--- a/components/openstack/nova/patches/07-CVE-2014-3517.patch	Fri Mar 20 03:13:26 2015 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-This upstream patch addresses CVE-2014-3517 and is tracked under
-Launchpad bug 1325128. It is addressed in the Juno trunk, Icehouse
-2014.1.2, and Havana 2013.2.4. It has been modified to apply cleanly
-into our current Havana implementation
-
-commit 1dd97d1335f6ec028d0e4440250f80802a2f1d18
-Author: Grant Murphy <[email protected]>
-Date:   Tue Jul 8 03:35:40 2014 +0000
-
-    Avoid possible timing attack in metadata api
-    
-    Introduce a constant time comparison function to
-    nova utils for comparing authentication tokens.
-    
-    Conflicts:
-    	nova/tests/test_utils.py
-    	nova/utils.py
-    
-    Closes-bug: #1325128
-    Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
-    (cherry picked from commit 9f59ca751f1a392ef24d8ab73a7bf5ce9655017e)
-
-diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
-index 50387ab..74bb4f7 100644
---- a/nova/api/metadata/handler.py
-+++ b/nova/api/metadata/handler.py
-@@ -31,6 +31,7 @@ from nova import exception
- from nova.openstack.common.gettextutils import _
- from nova.openstack.common import log as logging
- from nova.openstack.common import memorycache
-+from nova import utils
- from nova import wsgi
- 
- CACHE_EXPIRATION = 15  # in seconds
-@@ -172,7 +173,7 @@ class MetadataRequestHandler(wsgi.Application):
-             instance_id,
-             hashlib.sha256).hexdigest()
- 
--        if expected_signature != signature:
-+        if not utils.constant_time_compare(expected_signature, signature):
-             if instance_id:
-                 LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
-                            'match the expected value: %(expected_signature)s '
-diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
-index b38ea50..820fe09 100644
---- a/nova/tests/test_utils.py
-+++ b/nova/tests/test_utils.py
-@@ -1083,3 +1083,10 @@ class GetImageFromSystemMetadataTestCase(test.NoDBTestCase):
- 
-         # Verify that the foo1 key has not been inherited
-         self.assertTrue("foo1" not in image)
-+
-+
-+class ConstantTimeCompareTestCase(test.NoDBTestCase):
-+    def test_constant_time_compare(self):
-+        self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
-+        self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
-+        self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
-diff --git a/nova/utils.py b/nova/utils.py
-index 4757f3a..5f10a8a 100755
---- nova-2013.2.3/nova/utils.py.~2~	2014-09-02 13:57:46.030039835 -0700
-+++ nova-2013.2.3/nova/utils.py	2014-09-02 13:57:49.391998275 -0700
-@@ -23,6 +23,7 @@ import contextlib
- import datetime
- import functools
- import hashlib
-+import hmac
- import inspect
- import os
- import pyclbr
-@@ -1288,3 +1289,20 @@ def get_boolean(value):
-         return value
-     else:
-         return strutils.bool_from_string(value)
-+
-+if hasattr(hmac, 'compare_digest'):
-+    constant_time_compare = hmac.compare_digest
-+else:
-+    def constant_time_compare(first, second):
-+        """Returns True if both string inputs are equal, otherwise False.
-+
-+        This function should take a constant amount of time regardless of
-+        how many characters in the strings match.
-+
-+        """
-+        if len(first) != len(second):
-+            return False
-+        result = 0
-+        for x, y in zip(first, second):
-+            result |= ord(x) ^ ord(y)
-+        return result == 0