[issue15061] hmac.secure_compare() leaks information about length of strings

Antoine Pitrou report at bugs.python.org
Fri Jun 15 12:31:57 CEST 2012


Antoine Pitrou <pitrou at free.fr> added the comment:

> I could wrap up a quick C implementation if you like. The operator
> module is a better place for a total_compare() function. Do you
> agree?

I think the function is fine in either hashlib or hmac. Putting it in
one of these modules is a hint that it's security-related. On the other
hand, linking to it from these modules' documentations is just as fine,
if it is put in the operator module.

If you make a C implementation, it could also be interesting to cover
the pure-ASCII unicode case.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________

