[Python-Dev] Should secrets include a fallback for hmac.compare_digest?
Steven D'Aprano
steve at pearwood.info
Fri Apr 15 00:52:54 EDT 2016
Now that PEP 506 has been approved, I've checked in the secrets module,
but an implementation question has come up regarding compare_digest.

Currently, the module tries to import hmac.compare_digest, and if that
fails, then it falls back to a Python version. But since compare_digest
has been available since 3.3, I'm now questioning whether the fallback
is useful at all. Perhaps for alternate Python implementations?

So, two questions:

- should secrets include a fallback?

- if so, what is the preferred way of doing this?

# option 1: fallback if compare_digest is missing
try:
    from hmac import compare_digest
except ImportError:
    def compare_digest(a, b):
        ...

# option 2: "C accelerator idiom"
def compare_digest(a, b):
    ...

try:
    from hmac import compare_digest
except ImportError:
    pass

Option 1 is closer to how I would write hybrid 2/3 code, but option 2 is
how PEP 399 suggests it should be written.

https://www.python.org/dev/peps/pep-0399/

Currently, hmac imports compare_digest from _operator. There's no Python
version in operator either. Should there be?

--
Steve