Conch MAC verification should use cryptography #8199
Comments
This seems like a good idea; on Python 3.6+, we could also use
Maybe related #4536
Replying to Adi Roiban: Yes I think this is a subset of [#4536](#4536) (as is another open PR, for ticket #10086, which is disjoint from this one). I think a lot of the concerns in #4536 disappear with the availability of The PR I submitted for this ticket just covers the couple cases in conch, which are I think more straightforward to resolve than a few of the other sensitive comparisons in Twisted. Hopefully this can chip away at the variety of comparisons mentioned by #4536 until that ticket is easier to resolve.
In changeset 65f382f
Currently verification is done using `==`; this is bad because it is not a constant-time comparison. Cryptography's HMAC objects have a `verify()` method that does the right thing, as well as a general-purpose constant-time comparison, so now that we use Cryptography for the rest of our crypto, we should just use these.
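As an added example (not Twisted's code and not part of the original ticket), the sketch below applies the two tools the ticket names, `HMAC.verify()` and cryptography's general-purpose constant-time comparison, to an SSH-style packet MAC computed over the sequence number and packet. The function names, key and packet bytes are constructed for illustration, HMAC-SHA256 is an assumed algorithm choice, and the truncated-MAC case goes beyond what the ticket discusses.

```python
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import constant_time, hashes, hmac


def _packet_hmac(key, seq, packet):
    """HMAC-SHA256 context over uint32(seq) || packet (RFC 4253, section 6.4)."""
    ctx = hmac.HMAC(key, hashes.SHA256())
    ctx.update(struct.pack(">L", seq) + packet)
    return ctx


def compute_mac(key, seq, packet):
    """Sender side: the MAC bytes appended to the packet."""
    return _packet_hmac(key, seq, packet).finalize()


def verify_mac(key, seq, packet, received_mac):
    """Full-length check. verify() compares in constant time and raises
    InvalidSignature on mismatch, so no `==` on secret-dependent bytes."""
    try:
        _packet_hmac(key, seq, packet).verify(received_mac)
    except InvalidSignature:
        return False
    return True


def verify_truncated_mac(key, seq, packet, received_mac, length):
    """Truncated check (first `length` bytes). verify() expects the full
    digest, so compare the prefix with the constant-time helper instead."""
    if len(received_mac) != length:  # length is public, safe to branch on
        return False
    expected = compute_mac(key, seq, packet)[:length]
    return constant_time.bytes_eq(expected, received_mac)


# Constructed sample values, not taken from any real session.
KEY = b"\x0b" * 32
PACKET = b"\x00\x00\x00\x0c\x0a\x15" + b"\x00" * 10
GOOD_MAC = compute_mac(KEY, 3, PACKET)
TAMPERED_MAC = GOOD_MAC[:-1] + bytes([GOOD_MAC[-1] ^ 0x01])

if __name__ == "__main__":
    print("valid MAC accepted:   ", verify_mac(KEY, 3, PACKET, GOOD_MAC))
    print("tampered MAC accepted:", verify_mac(KEY, 3, PACKET, TAMPERED_MAC))
    print("wrong seq accepted:   ", verify_mac(KEY, 4, PACKET, GOOD_MAC))
```

Both helpers return a plain boolean so the caller can drop the connection on failure without inspecting which byte differed.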