[Git][NTPsec/ntpsec][master] plyib: also support == for packet hash check ...
Eric S. Raymond
gitlab at mg.gitlab.com
Thu Sep 3 09:27:30 UTC 2020
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
68f46247 by James Browning at 2020-09-02T23:32:39-07:00
plyib: also support == for packet hash check ...
Python 2.7.7 and 3.3 support hmac.compare_digest otherwise ==
the hmac function runs in slower but (in theory) immune to timing attacks
probably not practical when len and contents available to the machine
- - - - -
1 changed file:
- pylib/packet.py
Changes:
=====================================
pylib/packet.py
=====================================
@@ -1765,6 +1765,10 @@ class Authenticator:
ntp.poly.polybytes(passwd), keytype)
if not mac2:
return False
- return hmac.compare_digest(mac, mac2)
+ # typically prefered to avoid timing attacks client-side (in theory)
+ try:
+ return hmac.compare_digest(mac, mac2) # supported 2.7.7+ and 3.3+
+ except AttributeError:
+ return mac == mac2 # solves issue #666
# end
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/68f46247045ee38d1e12d76a2c4977fe45deaca3
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/68f46247045ee38d1e12d76a2c4977fe45deaca3
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20200903/9e799f8c/attachment-0001.htm>
More information about the vc
mailing list