
Re: streql - Constant-time string comparison



On Tue, Oct 28, 2014 at 12:08 PM, Riley Baird
<BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch> wrote:
> Dear debian-security,
>
> I am looking for a sponsor for my package "streql".
>
> In Python, the code for testing the equality of strings is susceptible
> to a "timing side channel attack". The package 'streql' provides a
> function for comparing strings of equal length in equal time, regardless
> of the content of the strings.
>
> * Package name    : streql
>   Version         : 3.0.2-1
>   Upstream Author : Peter Scott <peter@cueup.com>
> * URL             : https://github.com/PeterScott/streql
> * License         : Apache 2.0
>   Section         : python
>
> It builds those binary packages:
>
> python-streql - Constant-time string comparison (Python 2)
> python3-streql - Constant-time string comparison (Python 3)
> pypy-streql - Constant-time string comparison (PyPy)
>
> To access further information about this package, please visit the following
> URL:
>
> http://mentors.debian.net/package/streql
>
> Alternatively, one can download the package with dget using this command:
>
> dget -x http://mentors.debian.net/debian/pool/main/s/streql/streql_3.0.2-1.dsc
>
> Changes since last upload:
>
> * Initial release (Closes: #764443)
>
> Regards,
> Riley Baird

Let me try this suggestion again:

-----------------------
// The core function: test two regions of memory for bytewise equality.
// Walk the whole overlapping prefix unconditionally, so that neither a
// length mismatch nor an early differing byte ends the loop early; the
// length check is folded in only at the end.
static int equals_internal(const char *x, unsigned int xlen,
                           const char *y, unsigned int ylen) {

    int minlen = ( xlen > ylen ) ? ylen : xlen;
    int i, result = 0;

    // OR-accumulate every difference; result stays 0 only if all bytes match.
    for (i = 0; i < minlen; i++) result |= x[i] ^ y[i];

    // Both operands are already computed here, so this does not skip work.
    return ( xlen == ylen ) && ( result == 0 );
}
-----------------------

I haven't tested it, but I think the corner case I'm thinking about is
fairly clear.

-- 
Joel Rees
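The comparison in the shape proposed above, placed beside the short-circuiting pattern the original request describes as leaking timing, as an added example that is not code from this thread or from the streql package. The function names (equals_leaky, equals_ct, the string wrappers) and the g_bytes_examined instrumentation counter are assumptions of this example: the counter records how many byte positions the last call looked at, so the amount of work done can be checked deterministically instead of by measuring time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed instrumentation: how many byte positions the most recent
 * comparison examined. Not part of a real implementation; it exists so a
 * test can check that the work done does not depend on the content. */
static size_t g_bytes_examined = 0;

size_t last_bytes_examined(void) { return g_bytes_examined; }

/* The short-circuiting pattern the thread warns about: returns as soon as a
 * length mismatch or a differing byte is found, so the work done (and thus
 * the running time) reveals how long the matching prefix was. */
int equals_leaky(const unsigned char *x, size_t xlen,
                 const unsigned char *y, size_t ylen)
{
    size_t i;
    g_bytes_examined = 0;
    if (xlen != ylen)
        return 0;
    for (i = 0; i < xlen; i++) {
        g_bytes_examined++;
        if (x[i] != y[i])
            return 0;
    }
    return 1;
}

/* Comparison in the shape proposed in the reply: always walk the whole
 * overlapping prefix, OR-accumulate every byte difference, and fold the
 * length check in only at the end. The loop count depends on
 * min(xlen, ylen) alone, never on where (or whether) the inputs differ.
 * unsigned char is used so the XOR never involves sign extension. */
int equals_ct(const unsigned char *x, size_t xlen,
              const unsigned char *y, size_t ylen)
{
    size_t minlen = (xlen < ylen) ? xlen : ylen;
    size_t i;
    unsigned char diff = 0;
    g_bytes_examined = 0;
    for (i = 0; i < minlen; i++) {
        g_bytes_examined++;
        diff |= (unsigned char)(x[i] ^ y[i]);
    }
    /* Both operands are already computed 0/1 values; a bitwise & combines
     * them without a data-dependent branch. */
    return (int)(xlen == ylen) & (int)(diff == 0);
}

/* Convenience wrappers for NUL-terminated strings. */
int ct_eq_str(const char *a, const char *b)
{
    return equals_ct((const unsigned char *)a, strlen(a),
                     (const unsigned char *)b, strlen(b));
}

int leaky_eq_str(const char *a, const char *b)
{
    return equals_leaky((const unsigned char *)a, strlen(a),
                        (const unsigned char *)b, strlen(b));
}

int main(void)
{
    /* Constructed sample inputs: one expected value, several probes. */
    const char *expected = "secret-token";
    const char *probes[] = { "secret-token", "Xecret-token",
                             "secret-tokeX", "secret", "" };
    size_t n;
    for (n = 0; n < sizeof probes / sizeof probes[0]; n++) {
        int r1 = leaky_eq_str(expected, probes[n]);
        size_t w1 = last_bytes_examined();
        int r2 = ct_eq_str(expected, probes[n]);
        size_t w2 = last_bytes_examined();
        printf("%-14s leaky: eq=%d bytes=%zu   ct: eq=%d bytes=%zu\n",
               probes[n], r1, w1, r2, w2);
    }
    return 0;
}
```

Running main shows that equals_leaky examines one byte for "Xecret-token" but all twelve for "secret-tokeX", while equals_ct examines twelve bytes in both cases. What equals_ct still exposes is the length of the shorter input, since the loop runs min(xlen, ylen) times; that matches the original request's wording, which only claims equal time for strings of equal length.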

