openstack team mailing list archive
Message #16704
Re: [swift] make swift.common.utils.streq_const_time more efficient
The intended purpose of this string comparison is to explicitly compare every character. Doing it this way guards against timing attacks (http://en.wikipedia.org/wiki/Timing_attack).
--John
On Sep 13, 2012, at 12:06 AM, Mike Green <iasybvm@xxxxxxxxx> wrote:
> def streq_const_time(s1, s2):
>
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         result |= ord(a) ^ ord(b)
>     return result == 0
>
> +++++++++++++++++++++++++++++++++++++++++
>
> If s1 and s2 are of the same length, then the function will compare every
> character in them. I think it may be more efficient as follows:
>
> def streq_const_time(s1, s2):
>
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         if ord(a) ^ ord(b):
>             return False
>     return True
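An added example, not part of the original thread or of Swift's code: it counts loop iterations as a deterministic stand-in for running time, to show that the early-return variant does work proportional to the matching prefix while the accumulating version does the same work for every same-length input. The names `streq_early_exit`, `work_profile` and `stdlib_equal` and the sample strings are made up for illustration; `hmac.compare_digest` is the standard-library comparison intended for this purpose.

```python
import hmac


def streq_const_time(s1, s2):
    """Accumulating comparison from the thread. Returns (equal, loop_steps)."""
    if len(s1) != len(s2):
        return False, 0  # length mismatch still returns early, as on the page
    result = 0
    steps = 0
    for a, b in zip(s1, s2):
        result |= ord(a) ^ ord(b)  # no branch depends on the data
        steps += 1
    return result == 0, steps


def streq_early_exit(s1, s2):
    """Early-return variant proposed in the thread. Returns (equal, loop_steps)."""
    if len(s1) != len(s2):
        return False, 0
    steps = 0
    for a, b in zip(s1, s2):
        steps += 1
        if ord(a) ^ ord(b):
            return False, steps  # work done reveals where the first mismatch is
    return True, steps


def work_profile(compare, secret, candidates):
    """Loop steps spent by `compare` on each candidate (hypothetical helper)."""
    return [compare(secret, c)[1] for c in candidates]


def stdlib_equal(s1, s2):
    """Same check using the standard library's constant-time comparison."""
    return hmac.compare_digest(s1.encode("utf-8"), s2.encode("utf-8"))


# Constructed sample values, not real tokens.
SECRET = "a3f9c1d27b"
CANDIDATES = ["0000000000", "a300000000", "a3f9c00000", "a3f9c1d27b"]

if __name__ == "__main__":
    print("early exit :", work_profile(streq_early_exit, SECRET, CANDIDATES))
    print("const time :", work_profile(streq_const_time, SECRET, CANDIDATES))
    print("stdlib     :", [stdlib_equal(SECRET, c) for c in CANDIDATES])
```
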