components/openstack/nova/patches/07-CVE-2014-3517.patch
author John Beck <John.Beck@Oracle.COM>
Thu, 09 Oct 2014 18:23:12 -0700
changeset 2144 96440b7aa33e
parent 2084 88af15a9e9da
permissions -rw-r--r--
19782835 imagemagick doesn't build on s12_58
This upstream patch addresses CVE-2014-3517 and is tracked under
Launchpad bug 1325128. It is addressed in the Juno trunk, Icehouse
2014.1.2, and Havana 2013.2.4. It has been modified to apply cleanly
into our current Havana implementation.
commit 1dd97d1335f6ec028d0e4440250f80802a2f1d18
Author: Grant Murphy <[email protected]>
Date:   Tue Jul 8 03:35:40 2014 +0000
    Avoid possible timing attack in metadata api
    
    Introduce a constant time comparison function to
    nova utils for comparing authentication tokens.
    
    Conflicts:
    	nova/tests/test_utils.py
    	nova/utils.py
    
    Closes-bug: #1325128
    Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
    (cherry picked from commit 9f59ca751f1a392ef24d8ab73a7bf5ce9655017e)
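diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
index 50387ab..74bb4f7 100644
--- a/nova/api/metadata/handler.py
+++ b/nova/api/metadata/handler.py
@@ -31,6 +31,7 @@ from nova import exception
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import log as logging
 from nova.openstack.common import memorycache
+from nova import utils
 from nova import wsgi
 
 CACHE_EXPIRATION = 15  # in seconds
@@ -172,7 +173,7 @@ class MetadataRequestHandler(wsgi.Application):
             instance_id,
             hashlib.sha256).hexdigest()
 
-        if expected_signature != signature:
+        if not utils.constant_time_compare(expected_signature, signature):
             if instance_id:
                 LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
                            'match the expected value: %(expected_signature)s '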
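Review bot: The new `utils.constant_time_compare(expected_signature, signature)` call changes what happens when `signature` is not a string: the old `!=` comparison treated a missing header value (None) as a plain mismatch and fell through to the warning and rejection path, whereas both `hmac.compare_digest` and the fallback's `len()` call raise TypeError on None, which would surface as a server error rather than the rejection the branch below was written for. Where `signature` is read is outside the hunk, so this depends on whether the caller already guarantees a string; if it does not, guard before the compare: `if not signature or not utils.constant_time_compare(expected_signature, signature):`. The enclosing method of MetadataRequestHandler starts and ends outside the hunk.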
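diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
index b38ea50..820fe09 100644
--- a/nova/tests/test_utils.py
+++ b/nova/tests/test_utils.py
@@ -1083,3 +1083,10 @@ class GetImageFromSystemMetadataTestCase(test.NoDBTestCase):
 
         # Verify that the foo1 key has not been inherited
         self.assertTrue("foo1" not in image)
+
+
+class ConstantTimeCompareTestCase(test.NoDBTestCase):
+    def test_constant_time_compare(self):
+        self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
+        self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
+        self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))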
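Review bot: The third assertion in `test_constant_time_compare` does not exercise the same-length mismatch path: `"ABCD234"` is seven characters against eight in `"abcd1234"`, so both negative cases return from the length check in the fallback implementation and the XOR loop that does the actual constant-time work is never reached. Use an equal-length value, e.g. `self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD1234"))`, and keep the short one as the separate length-mismatch case. Optionally, a test that pins which implementation is bound (`hmac.compare_digest` when the interpreter provides it) would document what actually runs in the deployed environment.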
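diff --git a/nova/utils.py b/nova/utils.py
index 4757f3a..5f10a8a 100755
--- nova-2013.2.3/nova/utils.py.~2~	2014-09-02 13:57:46.030039835 -0700
+++ nova-2013.2.3/nova/utils.py	2014-09-02 13:57:49.391998275 -0700
@@ -23,6 +23,7 @@ import contextlib
 import datetime
 import functools
 import hashlib
+import hmac
 import inspect
 import os
 import pyclbr
@@ -1288,3 +1289,20 @@ def get_boolean(value):
         return value
     else:
         return strutils.bool_from_string(value)
+
+if hasattr(hmac, 'compare_digest'):
+    constant_time_compare = hmac.compare_digest
+else:
+    def constant_time_compare(first, second):
+        """Returns True if both string inputs are equal, otherwise False.
+
+        This function should take a constant amount of time regardless of
+        how many characters in the strings match.
+
+        """
+        if len(first) != len(second):
+            return False
+        result = 0
+        for x, y in zip(first, second):
+            result |= ord(x) ^ ord(y)
+        return result == 0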
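Review bot: The two implementations bound to `constant_time_compare` do not accept the same inputs: `hmac.compare_digest` raises TypeError for mixed or unsupported argument types, while the fallback compares `ord()` of each pair and accepts any two equal-length sequences of single characters, so callers see interpreter-dependent behaviour for anything but plain strings of one type. The docstring should state that contract, e.g. `Both arguments must be strings of the same type; mixed or non-string inputs may raise TypeError depending on the interpreter.`, and the early `return False` on a length mismatch deserves a comment such as `# Not constant-time in the length, only in the content; acceptable when the expected value is a fixed-size digest.` The summary line would also read better in imperative form, `Return True if both string inputs are equal, otherwise False.`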