Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Construct HMAC as bytes on py3
Browse files Browse the repository at this point in the history
Signed-off-by: Adrian Tschira <nota@notafile.com>
  • Loading branch information
NotAFile committed Apr 28, 2018
1 parent 9558236 commit 1225932
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 11 deletions.
16 changes: 9 additions & 7 deletions synapse/rest/client/v1/register.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@
import hmac
import logging

from six import string_types

logger = logging.getLogger(__name__)


Expand Down Expand Up @@ -333,11 +335,11 @@ def _do_app_service(self, request, register_json, session):
def _do_shared_secret(self, request, register_json, session):
yield run_on_reactor()

if not isinstance(register_json.get("mac", None), basestring):
if not isinstance(register_json.get("mac", None), string_types):
raise SynapseError(400, "Expected mac.")
if not isinstance(register_json.get("user", None), basestring):
if not isinstance(register_json.get("user", None), string_types):
raise SynapseError(400, "Expected 'user' key.")
if not isinstance(register_json.get("password", None), basestring):
if not isinstance(register_json.get("password", None), string_types):
raise SynapseError(400, "Expected 'password' key.")

if not self.hs.config.registration_shared_secret:
Expand All @@ -358,14 +360,14 @@ def _do_shared_secret(self, request, register_json, session):
got_mac = str(register_json["mac"])

want_mac = hmac.new(
key=self.hs.config.registration_shared_secret,
key=self.hs.config.registration_shared_secret.encode(),
digestmod=sha1,
)
want_mac.update(user)
want_mac.update("\x00")
want_mac.update(b"\x00")
want_mac.update(password)
want_mac.update("\x00")
want_mac.update("admin" if admin else "notadmin")
want_mac.update(b"\x00")
want_mac.update(b"admin" if admin else b"notadmin")
want_mac = want_mac.hexdigest()

if compare_digest(want_mac, got_mac):
Expand Down
10 changes: 6 additions & 4 deletions synapse/rest/client/v2_alpha/register.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@
from synapse.util.async import run_on_reactor
from synapse.util.ratelimitutils import FederationRateLimiter

from six import string_types


# We ought to be using hmac.compare_digest() but on older pythons it doesn't
# exist. It's a _really minor_ security flaw to use plain string comparison
Expand Down Expand Up @@ -210,14 +212,14 @@ def on_POST(self, request):
# in sessions. Pull out the username/password provided to us.
desired_password = None
if 'password' in body:
if (not isinstance(body['password'], basestring) or
if (not isinstance(body['password'], string_types) or
len(body['password']) > 512):
raise SynapseError(400, "Invalid password")
desired_password = body["password"]

desired_username = None
if 'username' in body:
if (not isinstance(body['username'], basestring) or
if (not isinstance(body['username'], string_types) or
len(body['username']) > 512):
raise SynapseError(400, "Invalid username")
desired_username = body['username']
Expand All @@ -243,7 +245,7 @@ def on_POST(self, request):

access_token = get_access_token_from_request(request)

if isinstance(desired_username, basestring):
if isinstance(desired_username, string_types):
result = yield self._do_appservice_registration(
desired_username, access_token, body
)
Expand Down Expand Up @@ -464,7 +466,7 @@ def _do_shared_secret_registration(self, username, password, body):
# includes the password and admin flag in the hashed text. Why are
# these different?
want_mac = hmac.new(
key=self.hs.config.registration_shared_secret,
key=self.hs.config.registration_shared_secret.encode(),
msg=user,
digestmod=sha1,
).hexdigest()
Expand Down

0 comments on commit 1225932

Please sign in to comment.