[Openstack] [swift] make swift.common.utils.streq_const_time more efficient

John Dickinson me at not.mn
Thu Sep 13 16:01:25 UTC 2012


The intended purpose of this string comparison is to explicitly compare every character. Doing it this way guards against timing attacks (http://en.wikipedia.org/wiki/Timing_attack).

--John


On Sep 13, 2012, at 12:06 AM, Mike Green <iasybvm at gmail.com> wrote:

> def streq_const_time(s1, s2):
> 
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         result |= ord(a) ^ ord(b)
>     return result == 0
> 
> +++++++++++++++++++++++++++++++++++++++++
> 
> If s1 and s2 are of the same length, then the function will compare every 
> character in them.  I think it may be more efficient as follows:
> 
> def streq_const_time(s1, s2):
> 
>     if len(s1) != len(s2):
>         return False
>     result = 0
>     for (a, b) in zip(s1, s2):
>         if ord(a) ^ ord(b):
>             return False
>     return True
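
An added example, not part of the original thread or Swift's own code: both variants from the message above, instrumented to count character comparisons so the difference the reply describes is visible deterministically (the step count stands in for running time). `SECRET`, `GUESSES` and the helper names are constructed for illustration.

```python
import hmac

SECRET = "a3f9c2d17b"  # constructed sample token, not a real credential

# Constructed guesses of the same length as SECRET, sharing 0, 3, 6 and 9
# leading characters with it.
GUESSES = ["xxxxxxxxxx", "a3fxxxxxxx", "a3f9c2xxxx", "a3f9c2d17x"]


def early_exit_steps(s1, s2):
    """Proposed variant: stop at the first differing character.
    Returns (equal, number_of_character_comparisons)."""
    if len(s1) != len(s2):
        return False, 0
    steps = 0
    for a, b in zip(s1, s2):
        steps += 1
        if ord(a) ^ ord(b):
            return False, steps
    return True, steps


def const_time_steps(s1, s2):
    """Original variant: always walks the full string.
    Returns (equal, number_of_character_comparisons)."""
    if len(s1) != len(s2):
        return False, 0
    result = 0
    steps = 0
    for a, b in zip(s1, s2):
        steps += 1
        result |= ord(a) ^ ord(b)
    return result == 0, steps


def work_profile(compare, secret, guesses):
    """Map each guess to the amount of work the comparison did for it."""
    return {g: compare(secret, g)[1] for g in guesses}


if __name__ == "__main__":
    # Early exit: work grows with the length of the matching prefix.
    print("early exit:", work_profile(early_exit_steps, SECRET, GUESSES))
    # Full walk: work is the same for every wrong guess of the right length.
    print("const time:", work_profile(const_time_steps, SECRET, GUESSES))
    # Standard-library constant-time comparison (Python 2.7.7+ / 3.3+).
    print("compare_digest:", hmac.compare_digest(SECRET.encode(), GUESSES[3].encode()))
```

In current Python, `hmac.compare_digest` provides this comparison in the standard library, so a hand-written loop is only needed on interpreters that predate it.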
