Git-Mirrors/onionshare
1
0
Fork 0
mirror of https://github.com/onionshare/onionshare.git synced 2025-01-12 15:59:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Use constant-time string comparison (fixes #3)

Browse Source 
Note: this isn't 100% constant-time, as can be seen here:

http://bugs.python.org/issue15061

Specifically: "Note that it takes different time to create a result of ord() depending whether it's <=100 or > 100 due to caching of small numbers."
This commit is contained in:
Andrew 2014-05-21 15:30:26 -07:00
parent a12dd0c4a9
commit 70a64b6b1a
1 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
onionshare.py
View File

@ -15,18 +15,21 @@ app = Flask(__name__)
auth_username = auth_password = filename = filehash = filesize = '' auth_username = auth_password = filename = filehash = filesize = ''
def check_auth(username, password): def is_equal(a, b):
global auth_username, auth_password """Constant-time string comparison"""
if len(a) != len(b):
if len(username) != 16 or len(password) != 16:
return False return False
# constant time string comparison, to prevent timing attacks result = 0
valid = True for x, y in zip(a, b):
for i in range(16): result |= ord(x) ^ ord(y)
if username[i] != auth_username[i] or password[i] != auth_password[i]: return result == 0
valid = False
return valid def check_auth(username, password):
global auth_username, auth_password
usernames_equal = is_equal(username, auth_username)
passwords_equal = is_equal(password, auth_password)
return usernames_equal & passwords_equal
def authenticate(): def authenticate():
return Response( return Response(