Armin Rigo added the comment:
fijal: while I agree with you, the limit for small ints has actually been
pushed to 257 in recent CPythons. So it should still theoretically work --- of
course, assuming a predictable CPU, which is wrong, and assuming a simple
interpreter. (We can probably dig
Hynek Schlawack added the comment:
We should. Adding secure functions that aren't really secure is something we
should rather avoid. :)
Christian, are you willing to do that?
--
components: +Library (Lib) -IO
nosy: +hynek
stage: patch review -> needs patch
type: behavior -> security
Maciej Fijalkowski added the comment:
secure_compare leaks the password always. Note that it takes different time to
create a result of ord() depending on whether it's <=100 or > 100 due to caching
of small numbers. Such functions should be written in C.
--
nosy: +fijall
New submission from Christian Heimes:
The secure_compare() function immediately returns False when both strings don't
have equal length. With the patch the run time of secure_compare() always
depends on the length of the right side. It no longer gives away information
about the length of the
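The following is an added illustration of the two behaviours discussed in this thread, written for this page and not taken from the tracker's patch or from CPython itself: a naive comparison that returns early on a length mismatch, beside a Python-level comparison whose amount of work depends only on the length of the right-hand argument, and the stdlib C implementation (`hmac.compare_digest`) that fijal's remark points toward. The function names `naive_compare`, `secure_compare`, `_xor_fold` and `stdlib_compare`, and all input values, are constructed for the example.

```python
import hmac


def naive_compare(a: bytes, b: bytes) -> bool:
    """The pattern the submission criticises: bail out as soon as the lengths
    differ, and as soon as the first differing byte is found, so the run time
    reveals both the length and how long a matching prefix the caller supplied."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def _xor_fold(a: bytes, b: bytes) -> int:
    """OR together the XOR of every byte pair; the result is zero iff all pairs
    are equal. No early exit, so the loop always runs min(len(a), len(b)) times."""
    result = 0
    for x, y in zip(a, b):
        result |= x ^ y
    return result


def secure_compare(a: bytes, b: bytes) -> bool:
    """Length handling in the spirit of the patch described above (hypothetical
    example implementation): the work done depends only on len(b), never on
    len(a) or on where the first differing byte sits."""
    if len(a) != len(b):
        # Do a full pass over b (comparing it with itself) so an unequal length
        # costs the same as an equal-length comparison against b, then reject.
        # The folded value is deliberately discarded.
        _ = _xor_fold(b, b)
        return False
    return _xor_fold(a, b) == 0


def stdlib_compare(a: bytes, b: bytes) -> bool:
    """What fijal's comment argues for: do the comparison in C. CPython's
    hmac.compare_digest is that C implementation (available since Python 3.3)."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample values.
    print(naive_compare(b"secret", b"secrets"))    # False, after a length check only
    print(secure_compare(b"secret", b"secrets"))   # False, after a full pass over b
    print(secure_compare(b"secret", b"secret"))    # True
    print(stdlib_compare(b"secret", b"secret"))    # True
```

Even with the early exits removed, the Python version still runs every byte through the interpreter, so the small-integer caching fijal describes (and any other interpreter-level variance) remains; the XOR fold only removes the data-dependent branches that are visible at the Python level. Where a real secret is compared, `stdlib_compare` is the one to use, since the loop it wraps is written in C.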