The intended purpose of this string comparison is to explicitly compare every character. Doing it this way guards against timing attacks (http://en.wikipedia.org/wiki/Timing_attack).
--John

On Sep 13, 2012, at 12:06 AM, Mike Green <[email protected]> wrote:

> def streq_const_time(s1, s2):
>
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         result |= ord(a) ^ ord(b)
>     return result == 0
>
> +++++++++++++++++++++++++++++++++++++++++
>
> If s1 and s2 are of the same length, then the function will compare every
> character in them. I think it may be more efficient as follows:
>
> def streq_const_time(s1, s2):
>
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         if ord(a) ^ ord(b):
>             return False
>     return True
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
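The difference between the two functions quoted above, as an added example that is not code from the thread or from the project: instrumented copies count loop iterations as a deterministic stand-in for running time. The names `streq_early_exit`, `work_profile` and `streq_stdlib` and the sample strings are assumptions made for this illustration.

```python
import hmac


def streq_early_exit(s1, s2):
    """Early-return variant from the quoted proposal; also returns iterations used."""
    if len(s1) != len(s2):
        return False, 0
    steps = 0
    for a, b in zip(s1, s2):
        steps += 1
        if ord(a) ^ ord(b):
            return False, steps      # work done reveals where the first mismatch is
    return True, steps


def streq_const_time(s1, s2):
    """Accumulating variant; same instrumentation."""
    if len(s1) != len(s2):
        return False, 0
    result = 0
    steps = 0
    for a, b in zip(s1, s2):
        steps += 1
        result |= ord(a) ^ ord(b)    # no data-dependent branch inside the loop
    return result == 0, steps


# Constructed sample values (not real secrets).
EXPECTED = "3f9a1c7be2d04586"
GUESSES = ["0000000000000000", "3f9a000000000000", "3f9a1c7be2d04580", EXPECTED]


def work_profile(compare):
    """Iterations spent on each guess; a proxy for what a timing measurement sees."""
    return [compare(EXPECTED, guess)[1] for guess in GUESSES]


def streq_stdlib(s1, s2):
    """Same check with hmac.compare_digest (Python 2.7.7+ / 3.3+)."""
    return hmac.compare_digest(s1.encode("utf-8"), s2.encode("utf-8"))


if __name__ == "__main__":
    print("early exit:", work_profile(streq_early_exit))
    print("const time:", work_profile(streq_const_time))
    print("stdlib    :", [streq_stdlib(EXPECTED, g) for g in GUESSES])
```

With the early return, the work grows with the length of the matching prefix, which is the signal a timing attack measures; the accumulating loop does the same work for every equal-length input.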

