secretutils.constant_time_compare raises an exception

Bug #1772851 reported by zhouchangxun on 2018-05-23
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| oslo.utils | | Undecided | zhouchangxun | |

Bug Description

See the following code:

```python
import hashlib
import hmac
from oslo_utils import secretutils

# HMAC digests are raw bytes, not ASCII text.
first = hmac.new(b'foo', b'hello', hashlib.sha256).digest()
second = hmac.new(b'foo', b'world', hashlib.sha256).digest()
print(secretutils.constant_time_compare(first, second))
```

An HMAC digest value is binary data (`str` type in Python 2.x), not an ASCII sequence,
so when `constant_time_compare` is used to compare two digests normally, it throws an
exception at `first.encode('utf-8')`.
The exception message looks like this:

```
UnicodeDecodeError: 'ascii' codec can't decode byte 0xb7 in position 0: ordinal not in range(128)
```

I tested it on CentOS 7.1.
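As an added example (not the reporter's code and not the oslo.utils implementation): a `constant_time_compare` that normalises each operand to bytes before delegating to `hmac.compare_digest`, so raw HMAC digests, which usually contain non-ASCII bytes, are never pushed through `.encode('utf-8')`. The function name mirrors the oslo.utils helper, but the body is hypothetical; the key and messages are constructed sample data.

```python
import hashlib
import hmac


def _to_bytes(value):
    """Return value as bytes without re-encoding data that is already binary.

    Text is UTF-8 encoded; bytes (such as a raw HMAC digest) pass through
    untouched.  Calling .encode('utf-8') on a digest is the failure the bug
    report describes: Python 2 first tried to decode the bytes as ASCII and
    failed on the first byte >= 0x80.
    """
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    raise TypeError("expected bytes or str, got %s" % type(value).__name__)


def constant_time_compare(first, second):
    """Compare two values in time that does not depend on where they differ.

    Hypothetical implementation sharing the oslo.utils name, not the library's
    own code.  hmac.compare_digest does the constant-time work; this wrapper
    only guarantees both operands are bytes so digests and text can be mixed
    without an encode/decode error or a str-vs-bytes TypeError.
    """
    return hmac.compare_digest(_to_bytes(first), _to_bytes(second))


def demo():
    """Exercise the bug report's scenario with raw (non-ASCII) HMAC digests."""
    key = b"foo"  # constructed sample key
    first = hmac.new(key, b"hello", hashlib.sha256).digest()
    second = hmac.new(key, b"world", hashlib.sha256).digest()
    same = hmac.new(key, b"hello", hashlib.sha256).digest()
    return {
        "different_digests_equal": constant_time_compare(first, second),
        "same_digests_equal": constant_time_compare(first, same),
        "text_vs_bytes_equal": constant_time_compare("token", b"token"),
        "text_mismatch_equal": constant_time_compare("token", "tokem"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-25s %s" % (name, result))
```

When writing unit tests for a helper like this, use real digest output as the mock data rather than UTF-8 text: text-only fixtures never reach the bytes branch, which is how an encode call on binary input can go unnoticed.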

Changed in oslo.utils:
assignee: nobody → zhouchangxun (zhouchangxun)
status: New → In Progress

Reviewed: https://review.openstack.org/570151
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=e158c10ccb80963ad8009beedfc1fda4a74628d0
Submitter: Zuul
Branch: master

commit e158c10ccb80963ad8009beedfc1fda4a74628d0
Author: changxun <email address hidden>
Date: Wed May 23 17:13:47 2018 +0800

    Fix exception with secretutils

    1. There are some problems with the test method.
     problem 1:
      Unit tests may not cover our function; it depends on the Python version
      that performed the test.
     problem 2:
      When using the function 'constant_time_compare(first, second)', the 'first'
      and 'second' params are usually HMAC digest values, so it is not appropriate
      to use utf-8 encoded values as mock data.

    2. The previous commit `f1d332a` introduced a bug, but due to problem 1
       and problem 2, we did not find the error.

    Change-Id: I1c29bfe69f8eda60f3c5caaf3e5447dd5b69b108
    Closes-Bug: #1772851

Changed in oslo.utils:
status: In Progress → Fix Released

This issue was fixed in the openstack/oslo.utils 3.36.3 release.
