Christian Heimes added the comment:
Python 3.3 contains a secure and working implementation for bytes. unicode
isn't supported unless both sides contain ASCII text only.
--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed
___
Christian Heimes li...@cheimes.de added the comment:
Nick has pushed a patch in rf36af3766a20 that disables the comparison of
unicode strings. See #15061
--
dependencies: +hmac.secure_compare() leaks information about length of strings
___
Nick Coghlan ncogh...@gmail.com added the comment:
As a result of the discussions on #15061, I removed unicode comparison support
altogether in f36af3766a20 (updating the warning on the hexdigest() method
accordingly).
Are folks happy to close this issue on that basis? (I'll raise the
Jon Oberheide j...@oberheide.org added the comment:
Sounds good to me, Nick.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue14955
___
___
Antoine Pitrou pit...@free.fr added the comment:
With PEP 393 unicode objects can have several representations, which makes it
unlikely that *really* constant-timing functions can be devised.
However, a C version could provide some guarantees, by raising an error if the
passed unicode strings
Changes by Hynek Schlawack h...@ox.cx:
--
nosy: +hynek
___
Christian Heimes li...@cheimes.de added the comment:
The second patch looks fine.
--
nosy: +christian.heimes
___
Jon Oberheide j...@oberheide.org added the comment:
Thanks for the feedback, haypo. I've updated the patch to use unicode-internal.
As long as the encode() of the expected non-attacker-controlled digest is not
dependent on the actual contents of the digest, we should be good.
--
STINNER Victor victor.stin...@gmail.com added the comment:
I'm not sure that encoding to UTF-8 is time independent. You may try UTF-32-LE
or unicode-internal?
--
nosy: +haypo
___
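The two points the thread keeps returning to, a byte-wise comparison whose work does not depend on where the inputs first differ, and the observation that encoding a str to UTF-8 takes content-dependent time and yields content-dependent lengths (while UTF-32-LE is a fixed 4 bytes per code point), illustrated as an added example. This is not code from the issue or from CPython's hmac module; the function names, the ASCII-only str policy wrapper and the constructed digest values are assumptions made for the illustration. Python 3.3's real implementation does the byte loop in C.

```python
import hmac

# Constructed sample digest for the demo below (not taken from the thread).
EXPECTED = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)


def ct_bytes_eq(a, b):
    """Constant-work comparison of two bytes-like values.

    Every byte is XORed into an accumulator, so the loop does not stop at
    the first mismatch.  Digest lengths are treated as public (HMAC output
    size is fixed); on a length mismatch the loop still walks a full buffer
    before returning False rather than returning immediately.
    """
    if not isinstance(a, (bytes, bytearray)) or not isinstance(b, (bytes, bytearray)):
        raise TypeError("ct_bytes_eq expects bytes-like arguments, not str")
    if len(a) != len(b):
        diff = 1
        b = a          # compare a against itself so the work is the same
    else:
        diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def encoded_lengths(text):
    """Return (utf8_len, utf32le_len) for text.

    UTF-8 spends 1 to 4 bytes per code point depending on content, so both
    the encoding work and the resulting buffer size depend on the data.
    UTF-32-LE is a fixed 4 bytes per code point, which is why it was
    suggested as a safer intermediate representation in the thread.
    """
    return len(text.encode("utf-8")), len(text.encode("utf-32-le"))


def compare_digest_policy(a, b):
    """Hypothetical wrapper implementing the policy the thread converges on:
    bytes are compared directly; str is accepted only when both sides are
    pure ASCII (one byte per character, no variable-width encoding work);
    mixing str and bytes, or non-ASCII str, is rejected with TypeError."""
    if isinstance(a, str) and isinstance(b, str):
        try:
            a = a.encode("ascii")
            b = b.encode("ascii")
        except UnicodeEncodeError:
            raise TypeError("non-ASCII str is not supported; compare bytes instead")
    elif isinstance(a, str) or isinstance(b, str):
        raise TypeError("cannot compare str with bytes")
    return ct_bytes_eq(a, b)


if __name__ == "__main__":
    # Sanity check against the standard library's C implementation.
    for candidate in (EXPECTED, EXPECTED[:-1] + b"\x00", EXPECTED[:16]):
        assert ct_bytes_eq(EXPECTED, candidate) == hmac.compare_digest(EXPECTED, candidate)
    print("utf-8 / utf-32-le lengths:", encoded_lengths("e"), encoded_lengths("\u00e9"))
```

The policy wrapper only rejects str that cannot be encoded as ASCII; it does not make the Python-level loop itself free of interpreter-level timing noise, which is why the thread settled on a C implementation for bytes.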
New submission from Jon Oberheide j...@oberheide.org:
Hi all,
I was informed that the hmac.secure_compare() function added in 14532 is not
time-independent when processing unicode values:
The function as given is probably not timing independent if the attacker can
provide unicode values.