` function instead of the ``==`` operator
|
|
|
ae2451 |
+ to reduce the vulnerability to timing attacks.
|
|
|
ae2451 |
+
|
|
|
ae2451 |
|
|
|
ae2451 |
.. method:: HMAC.hexdigest()
|
|
|
ae2451 |
|
|
|
ae2451 |
@@ -45,6 +52,13 @@ An HMAC object has the following methods
|
|
|
ae2451 |
containing only hexadecimal digits. This may be used to exchange the value
|
|
|
ae2451 |
safely in email or other non-binary environments.
|
|
|
ae2451 |
|
|
|
ae2451 |
+ .. warning::
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ When comparing the output of :meth:`hexdigest` to an externally-supplied
|
|
|
ae2451 |
+ digest during a verification routine, it is recommended to use the
|
|
|
ae2451 |
+ :func:`compare_digest` function instead of the ``==`` operator
|
|
|
ae2451 |
+ to reduce the vulnerability to timing attacks.
|
|
|
ae2451 |
+
|
|
|
ae2451 |
|
|
|
ae2451 |
.. method:: HMAC.copy()
|
|
|
ae2451 |
|
|
|
ae2451 |
@@ -52,6 +66,25 @@ An HMAC object has the following methods
|
|
|
ae2451 |
compute the digests of strings that share a common initial substring.
|
|
|
ae2451 |
|
|
|
ae2451 |
|
|
|
ae2451 |
+This module also provides the following helper function:
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+.. function:: compare_digest(a, b)
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ Return ``a == b``. This function uses an approach designed to prevent
|
|
|
ae2451 |
+ timing analysis by avoiding content-based short circuiting behaviour,
|
|
|
ae2451 |
+ making it appropriate for cryptography. *a* and *b* must both be of the
|
|
|
ae2451 |
+ same type: either :class:`unicode` or a :term:`bytes-like object`.
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ .. note::
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ If *a* and *b* are of different lengths, or if an error occurs,
|
|
|
ae2451 |
+ a timing attack could theoretically reveal information about the
|
|
|
ae2451 |
+ types and lengths of *a* and *b*--but not their values.
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ .. versionadded:: 2.7.7
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
.. seealso::
|
|
|
ae2451 |
|
|
|
ae2451 |
Module :mod:`hashlib`
|
|
|
ae2451 |
diff --git a/Lib/hmac.py b/Lib/hmac.py
|
|
|
ae2451 |
--- a/Lib/hmac.py
|
|
|
ae2451 |
+++ b/Lib/hmac.py
|
|
|
ae2451 |
@@ -5,6 +5,9 @@ Implements the HMAC algorithm as describ
|
|
|
ae2451 |
|
|
|
ae2451 |
import warnings as _warnings
|
|
|
ae2451 |
|
|
|
ae2451 |
+from operator import _compare_digest as compare_digest
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
trans_5C = "".join ([chr (x ^ 0x5C) for x in xrange(256)])
|
|
|
ae2451 |
trans_36 = "".join ([chr (x ^ 0x36) for x in xrange(256)])
|
|
|
ae2451 |
|
|
|
ae2451 |
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
|
|
|
ae2451 |
--- a/Lib/test/test_hmac.py
|
|
|
ae2451 |
+++ b/Lib/test/test_hmac.py
|
|
|
ae2451 |
@@ -302,12 +302,122 @@ class CopyTestCase(unittest.TestCase):
|
|
|
ae2451 |
self.assertTrue(h1.hexdigest() == h2.hexdigest(),
|
|
|
ae2451 |
"Hexdigest of copy doesn't match original hexdigest.")
|
|
|
ae2451 |
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+class CompareDigestTestCase(unittest.TestCase):
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ def test_compare_digest(self):
|
|
|
ae2451 |
+ # Testing input type exception handling
|
|
|
ae2451 |
+ a, b = 100, 200
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = 100, b"foobar"
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = b"foobar", 200
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = u"foobar", b"foobar"
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = b"foobar", u"foobar"
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytes of different lengths
|
|
|
ae2451 |
+ a, b = b"foobar", b"foo"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = b"\xde\xad\xbe\xef", b"\xde\xad"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytes of same lengths, different values
|
|
|
ae2451 |
+ a, b = b"foobar", b"foobaz"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = b"\xde\xad\xbe\xef", b"\xab\xad\x1d\xea"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytes of same lengths, same values
|
|
|
ae2451 |
+ a, b = b"foobar", b"foobar"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = b"\xde\xad\xbe\xef", b"\xde\xad\xbe\xef"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytearrays of same lengths, same values
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), bytearray(b"foobar")
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytearrays of diffeent lengths
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), bytearray(b"foo")
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytearrays of same lengths, different values
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), bytearray(b"foobaz")
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing byte and bytearray of same lengths, same values
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), b"foobar"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(b, a))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing byte bytearray of diffeent lengths
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), b"foo"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(b, a))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing byte and bytearray of same lengths, different values
|
|
|
ae2451 |
+ a, b = bytearray(b"foobar"), b"foobaz"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(b, a))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing str of same lengths
|
|
|
ae2451 |
+ a, b = "foobar", "foobar"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing str of diffeent lengths
|
|
|
ae2451 |
+ a, b = "foo", "foobar"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing bytes of same lengths, different values
|
|
|
ae2451 |
+ a, b = "foobar", "foobaz"
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # Testing error cases
|
|
|
ae2451 |
+ a, b = u"foobar", b"foobar"
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = b"foobar", u"foobar"
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = b"foobar", 1
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = 100, 200
|
|
|
ae2451 |
+ self.assertRaises(TypeError, hmac.compare_digest, a, b)
|
|
|
ae2451 |
+ a, b = "fooä", "fooä"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # subclasses are supported by ignore __eq__
|
|
|
ae2451 |
+ class mystr(str):
|
|
|
ae2451 |
+ def __eq__(self, other):
|
|
|
ae2451 |
+ return False
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ a, b = mystr("foobar"), mystr("foobar")
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = mystr("foobar"), "foobar"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = mystr("foobar"), mystr("foobaz")
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ class mybytes(bytes):
|
|
|
ae2451 |
+ def __eq__(self, other):
|
|
|
ae2451 |
+ return False
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ a, b = mybytes(b"foobar"), mybytes(b"foobar")
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = mybytes(b"foobar"), b"foobar"
|
|
|
ae2451 |
+ self.assertTrue(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+ a, b = mybytes(b"foobar"), mybytes(b"foobaz")
|
|
|
ae2451 |
+ self.assertFalse(hmac.compare_digest(a, b))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
def test_main():
|
|
|
ae2451 |
test_support.run_unittest(
|
|
|
ae2451 |
TestVectorsTestCase,
|
|
|
ae2451 |
ConstructorTestCase,
|
|
|
ae2451 |
SanityTestCase,
|
|
|
ae2451 |
- CopyTestCase
|
|
|
ae2451 |
+ CopyTestCase,
|
|
|
ae2451 |
+ CompareDigestTestCase,
|
|
|
ae2451 |
)
|
|
|
ae2451 |
|
|
|
ae2451 |
if __name__ == "__main__":
|
|
|
ae2451 |
diff --git a/Modules/operator.c b/Modules/operator.c
|
|
|
ae2451 |
--- a/Modules/operator.c
|
|
|
ae2451 |
+++ b/Modules/operator.c
|
|
|
ae2451 |
@@ -235,6 +235,132 @@ op_delslice(PyObject *s, PyObject *a)
|
|
|
ae2451 |
#define spam2o(OP,ALTOP,DOC) {#OP, op_##OP, METH_O, PyDoc_STR(DOC)}, \
|
|
|
ae2451 |
{#ALTOP, op_##OP, METH_O, PyDoc_STR(DOC)},
|
|
|
ae2451 |
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+/* compare_digest **********************************************************/
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+/*
|
|
|
ae2451 |
+ * timing safe compare
|
|
|
ae2451 |
+ *
|
|
|
ae2451 |
+ * Returns 1 of the strings are equal.
|
|
|
ae2451 |
+ * In case of len(a) != len(b) the function tries to keep the timing
|
|
|
ae2451 |
+ * dependent on the length of b. CPU cache locally may still alter timing
|
|
|
ae2451 |
+ * a bit.
|
|
|
ae2451 |
+ */
|
|
|
ae2451 |
+static int
|
|
|
ae2451 |
+_tscmp(const unsigned char *a, const unsigned char *b,
|
|
|
ae2451 |
+ Py_ssize_t len_a, Py_ssize_t len_b)
|
|
|
ae2451 |
+{
|
|
|
ae2451 |
+ /* The volatile type declarations make sure that the compiler has no
|
|
|
ae2451 |
+ * chance to optimize and fold the code in any way that may change
|
|
|
ae2451 |
+ * the timing.
|
|
|
ae2451 |
+ */
|
|
|
ae2451 |
+ volatile Py_ssize_t length;
|
|
|
ae2451 |
+ volatile const unsigned char *left;
|
|
|
ae2451 |
+ volatile const unsigned char *right;
|
|
|
ae2451 |
+ Py_ssize_t i;
|
|
|
ae2451 |
+ unsigned char result;
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ /* loop count depends on length of b */
|
|
|
ae2451 |
+ length = len_b;
|
|
|
ae2451 |
+ left = NULL;
|
|
|
ae2451 |
+ right = b;
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ /* don't use else here to keep the amount of CPU instructions constant,
|
|
|
ae2451 |
+ * volatile forces re-evaluation
|
|
|
ae2451 |
+ * */
|
|
|
ae2451 |
+ if (len_a == length) {
|
|
|
ae2451 |
+ left = *((volatile const unsigned char**)&a);
|
|
|
ae2451 |
+ result = 0;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+ if (len_a != length) {
|
|
|
ae2451 |
+ left = b;
|
|
|
ae2451 |
+ result = 1;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ for (i=0; i < length; i++) {
|
|
|
ae2451 |
+ result |= *left++ ^ *right++;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ return (result == 0);
|
|
|
ae2451 |
+}
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+PyDoc_STRVAR(compare_digest__doc__,
|
|
|
ae2451 |
+"compare_digest(a, b) -> bool\n"
|
|
|
ae2451 |
+"\n"
|
|
|
ae2451 |
+"Return 'a == b'. This function uses an approach designed to prevent\n"
|
|
|
ae2451 |
+"timing analysis, making it appropriate for cryptography.\n"
|
|
|
ae2451 |
+"a and b must both be of the same type: either str (ASCII only),\n"
|
|
|
ae2451 |
+"or any type that supports the buffer protocol (e.g. bytes).\n"
|
|
|
ae2451 |
+"\n"
|
|
|
ae2451 |
+"Note: If a and b are of different lengths, or if an error occurs,\n"
|
|
|
ae2451 |
+"a timing attack could theoretically reveal information about the\n"
|
|
|
ae2451 |
+"types and lengths of a and b--but not their values.\n");
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+static PyObject*
|
|
|
ae2451 |
+compare_digest(PyObject *self, PyObject *args)
|
|
|
ae2451 |
+{
|
|
|
ae2451 |
+ PyObject *a, *b;
|
|
|
ae2451 |
+ int rc;
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ if (!PyArg_ParseTuple(args, "OO:compare_digest", &a, &b)) {
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ /* Unicode string */
|
|
|
ae2451 |
+ if (PyUnicode_Check(a) && PyUnicode_Check(b)) {
|
|
|
ae2451 |
+ rc = _tscmp(PyUnicode_AS_DATA(a),
|
|
|
ae2451 |
+ PyUnicode_AS_DATA(b),
|
|
|
ae2451 |
+ PyUnicode_GET_DATA_SIZE(a),
|
|
|
ae2451 |
+ PyUnicode_GET_DATA_SIZE(b));
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+ /* fallback to buffer interface for bytes, bytesarray and other */
|
|
|
ae2451 |
+ else {
|
|
|
ae2451 |
+ Py_buffer view_a;
|
|
|
ae2451 |
+ Py_buffer view_b;
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ if ((PyObject_CheckBuffer(a) == 0) & (PyObject_CheckBuffer(b) == 0)) {
|
|
|
ae2451 |
+ PyErr_Format(PyExc_TypeError,
|
|
|
ae2451 |
+ "unsupported operand types(s) or combination of types: "
|
|
|
ae2451 |
+ "'%.100s' and '%.100s'",
|
|
|
ae2451 |
+ Py_TYPE(a)->tp_name, Py_TYPE(b)->tp_name);
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ if (PyObject_GetBuffer(a, &view_a, PyBUF_SIMPLE) == -1) {
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+ if (view_a.ndim > 1) {
|
|
|
ae2451 |
+ PyErr_SetString(PyExc_BufferError,
|
|
|
ae2451 |
+ "Buffer must be single dimension");
|
|
|
ae2451 |
+ PyBuffer_Release(&view_a);
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ if (PyObject_GetBuffer(b, &view_b, PyBUF_SIMPLE) == -1) {
|
|
|
ae2451 |
+ PyBuffer_Release(&view_a);
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+ if (view_b.ndim > 1) {
|
|
|
ae2451 |
+ PyErr_SetString(PyExc_BufferError,
|
|
|
ae2451 |
+ "Buffer must be single dimension");
|
|
|
ae2451 |
+ PyBuffer_Release(&view_a);
|
|
|
ae2451 |
+ PyBuffer_Release(&view_b);
|
|
|
ae2451 |
+ return NULL;
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ rc = _tscmp((const unsigned char*)view_a.buf,
|
|
|
ae2451 |
+ (const unsigned char*)view_b.buf,
|
|
|
ae2451 |
+ view_a.len,
|
|
|
ae2451 |
+ view_b.len);
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ PyBuffer_Release(&view_a);
|
|
|
ae2451 |
+ PyBuffer_Release(&view_b);
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ return PyBool_FromLong(rc);
|
|
|
ae2451 |
+}
|
|
|
ae2451 |
+
|
|
|
ae2451 |
static struct PyMethodDef operator_methods[] = {
|
|
|
ae2451 |
|
|
|
ae2451 |
spam1o(isCallable,
|
|
|
ae2451 |
@@ -318,6 +444,8 @@ spam2(ne,__ne__, "ne(a, b) -- Same as a!
|
|
|
ae2451 |
spam2(gt,__gt__, "gt(a, b) -- Same as a>b.")
|
|
|
ae2451 |
spam2(ge,__ge__, "ge(a, b) -- Same as a>=b.")
|
|
|
ae2451 |
|
|
|
ae2451 |
+ {"_compare_digest", (PyCFunction)compare_digest, METH_VARARGS,
|
|
|
ae2451 |
+ compare_digest__doc__},
|
|
|
ae2451 |
{NULL, NULL} /* sentinel */
|
|
|
ae2451 |
|
|
|
ae2451 |
};
|
|
|
ae2451 |
|