From 9d7aeff7b19aabacecdb42d86af15bdb45e01e20 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Fri, 14 Feb 2014 11:52:00 -0800 Subject: [PATCH 1/2] Use constant time hash comparisons for improved security. See e.g. http://codahale.com/a-lesson-in-timing-attacks/ Mega thanks to Alex Gaynor for the original patch. --- paramiko/hostkeys.py | 4 ++-- paramiko/packet.py | 2 +- paramiko/util.py | 9 +++++++++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/paramiko/hostkeys.py b/paramiko/hostkeys.py index f967a3d..c34b173 100644 --- a/paramiko/hostkeys.py +++ b/paramiko/hostkeys.py @@ -28,7 +28,7 @@ import UserDict from paramiko.common import * from paramiko.dsskey import DSSKey from paramiko.rsakey import RSAKey -from paramiko.util import get_logger +from paramiko.util import get_logger, constant_time_bytes_eq class InvalidHostKey(Exception): @@ -243,7 +243,7 @@ class HostKeys (UserDict.DictMixin): entries = [] for e in self._entries: for h in e.hostnames: - if (h.startswith('|1|') and (self.hash_host(hostname, h) == h)) or (h == hostname): + if h.startswith('|1|') and constant_time_bytes_eq(self.hash_host(hostname, h), h) or h == hostname: entries.append(e) if len(entries) == 0: return None diff --git a/paramiko/packet.py b/paramiko/packet.py index 3f85d66..dce4383 100644 --- a/paramiko/packet.py +++ b/paramiko/packet.py @@ -358,7 +358,7 @@ class Packetizer (object): mac = post_packet[:self.__mac_size_in] mac_payload = struct.pack('>II', self.__sequence_number_in, packet_size) + packet my_mac = compute_hmac(self.__mac_key_in, mac_payload, self.__mac_engine_in)[:self.__mac_size_in] - if my_mac != mac: + if not util.constant_time_bytes_eq(my_mac, mac): raise SSHException('Mismatched MAC') padding = ord(packet[0]) payload = packet[1:packet_size - padding] diff --git a/paramiko/util.py b/paramiko/util.py index 85ee6b0..9db512d 100644 --- a/paramiko/util.py +++ b/paramiko/util.py @@ -309,3 +309,12 @@ class Counter (object): def new(cls, nbits, initial_value=1L, overflow=0L): return cls(nbits, initial_value=initial_value, overflow=overflow) new = classmethod(new) + + +def constant_time_bytes_eq(a, b): + if len(a) != len(b): + return False + res = 0 + for i in xrange(len(a)): + res |= ord(a[i]) ^ ord(b[i]) + return res == 0 From 30518280f1356465f0acfdb4816843b61303a633 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Fri, 14 Feb 2014 11:53:42 -0800 Subject: [PATCH 2/2] Changelog re hash comparison bugfix --- sites/www/changelog.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index c26b996..fa58c5f 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,10 @@ Changelog ========= +* :bug:`-` Use constant-time hash comparison operations where possible, to + protect against `timing-based attacks + `_. Thanks to Alex Gaynor + for the patch. * :release:`1.10.6 <2014-02-14>` * :bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some SFTP servers regarding request/response ordering. Thanks to Richard