[Python-Dev] Should secrets include a fallback for hmac.compare_digest? (original) (raw)

Steven D'Aprano steve at pearwood.info
Fri Apr 15 05:21:55 EDT 2016

• Previous message (by thread): [Python-Dev] Should secrets include a fallback for hmac.compare_digest?
• Next message (by thread): [Python-Dev] Should secrets include a fallback for hmac.compare_digest?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 15, 2016 at 10:26:31AM +0200, Victor Stinner wrote:

It's easy to implement this function (in the native language of your Python implemenation), it's short. I'm not sure that a Python version is really safe.

The secrets module is for Python 3.6, in this version the hmac already "requires" the comparedigest() function no?

The current version looks like this:

try: from hmac import compare_digest except ImportError:

fallback version defined

but I'm having second thoughts about this. I don't think it needs to support older versions of Python, but perhaps it needs to support implementations which don't include compare_digest?

This isn't just a question about the secrets module. PEP 399 suggests than any C classes/functions should have a pure Python version as fallback, but compare_digest doesn't. I don't know whether it should or not.

https://www.python.org/dev/peps/pep-0399/

-- Steve

• Previous message (by thread): [Python-Dev] Should secrets include a fallback for hmac.compare_digest?
• Next message (by thread): [Python-Dev] Should secrets include a fallback for hmac.compare_digest?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list