oslo.utils

secretutils.constant_time_compare raise a exception

Bug #1772851 reported by zhouchangxun on 2018-05-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	oslo.utils	Fix Released	Undecided	zhouchangxun

Bug Description

see follow code:

```python
import hmac
from oslo_utils import secretutils

first = hmac.new('foo','hello').digest()
second = hmac.new('foo','world').digest()
print secretutils.constant_time_compare(first, second)
```

HMAC digest value is binary data('str' type in python2.x), not an ascii sequence,
so when using `constant_time_compare` compare two digest normally, it throw an
exception in position `first.encode('utf-8')`.
Exception message like this:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xb7 in position 0: ordinal not in range(128)

I test it in centos 7.1.

Tags:

zhouchangxun (zhouchangxun) on 2018-05-23

Changed in oslo.utils:
assignee:	nobody → zhouchangxun (zhouchangxun)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-23: Fix proposed to oslo.utils (master)

Fix proposed to branch: master
Review: https://review.openstack.org/570151

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-14: Fix merged to oslo.utils (master)

Reviewed: https://review.openstack.org/570151
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=e158c10ccb80963ad8009beedfc1fda4a74628d0
Submitter: Zuul
Branch: master

commit e158c10ccb80963ad8009beedfc1fda4a74628d0
Author: changxun <email address hidden>
Date: Wed May 23 17:13:47 2018 +0800

Fix exception with secretutils

    1. There are some problems about the test method.
     problem 1:
      Unit tests may not cover our function, it depends on the python version
      that performed the test.
     problem 2:
      when using function 'constant_time_compare(first, second)', 'first' and
      'second' params are usually HMAC digest values, it is not appropriate to
      use utf-8 encoded values as mock data.

2. The previous commit `f1d332a` lead into a bug, but due to the problem 1
and the problem 2, we did not find out the error.

Change-Id: I1c29bfe69f8eda60f3c5caaf3e5447dd5b69b108
Closes-Bug: #1772851