nova updated
parent
6af601c156
commit
802d57fd9e
@ -0,0 +1,100 @@
From 3dd2cb0452b63d5de04606d79bbbf41a4e50a42a Mon Sep 17 00:00:00 2001
From: Grant Murphy <gmurphy@redhat.com>
Date: Tue, 8 Jul 2014 03:35:40 +0000
Subject: [PATCH 1/1] Avoid possible timing attack in metadata api
Introduce a constant time comparison function to
nova utils for comparing authentication tokens.
Original code taken from:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L86
Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
Closes-bug: #1325128
---
nova/api/metadata/handler.py | 3 ++-
nova/tests/test_utils.py | 7 +++++++
nova/utils.py | 27 +++++++++++++++++++++++++++
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
index a14db67..be866ef 100644
--- a/nova/api/metadata/handler.py
+++ b/nova/api/metadata/handler.py
@@ -30,6 +30,7 @@ from nova import exception
from nova.openstack.common.gettextutils import _
from nova.openstack.common import log as logging
from nova.openstack.common import memorycache
+from nova import utils
from nova import wsgi
CACHE_EXPIRATION = 15 # in seconds
@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
instance_id,
hashlib.sha256).hexdigest()
- if expected_signature != signature:
+ if not utils.constant_time_compare(expected_signature, signature):
if instance_id:
LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
'match the expected value: %(expected_signature)s '
diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
index 59d08fd..c2969a6 100644
--- a/nova/tests/test_utils.py
+++ b/nova/tests/test_utils.py
@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
def test_convert_version_to_tuple(self):
self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
+
+
+class ConstantTimeCompareTestCase(test.NoDBTestCase):
+ def test_constant_time_compare(self):
+ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
+ self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
+ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
diff --git a/nova/utils.py b/nova/utils.py
index 0c3ee94..7dfa0cc 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -21,6 +21,7 @@ import contextlib
import datetime
import functools
import hashlib
+import hmac
import inspect
import multiprocessing
import os
@@ -1170,3 +1171,29 @@ def cpu_count():
return multiprocessing.cpu_count()
except NotImplementedError:
return 1
+
+
+# NOTE(gm) Constant time comparison taken from keystone. This is a
+# candidate for inclusion in oslo.
+#
+# Original code: master/keystoneclient/middleware/memcache_crypt.py#L86
+if sys.version_info >= (3, 3):
+ constant_time_compare = hmac.compare_digest
+else:
+ def constant_time_compare(first, second):
+ """Returns True if both string inputs are equal, otherwise False.
+
+ This function should take a constant amount of time regardless of
+ how many characters in the strings match.
+
+ """
+ if len(first) != len(second):
+ return False
+ result = 0
+ if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes):
+ for x, y in zip(first, second):
+ result |= x ^ y
+ else:
+ for x, y in zip(first, second):
+ result |= ord(x) ^ ord(y)
+ return result == 0
--
1.9.3
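Review bot: In the handler.py hunk, `signature` is passed to `utils.constant_time_compare(expected_signature, signature)` without a None check; if the X-Instance-ID-Signature header can be absent (the line that reads it is outside the hunk, so this is inferred), the Python 2 fallback reaches `len(None)` and raises TypeError, whereas the replaced `!=` test took the rejection branch. A missing header should still be a clean rejection, e.g. `if signature is None or not utils.constant_time_compare(expected_signature, signature):`. The same class of failure exists on the `hmac.compare_digest` path in utils.py, which raises TypeError instead of returning False when the two arguments are of different types or a str contains non-ASCII characters, so normalising the header value to one known type before the compare deserves a comment there. Separately, the `six.PY3` branch inside the `else:` in utils.py is only reachable on Python 3.0–3.2, because 3.3+ takes `hmac.compare_digest`; a one-line comment such as `# only reached on Python < 3.3` would spare the next reader the question. The enclosing method in handler.py starts and ends outside the hunk.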
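--- a/sys-cluster/nova/nova-2014.1.1-r1.ebuild
+++ b/sys-cluster/nova/nova-2014.1.1-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1.ebuild,v 1.2 2014/07/06 12:57:19 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1-r1.ebuild,v 1.1 2014/07/17 07:06:48 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -75,6 +75,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
 app-emulation/xen-tools )"
 
 PATCHES=(
+"${FILESDIR}/nova-2014.1.1-CVE-2014-3517.patch"
 )
 
 pkg_setup() {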