Issue #15061: Don't oversell the capabilities of the new non-shortcircuiting comparison function in hmac

author: Nick Coghlan <ncoghlan@gmail.com> 2012-06-15 11:14:08 (GMT)
committer: Nick Coghlan <ncoghlan@gmail.com> 2012-06-15 11:14:08 (GMT)
commit: 807770ec1bead8aff0716384621638ed80e9f56b (patch)
tree: 92340839af07f9033c315292b9bb1eb9a777b9b8 /Lib
parent: 307693a8bb3b5b5ff2e3a0d5a0a837289e4de8be (diff)
download: cpython-807770ec1bead8aff0716384621638ed80e9f56b.zip
cpython-807770ec1bead8aff0716384621638ed80e9f56b.tar.gz
cpython-807770ec1bead8aff0716384621638ed80e9f56b.tar.bz2
2 files changed, 37 insertions, 35 deletions
diff --git a/Lib/hmac.py b/Lib/hmac.py
index 13ffdbe..e47965b 100644
--- a/Lib/hmac.py
+++ b/Lib/hmac.py
@@ -13,24 +13,24 @@ trans_36 = bytes((x ^ 0x36) for x in range(256))
 digest_size = None
 
 
-def secure_compare(a, b):
-    """Returns the equivalent of 'a == b', but using a time-independent
-    comparison method to prevent timing attacks."""
-    if not ((isinstance(a, str) and isinstance(b, str)) or
-            (isinstance(a, bytes) and isinstance(b, bytes))):
-        raise TypeError("inputs must be strings or bytes")
-
+def compare_digest(a, b):
+    """Returns the equivalent of 'a == b', but avoids content based short
+    circuiting to reduce the vulnerability to timing attacks."""
+    # Consistent timing matters more here than data type flexibility
+    if not (isinstance(a, bytes) and isinstance(b, bytes)):
+        raise TypeError("inputs must be bytes instances")
+
+    # We assume the length of the expected digest is public knowledge,
+    # thus this early return isn't leaking anything an attacker wouldn't
+    # already know
     if len(a) != len(b):
         return False
 
+    # We assume that integers in the bytes range are all cached,
+    # thus timing shouldn't vary much due to integer object creation
     result = 0
-    if isinstance(a, bytes):
-        for x, y in zip(a, b):
-            result |= x ^ y
-    else:
-        for x, y in zip(a, b):
-            result |= ord(x) ^ ord(y)
-
+    for x, y in zip(a, b):
+        result |= x ^ y
     return result == 0
 
 
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 042bc5d..4e5961d 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -302,40 +302,42 @@ class CopyTestCase(unittest.TestCase):
         self.assertEqual(h1.hexdigest(), h2.hexdigest(),
             "Hexdigest of copy doesn't match original hexdigest.")
 
-class SecureCompareTestCase(unittest.TestCase):
+class CompareDigestTestCase(unittest.TestCase):
 
     def test_compare(self):
         # Testing input type exception handling
         a, b = 100, 200
-        self.assertRaises(TypeError, hmac.secure_compare, a, b)
-        a, b = 100, "foobar"
-        self.assertRaises(TypeError, hmac.secure_compare, a, b)
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
+        a, b = 100, b"foobar"
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
+        a, b = b"foobar", 200
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
         a, b = "foobar", b"foobar"
-        self.assertRaises(TypeError, hmac.secure_compare, a, b)
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
+        a, b = b"foobar", "foobar"
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
+        a, b = "foobar", "foobar"
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
+        a, b = bytearray(b"foobar"), bytearray(b"foobar")
+        self.assertRaises(TypeError, hmac.compare_digest, a, b)
 
-        # Testing str/bytes of different lengths
-        a, b = "foobar", "foo"
-        self.assertFalse(hmac.secure_compare(a, b))
+        # Testing bytes of different lengths
         a, b = b"foobar", b"foo"
-        self.assertFalse(hmac.secure_compare(a, b))
+        self.assertFalse(hmac.compare_digest(a, b))
         a, b = b"\xde\xad\xbe\xef", b"\xde\xad"
-        self.assertFalse(hmac.secure_compare(a, b))
+        self.assertFalse(hmac.compare_digest(a, b))
 
-        # Testing str/bytes of same lengths, different values
-        a, b = "foobar", "foobaz"
-        self.assertFalse(hmac.secure_compare(a, b))
+        # Testing bytes of same lengths, different values
         a, b = b"foobar", b"foobaz"
-        self.assertFalse(hmac.secure_compare(a, b))
+        self.assertFalse(hmac.compare_digest(a, b))
         a, b = b"\xde\xad\xbe\xef", b"\xab\xad\x1d\xea"
-        self.assertFalse(hmac.secure_compare(a, b))
+        self.assertFalse(hmac.compare_digest(a, b))
 
-        # Testing str/bytes of same lengths, same values
-        a, b = "foobar", "foobar"
-        self.assertTrue(hmac.secure_compare(a, b))
+        # Testing bytes of same lengths, same values
         a, b = b"foobar", b"foobar"
-        self.assertTrue(hmac.secure_compare(a, b))
+        self.assertTrue(hmac.compare_digest(a, b))
         a, b = b"\xde\xad\xbe\xef", b"\xde\xad\xbe\xef"
-        self.assertTrue(hmac.secure_compare(a, b))
+        self.assertTrue(hmac.compare_digest(a, b))
 
 def test_main():
     support.run_unittest(
@@ -343,7 +345,7 @@ def test_main():
         ConstructorTestCase,
         SanityTestCase,
         CopyTestCase,
-        SecureCompareTestCase
+        CompareDigestTestCase
     )
 
 if __name__ == "__main__":
author	Nick Coghlan <ncoghlan@gmail.com>	2012-06-15 11:14:08 (GMT)
committer	Nick Coghlan <ncoghlan@gmail.com>	2012-06-15 11:14:08 (GMT)
commit	807770ec1bead8aff0716384621638ed80e9f56b (patch)
tree	92340839af07f9033c315292b9bb1eb9a777b9b8 /Lib
parent	307693a8bb3b5b5ff2e3a0d5a0a837289e4de8be (diff)
download	cpython-807770ec1bead8aff0716384621638ed80e9f56b.zip cpython-807770ec1bead8aff0716384621638ed80e9f56b.tar.gz cpython-807770ec1bead8aff0716384621638ed80e9f56b.tar.bz2