Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why create potentially large bytes objects initialized with null bytes ? #10

Closed
joergschulz opened this issue Sep 6, 2023 · 2 comments
Closed

Why create potentially large bytes objects initialized with null bytes ? #10

joergschulz opened this issue Sep 6, 2023 · 2 comments

Comments

@joergschulz
Copy link
Contributor

otpauth/src/otpauth/rfc6238.py

Line 43 in 22368eb

return hmac.compare_digest(bytes(self.generate(timestamp)), bytes(code))

hmac.compare_digest() accepts either str or bytes and python doc says it should be used to lower the risk of timing attacks.

But what's the purpose of creating potentially large bytes objects initialized with null bytes ?

Shouldn't be simply the strings of the codes be compared ?
@lepture
Copy link
Member

lepture commented Sep 7, 2023

Oh, you are right. This is certainly a wrong way. You're welcome to send a PR.

@joergschulz joergschulz mentioned this issue Sep 7, 2023
Merged
@lepture
Copy link
Member

lepture commented Sep 9, 2023

2.1.1 released

@lepture lepture closed this as completed Sep 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lepture @joergschulz