[issue15061] hmac.secure_compare() leaks information about length of strings

Martin v . Löwis Sat, 23 Jun 2012 13:42:45 -0700

Martin v. Löwis <mar...@v.loewis.de> added the comment:

>>> About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you
>>> should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) !=
>>> 0)).
>>
>> What's the difference? They are the same.
> 
> Laziness. If "a" (a secret key) is not bytes then PyBytes_CheckExact(b)
> ("b" is a user input) is not called. It exposes secret key type. I'm not
> sure if it is real secret however.


I see; I missed that your version was using &. In any case, I don't
think this is a threat: you couldn't use it to get the secret key
faster.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15061] hmac.secure_compare() leaks information about length of strings

Reply via email to