OpenStack Compute (nova)

  1. Bug #1325128
  2. Comment #20

Comment 20 for bug 1325128

Revision history for this message
Grant Murphy (gmurphy) wrote : Re: nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517)

FWIW Keystone uses a slightly more comprehensive approach than the proposed patch -

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L88

We should probably at least fall back to hmac.compare_digest if it is available.