-
-
Notifications
You must be signed in to change notification settings - Fork 31k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hmac.compare_digest could try harder to be constant-time. #84968
Comments
In particular, when for (i=0; i < length; i++) {
result |= *left++ ^ *right++;
}
return (result == 0); into (the moral equivalent of) this: for (i=0; i < length; i++) {
result |= *left++ ^ *right++;
if (result) {
for (; ++i < length;) {
*left++; *right++;
}
return 1;
}
}
return (result == 0); (Code not tested.) This might not seem like much, but it cuts out almost all of the data dependencies between (This is different from saying that it _would_ increase performance, but marking it volatile removes the worry.) (Prior art/discussion: tink-crypto/tink@335291c ) I propose two changes, one trivial, and one that's more invasive:
|
+1 for both of these suggestions |
Christian - Devin could likely use some help with the build/ifdef plumbing required for (2) to use CRYPTO_memcmp from Modules/_operator.c when OpenSSL is available. |
GPS, I got you covered :) CRYPTO_memcmp() was on my TODO list for a while. Thanks for nagging me. _operator is a built-in module. I don't want to add libcrypto dependency to libpython. I copied the code, made some adjustments and added it to _hashopenssl.c. |
Greg, is #64655 a bug fix / security enhancement or a new feature? I'm hesitant to backport it to 3.7 and 3.8. 3.9 might be ok. |
I'd feel fine doing that for 3.9 given 3.9.0 is only in beta and this changes no public APIs. For 3.8 and 3.7 i wouldn't. Be sure to update the versionchanged in the docs if you choose to do it for 3.9. |
Any reason this wasn't backported to 3.6? FWICS it's supposed to be security supported still. |
Just an oversight. Thanks for pointing it out. |
CVE-2022-48566 was assigned to this. I wasn't involved in the assignment, posting here for reference only. |
Also seems to be this: GHSA-cgfh-jp5w-8cmx |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: