[Python-checkins] cpython: Now that it's possible, avoid timing attacks in the crypt module examples)
nick.coghlan
python-checkins at python.org
Fri Sep 28 15:20:50 CEST 2012
http://hg.python.org/cpython/rev/1f6f7a97d277
changeset: 79204:1f6f7a97d277
parent: 79201:6ccb04c4cbae
user: Nick Coghlan <ncoghlan at gmail.com>
date: Fri Sep 28 18:50:38 2012 +0530
summary:
Now that it's possible, avoid timing attacks in the crypt module examples)
files:
Doc/library/crypt.rst | 10 +++++++---
Doc/library/crypto.rst | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Doc/library/crypt.rst b/Doc/library/crypt.rst
--- a/Doc/library/crypt.rst
+++ b/Doc/library/crypt.rst
@@ -121,11 +121,14 @@
Examples
--------
-A simple example illustrating typical use::
+A simple example illustrating typical use (a constant-time comparison
+operation is needed to limit exposure to timing attacks.
+:func:`hmac.compare_digest` is suitable for this purpose)::
import pwd
import crypt
import getpass
+ from hmac import compare_digest as compare_hash
def login():
username = input('Python login: ')
@@ -134,7 +137,7 @@
if cryptedpasswd == 'x' or cryptedpasswd == '*':
raise ValueError('no support for shadow passwords')
cleartext = getpass.getpass()
- return crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd
+ return compare_hash(crypt.crypt(cleartext, cryptedpasswd), cryptedpasswd)
else:
return True
@@ -142,7 +145,8 @@
check it against the original::
import crypt
+ from hmac import compare_digest as compare_hash
hashed = crypt.crypt(plaintext)
- if hashed != crypt.crypt(plaintext, hashed):
+ if not compare_hash(hashed, crypt.crypt(plaintext, hashed)):
raise ValueError("hashed version doesn't validate against original")
diff --git a/Doc/library/crypto.rst b/Doc/library/crypto.rst
--- a/Doc/library/crypto.rst
+++ b/Doc/library/crypto.rst
@@ -8,6 +8,7 @@
The modules described in this chapter implement various algorithms of a
cryptographic nature. They are available at the discretion of the installation.
+On Unix systems, the :mod:`crypt` module may also be available.
Here's an overview:
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list