Message 163368 - Python tracker

Message163368

Author	serhiy.storchaka
Recipients	Jon.Oberheide, alex, christian.heimes, fijall, georg.brandl, hynek, loewis, ncoghlan, petri.lehtinen, pitrou, python-dev, serhiy.storchaka
Date	2012-06-21.21:09:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1340312987.2703.25.camel@raxxla>
In-reply-to	<4FE38B78.3080403@v.loewis.de>

Content
> You mean .encode()? Yes, of cause. timingsafe_eq(a.encode('ascii'), b.encode('ascii')). > > About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you > > should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) != > > 0)). > > What's the difference? They are the same. Laziness. If "a" (a secret key) is not bytes then PyBytes_CheckExact(b) ("b" is a user input) is not called. It exposes secret key type. I'm not sure if it is real secret however.

Content

> You mean .encode()?

Yes, of cause. timingsafe_eq(a.encode('ascii'), b.encode('ascii')).

> > About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you
> > should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) !=
> > 0)).
> 
> What's the difference? They are the same.

Laziness. If "a" (a secret key) is not bytes then PyBytes_CheckExact(b)
("b" is a user input) is not called. It exposes secret key type. I'm not
sure if it is real secret however.

History
Date	User	Action	Args
2012-06-21 21:09:35	serhiy.storchaka	set	recipients: + serhiy.storchaka, loewis, georg.brandl, ncoghlan, pitrou, christian.heimes, alex, fijall, python-dev, petri.lehtinen, hynek, Jon.Oberheide
2012-06-21 21:09:34	serhiy.storchaka	link	issue15061 messages
2012-06-21 21:09:34	serhiy.storchaka	create