From c6a2823a8c8d6cac38851def4312b86e4faf5705 Mon Sep 17 00:00:00 2001
From: Eric Brown <ericwb@users.noreply.github.com>
Date: Fri, 14 Mar 2025 22:21:25 -0700
Subject: [PATCH] Update hmac_timing_attack.py

Signed-off-by: Eric Brown <ericwb@users.noreply.github.com>
---
 python/stdlib/hmac_timing_attack.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/stdlib/hmac_timing_attack.py b/python/stdlib/hmac_timing_attack.py
index b20f5c4..34178a9 100644
--- a/python/stdlib/hmac_timing_attack.py
+++ b/python/stdlib/hmac_timing_attack.py
@@ -1,3 +1,6 @@
+# This example demostrates an insecure way of comparing a digest
+# that exposes the code to a timing attack. This is because using
+# equals operator on digest does not compare in constant time.
 import hmac
 
 
@@ -6,8 +9,9 @@
     b"\xf5\x10>\xdbf\xa2\xaf\xf7x\xcdX\xdf"
 )
 
-key = b"my-secret-key"
+key = b"my-super-secret-key"
 password = b"pass"
 digest = hmac.digest(key, password, digest="sha224")
 
-return digest == received_digest
+if digest == received_digest:
+    print("Authentication okay")