Merge pull request #603 from mozilla-services/bug/571

bug: Check tokens in constant time
mozilla-services · Aug 17, 2016 · 7dc79e4 · 7dc79e4
2 parents 95d6d41 + ed7ce2b
commit 7dc79e4
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/autopush/endpoint.py b/autopush/endpoint.py
@@ -35,6 +35,7 @@
     ProvisionedThroughputExceededException,
 )
 from cryptography.fernet import InvalidToken
+from cryptography.hazmat.primitives import constant_time
 from twisted.internet.defer import Deferred
 from twisted.internet.threads import deferToThread
 
@@ -868,11 +869,11 @@ def _validate_auth(self, uaid):
         if token_type.lower() not in AUTH_SCHEMES:
             return False
         if self.ap_settings.bear_hash_key:
+            is_valid = False
             for key in self.ap_settings.bear_hash_key:
                 token = generate_hash(key, uaid)
-                if rtoken == token:
-                    return True
-            return False
+                is_valid |= constant_time.bytes_eq(rtoken, token)
+            return is_valid
         else:
             return True