From 526a1085d8cccc4e56d33e5c9b8b3921950f9d8b Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Fri, 14 Mar 2025 14:35:43 -0700
Subject: [PATCH] Update hmac_timing_attack.py
Signed-off-by: Eric Brown
---
 python/stdlib/hmac_timing_attack.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/python/stdlib/hmac_timing_attack.py b/python/stdlib/hmac_timing_attack.py
index b20f5c4..26c37dd 100644
--- a/python/stdlib/hmac_timing_attack.py
+++ b/python/stdlib/hmac_timing_attack.py
@@ -1,3 +1,6 @@
+# This example demostrates an insecure way of comparing a digest
+# that exposes the code to a timing attack. This is because using
+# equals operator on digest does not compare in constant time.
 import hmac
@@ -10,4 +13,5 @@ password = b"pass"
 digest = hmac.digest(key, password, digest="sha224")
-return digest == received_digest
+if digest == received_digest:
+    print("Authentication okay")
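Review bot: The new comparison `if digest == received_digest:` keeps the non-constant-time equality this example is meant to illustrate, but nothing in the file tells the reader what the correct form is, so the example is not self-contained as teaching material; a one-line comment above it naming the mitigation would fix that, e.g. `# Secure form: hmac.compare_digest(digest, received_digest)`. The header comment added in the first hunk also has a typo, `demostrates` should read `demonstrates`. `key` and `received_digest` are assigned outside the hunk (file lines 3–9 are not shown), so whether `received_digest` is bytes of the same type as `digest` cannot be confirmed here; `hmac.compare_digest` requires both arguments to be of the same type (both bytes-like or both ASCII str), which a comment at that definition could state.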