Use constant time comparison when available (#59)

* Use constant time comparison when available

* Update setup.py

Author: svedi

cryptolens_python2.py

@@ -81,11 +81,17 @@ def EMSA_PKCS1_V15_ENCODE(M, emLen):
     def RSAASSA_PKCS1_V15_VERIFY((n,e), M, S):
         s = HelperMethods.OS2IP(S)
         m = HelperMethods.RSAVP1((n,e), s)
-        if m is None:return False
+        if m is None: return False
         EM = HelperMethods.I2OSP(m, 256)
         if EM is None: return False
-        EM2 = HelperMethods.EMSA_PKCS1_V15_ENCODE(M, 256)  # Can return None, but it's OK since EM is not None
-        return EM == EM2
+        EM2 = HelperMethods.EMSA_PKCS1_V15_ENCODE(M, 256)
+        if EM2 is None: return False
+
+        try:
+            import hmac
+            return hmac.compare_digest(EM, EM2)
+        except (ImportError, AttributeError):
+            return EM == EM2
 
 
     @staticmethod
@@ -590,4 +596,4 @@ def from_string(rsaPubKeyString):
             <RSAKeyValue><Modulus>...</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
         """
         rsaKey = xml.etree.ElementTree.fromstring(rsaPubKeyString)
-        return RSAPublicKey(rsaKey.find('Modulus').text, rsaKey.find('Exponent').text)
+        return RSAPublicKey(rsaKey.find('Modulus').text, rsaKey.find('Exponent').text)

licensing/internal.py

@@ -91,9 +91,15 @@ def RSAASSA_PKCS1_V15_VERIFY(pair, M, S):
         if m is None: return False
         EM = HelperMethods.I2OSP(m, 256)
         if EM is None: return False
-        EM2 = HelperMethods.EMSA_PKCS1_V15_ENCODE(M, 256)  # Can return None, but it's OK since EM is not None
-        return EM == EM2
-    
+        EM2 = HelperMethods.EMSA_PKCS1_V15_ENCODE(M, 256)
+        if EM2 is None: return False
+
+        try:
+            import hmac
+            return hmac.compare_digest(EM, EM2)
+        except (ImportError, AttributeError):
+            return EM == EM2
+
     @staticmethod
     def verify_signature(response, rsaPublicKey):       
         """

setup.py

@@ -2,13 +2,13 @@
 setup(
   name = 'licensing',         # How you named your package folder (MyLib)
   packages = ['licensing'],   # Chose the same as "name"
-  version = '0.39',      # Start with a small number and increase it with every change you make
+  version = '0.40',      # Start with a small number and increase it with every change you make
   license='MIT',        # Chose a license from here: https://help.github.com/articles/licensing-a-repository
   description = 'Client library for Cryptolens licensing Web API.',   # Give a short description about your library
   author = 'Cryptolens AB',                   # Type in your name
   author_email = '[email protected]',      # Type in your E-Mail
   url = 'https://cryptolens.io',   # Provide either the link to your github or to your website
-  download_url = 'https://github.com/Cryptolens/cryptolens-python/archive/v_39.tar.gz',    # I explain this later on
+  download_url = 'https://github.com/Cryptolens/cryptolens-python/archive/v_40.tar.gz',    # I explain this later on
   keywords = ['software licensing', 'licensing library', 'cryptolens'],   # Keywords that define your package best
   classifiers=[
     #'Development Status :: 5 - Stable',      # Chose either "3 - Alpha", "4 - Beta" or "5 - Production/Stable" as the current state of your package