Comment 7 for bug 1325128
Revision history for this message
| Jeremy Stanley (fungi) wrote Re: nova metadata does not use a constant time compare for validating an HMAC token | #7 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
So it seems there's some consensus that this is not generally exploitable and can instead be fixed in public as a hardening measure?
As for adding a constant time comparison to oslo, are there not already existing Python modules which can provide that so we don't reinvent the wheel (the age old adage of not rolling one's own crypto primitives seems applicable here, even if this isn't strictly a cryptographic matter)?