mirror of
https://github.com/borgbackup/borg.git
synced 2024-12-25 01:06:50 +00:00
use hmac.compare_digest instead of == operator
this is available in python 3.3+
This commit is contained in:
parent
9fa18c9ee9
commit
2cc0225527
1 changed files with 9 additions and 5 deletions
14
borg/key.py
14
borg/key.py
|
@ -4,7 +4,7 @@
|
|||
import os
|
||||
import sys
|
||||
import textwrap
|
||||
from hmac import HMAC
|
||||
from hmac import HMAC, compare_digest
|
||||
from hashlib import sha256
|
||||
|
||||
from .helpers import IntegrityError, get_keys_dir, Error
|
||||
|
@ -134,13 +134,17 @@ def encrypt(self, data):
|
|||
def decrypt(self, id, data):
|
||||
if data[0] != self.TYPE:
|
||||
raise IntegrityError('Invalid encryption envelope')
|
||||
hmac = memoryview(data)[1:33]
|
||||
if memoryview(HMAC(self.enc_hmac_key, memoryview(data)[33:], sha256).digest()) != hmac:
|
||||
hmac_given = memoryview(data)[1:33]
|
||||
hmac_computed = memoryview(HMAC(self.enc_hmac_key, memoryview(data)[33:], sha256).digest())
|
||||
if not compare_digest(hmac_computed, hmac_given):
|
||||
raise IntegrityError('Encryption envelope checksum mismatch')
|
||||
self.dec_cipher.reset(iv=PREFIX + data[33:41])
|
||||
data = self.compressor.decompress(self.dec_cipher.decrypt(data[41:]))
|
||||
if id and HMAC(self.id_key, data, sha256).digest() != id:
|
||||
raise IntegrityError('Chunk id verification failed')
|
||||
if id:
|
||||
hmac_given = id
|
||||
hmac_computed = HMAC(self.id_key, data, sha256).digest()
|
||||
if not compare_digest(hmac_computed, hmac_given):
|
||||
raise IntegrityError('Chunk id verification failed')
|
||||
return data
|
||||
|
||||
def extract_nonce(self, payload):
|
||||
|
|
Loading…
Reference in a new issue