Merge pull request #3156 from NotAFile/py3-hmac-bytes

Construct HMAC as bytes on py3
This commit is contained in:
Richard van der Hoff 2018-04-30 00:33:20 +01:00 committed by GitHub
commit 1315d374cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 11 deletions

View File

@ -30,6 +30,8 @@ from hashlib import sha1
import hmac import hmac
import logging import logging
from six import string_types
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -333,11 +335,11 @@ class RegisterRestServlet(ClientV1RestServlet):
def _do_shared_secret(self, request, register_json, session): def _do_shared_secret(self, request, register_json, session):
yield run_on_reactor() yield run_on_reactor()
if not isinstance(register_json.get("mac", None), basestring): if not isinstance(register_json.get("mac", None), string_types):
raise SynapseError(400, "Expected mac.") raise SynapseError(400, "Expected mac.")
if not isinstance(register_json.get("user", None), basestring): if not isinstance(register_json.get("user", None), string_types):
raise SynapseError(400, "Expected 'user' key.") raise SynapseError(400, "Expected 'user' key.")
if not isinstance(register_json.get("password", None), basestring): if not isinstance(register_json.get("password", None), string_types):
raise SynapseError(400, "Expected 'password' key.") raise SynapseError(400, "Expected 'password' key.")
if not self.hs.config.registration_shared_secret: if not self.hs.config.registration_shared_secret:
@ -358,14 +360,14 @@ class RegisterRestServlet(ClientV1RestServlet):
got_mac = str(register_json["mac"]) got_mac = str(register_json["mac"])
want_mac = hmac.new( want_mac = hmac.new(
key=self.hs.config.registration_shared_secret, key=self.hs.config.registration_shared_secret.encode(),
digestmod=sha1, digestmod=sha1,
) )
want_mac.update(user) want_mac.update(user)
want_mac.update("\x00") want_mac.update(b"\x00")
want_mac.update(password) want_mac.update(password)
want_mac.update("\x00") want_mac.update(b"\x00")
want_mac.update("admin" if admin else "notadmin") want_mac.update(b"admin" if admin else b"notadmin")
want_mac = want_mac.hexdigest() want_mac = want_mac.hexdigest()
if compare_digest(want_mac, got_mac): if compare_digest(want_mac, got_mac):

View File

@ -35,6 +35,8 @@ from hashlib import sha1
from synapse.util.async import run_on_reactor from synapse.util.async import run_on_reactor
from synapse.util.ratelimitutils import FederationRateLimiter from synapse.util.ratelimitutils import FederationRateLimiter
from six import string_types
# We ought to be using hmac.compare_digest() but on older pythons it doesn't # We ought to be using hmac.compare_digest() but on older pythons it doesn't
# exist. It's a _really minor_ security flaw to use plain string comparison # exist. It's a _really minor_ security flaw to use plain string comparison
@ -210,14 +212,14 @@ class RegisterRestServlet(RestServlet):
# in sessions. Pull out the username/password provided to us. # in sessions. Pull out the username/password provided to us.
desired_password = None desired_password = None
if 'password' in body: if 'password' in body:
if (not isinstance(body['password'], basestring) or if (not isinstance(body['password'], string_types) or
len(body['password']) > 512): len(body['password']) > 512):
raise SynapseError(400, "Invalid password") raise SynapseError(400, "Invalid password")
desired_password = body["password"] desired_password = body["password"]
desired_username = None desired_username = None
if 'username' in body: if 'username' in body:
if (not isinstance(body['username'], basestring) or if (not isinstance(body['username'], string_types) or
len(body['username']) > 512): len(body['username']) > 512):
raise SynapseError(400, "Invalid username") raise SynapseError(400, "Invalid username")
desired_username = body['username'] desired_username = body['username']
@ -243,7 +245,7 @@ class RegisterRestServlet(RestServlet):
access_token = get_access_token_from_request(request) access_token = get_access_token_from_request(request)
if isinstance(desired_username, basestring): if isinstance(desired_username, string_types):
result = yield self._do_appservice_registration( result = yield self._do_appservice_registration(
desired_username, access_token, body desired_username, access_token, body
) )
@ -464,7 +466,7 @@ class RegisterRestServlet(RestServlet):
# includes the password and admin flag in the hashed text. Why are # includes the password and admin flag in the hashed text. Why are
# these different? # these different?
want_mac = hmac.new( want_mac = hmac.new(
key=self.hs.config.registration_shared_secret, key=self.hs.config.registration_shared_secret.encode(),
msg=user, msg=user,
digestmod=sha1, digestmod=sha1,
).hexdigest() ).hexdigest()