[Python-Dev] Should secrets include a fallback for hmac.compare_digest?
Steven D'Aprano steve at pearwood.info
Fri Apr 15 00:52:54 EDT 2016
Now that PEP 506 has been approved, I've checked in the secrets module, but an implementation question has come up regarding compare_digest.
Currently, the module tries to import hmac.compare_digest, and if that fails, then it falls back to a Python version. But since compare_digest has been available since 3.3, I'm now questioning whether the fallback is useful at all. Perhaps for alternate Python implementations?
So, two questions:
- should secrets include a fallback?
- if so, what is the preferred way of doing this?

option 1: fallback if compare_digest is missing

    try:
        from hmac import compare_digest
    except ImportError:
        def compare_digest(a, b):
            ...

option 2: "C accelerator idiom"

    def compare_digest(a, b):
        ...

    try:
        from hmac import compare_digest
    except ImportError:
        pass

Option 1 is closer to how I would write hybrid 2/3 code, but option 2 is how PEP 399 suggests it should be written.
https://www.python.org/dev/peps/pep-0399/
Currently, hmac imports compare_digest from _operator. There's no Python version in operator either. Should there be?
-- Steve
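
An added example, not part of the original message and not the code checked in to the secrets module: a pure-Python fallback wired up in the option 2 ordering. The name py_compare_digest and its body are assumptions; a pure-Python loop only removes the early exit on the first mismatch and cannot guarantee constant time the way the C version aims to.

```python
# Added example: py_compare_digest is a hypothetical name and body,
# not the fallback that was checked in to the secrets module.

def py_compare_digest(a, b):
    """Compare a and b without stopping at the first differing byte."""
    if isinstance(a, str) and isinstance(b, str):
        # Like hmac.compare_digest, accept str only when it is pure ASCII.
        try:
            a, b = a.encode("ascii"), b.encode("ascii")
        except UnicodeEncodeError:
            raise TypeError("comparing strings with non-ASCII characters "
                            "is not supported") from None
    elif isinstance(a, str) or isinstance(b, str):
        raise TypeError("cannot mix str and bytes-like operands")
    else:
        # memoryview() rejects non-buffer objects such as int with TypeError,
        # whereas bytes(5) would silently build five zero bytes.
        a, b = bytes(memoryview(a)), bytes(memoryview(b))

    # On a length mismatch, compare b against itself so the loop still
    # walks len(b) bytes, and force the result to "not equal".
    same_length = len(a) == len(b)
    result = 0 if same_length else 1
    left = a if same_length else b
    for x, y in zip(left, b):
        result |= x ^ y          # accumulate differences, never break early
    return result == 0


# Option 2 ordering (PEP 399 style): the Python version is defined first,
# then replaced by the C implementation when it can be imported.
compare_digest = py_compare_digest
try:
    from hmac import compare_digest
except ImportError:
    pass
```

With this ordering the pure-Python function stays importable under its own name, so it can be tested against the accelerated one on the same inputs.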