[New-bugs-announce] [issue15061] hmac.secure_compare() leaks information of length of strings

Christian Heimes report at bugs.python.org
Thu Jun 14 01:00:24 CEST 2012

New submission from Christian Heimes <lists at cheimes.de>:

The secure_compare() function immediately returns False when both strings don't have equal length. With the patch the run time of secure_compare() always depends on the length of the right side. It no longer gives away information about the length of the left side.

The patch should be applied in combination with the patch in issue #14955.

components: IO
files: secure_compare_length.patch
keywords: needs review, patch
messages: 162739
nosy: christian.heimes
priority: normal
severity: normal
stage: patch review
status: open
title: hmac.secure_compare() leaks information of length of strings
type: behavior
versions: Python 3.4
Added file: http://bugs.python.org/file26003/secure_compare_length.patch

Python tracker <report at bugs.python.org>
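
Added example, not the attached patch and not code from the tracker: a sketch of the early-return comparison described in the report beside one whose loop count depends only on the right-hand argument. The function names, the `steps` counter (instrumentation that makes the difference visible without timing measurements) and the sample values are assumptions made for illustration.

```python
import hashlib


def compare_early_exit(left: bytes, right: bytes):
    """Reported behaviour: return at once when the lengths differ."""
    steps = 0  # instrumentation only: loop iterations performed
    if len(left) != len(right):
        return False, steps
    diff = 0
    for x, y in zip(left, right):
        diff |= x ^ y  # accumulate differences, no early break
        steps += 1
    return diff == 0, steps


def compare_right_length(left: bytes, right: bytes):
    """Sketch of the described fix: always loop len(right) times."""
    steps = 0
    if len(left) == len(right):
        diff, probe = 0, left
    else:
        # Lengths differ: the result is already False, but still walk
        # the right side so the work does not depend on len(left).
        diff, probe = 1, right
    for x, y in zip(probe, right):
        diff |= x ^ y
        steps += 1
    return diff == 0, steps


def work_profile(compare, left: bytes, right_lengths):
    """Loop iterations spent per right-hand length, for a fixed left side."""
    return [compare(left, b"\x00" * n)[1] for n in right_lengths]


# Constructed sample: a 32-byte digest standing in for the left side.
SECRET = hashlib.sha256(b"constructed sample key").digest()
LENGTHS = [8, 16, 32, 64]

if __name__ == "__main__":
    # Early exit does work only at the matching length, which reveals it.
    print("early exit  :", work_profile(compare_early_exit, SECRET, LENGTHS))
    # Here the work tracks the caller-supplied right side only.
    print("right length:", work_profile(compare_right_length, SECRET, LENGTHS))
```

Pure-Python code gives no hard timing guarantee; the iteration counts only show which input the amount of work depends on.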