I've got a generated MD5-hash, which I would like to compare to another MD5-hash from a string. The statement below is false, even though they look the same when you print them and should be true.
hashlib.md5("foo").hexdigest() == "acbd18db4cc2f85cedef654fccc4a4d8"
Google told me that I should encode the result from hexdigest(), since it doesn't return a string. However, the code below doesn't seem to work either.
hashlib.md5("foo").hexdigest().encode("utf-8") == "foo".encode("utf-8")
Python 2.7, .hexdigest() does return a str
>>> hashlib.md5("foo").hexdigest() == "acbd18db4cc2f85cedef654fccc4a4d8"
True
>>> type(hashlib.md5("foo").hexdigest())
<type 'str'>
Python 3.1
.md5() doesn't take a unicode (which "foo" is), so that needs to be encoded to a byte stream.
>>> hashlib.md5("foo").hexdigest()
Traceback (most recent call last):
File "<pyshell#1>", line 1, in <module>
hashlib.md5("foo").hexdigest()
TypeError: Unicode-objects must be encoded before hashing
>>> hashlib.md5("foo".encode("utf8")).hexdigest()
'acbd18db4cc2f85cedef654fccc4a4d8'
>>> hashlib.md5("foo".encode("utf8")).hexdigest() == 'acbd18db4cc2f85cedef654fccc4a4d8'
True
Using == for a hash comparison is likely a security vulnerability.
https://groups.google.com/forum/?fromgroups=#!topic/keyczar-discuss/VXHsoJSLKhM
It's possible for an attacker to look for timing differences and iterate through the keyspace efficiently and find a value that will pass the equality test.
hexdigest returns a string. Your first statement returns True in python-2.x.
In python-3.x you would need to encode argument to md5 function, in that case equality is also True. Without encoding it raises TypeError.