@@ -54,11 +54,10 @@ An HMAC object has the following methods:
5454
5555 .. warning ::
5656
57- The output of :meth: `hexdigest ` should not be compared directly to an
58- externally-supplied digest during a verification routine. Instead, the
59- externally supplied digest should be converted to a :class: `bytes `
60- value and compared to the output of :meth: `digest ` with
61- :func: `compare_digest `.
57+ When comparing the output of :meth: `hexdigest ` to an externally-supplied
58+ digest during a verification routine, it is recommended to use the
59+ :func: `compare_digest ` function instead of the ``== `` operator
60+ to reduce the vulnerability to timing attacks.
6261
6362
6463.. method :: HMAC.copy()
@@ -71,32 +70,16 @@ This module also provides the following helper function:
7170
7271.. function :: compare_digest(a, b)
7372
74- Returns the equivalent of ``a == b ``, but avoids content based
75- short circuiting behaviour to reduce the vulnerability to timing
76- analysis. The inputs must either both support the buffer protocol (e.g.
77- :class: `bytes ` and :class: `bytearray ` instances) or be ASCII only
78- :class: `str ` instances as returned by :meth: `hexdigest `.
79- :class: `bytes ` and :class: `str ` instances can't be mixed.
80-
81- Using a short circuiting comparison (that is, one that terminates as soon
82- as it finds any difference between the values) to check digests for
83- correctness can be problematic, as it introduces a potential
84- vulnerability when an attacker can control both the message to be checked
85- *and * the purported signature value. By keeping the plaintext consistent
86- and supplying different signature values, an attacker may be able to use
87- timing variations to search the signature space for the expected value in
88- O(n) time rather than the desired O(2**n).
73+ Return ``a == b ``. This function uses an approach designed to prevent
74+ timing analysis, making it appropriate for cryptography. *a * and *b *
75+ must both be of the same type: either :class: `str ` (ASCII only, as e.g.
76+ returned by :meth: `HMAC.hexdigest `), or any type that supports the
77+ :term: `buffer protocol ` (e.g. :class: `bytes `).
8978
9079 .. note ::
91-
92- While this function reduces the likelihood of leaking the contents of
93- the expected digest via a timing attack, it still may leak some timing
94- information when the input values differ in lengths as well as in error
95- cases like unsupported types or non ASCII strings. When the inputs have
96- different length the timing depends solely on the length of ``b ``. It
97- is assumed that the expected length of the digest is not a secret, as
98- it is typically published as part of a file format, network protocol
99- or API definition.
80+ If *a * and *b * are different lengths, or if an error occurs,
81+ a timing attack may be able to infer information about the types
82+ and lengths of *a * and *b *, but not their values.
10083
10184 .. versionadded :: 3.3
10285
0 commit comments