[Python-Dev] Should secrets include a fallback for hmac.compare_digest?

Steven D'Aprano steve at pearwood.info
Fri Apr 15 05:21:55 EDT 2016


On Fri, Apr 15, 2016 at 10:26:31AM +0200, Victor Stinner wrote:
> It's easy to implement this function (in the native language of your Python
> implementation), it's short. I'm not sure that a Python version is really
> safe.
> 
> The secrets module is for Python 3.6, in this version the hmac already
> "requires" the compare_digest() function no?

The current version looks like this:

try:
   from hmac import compare_digest
except ImportError:
   # fallback version defined


but I'm having second thoughts about this. I don't think it needs to 
support older versions of Python, but perhaps it needs to support 
implementations which don't include compare_digest?

This isn't just a question about the secrets module. PEP 399 suggests 
that any C classes/functions should have a pure Python version as 
fallback, but compare_digest doesn't. I don't know whether it should or 
not.

https://www.python.org/dev/peps/pep-0399/



-- 
Steve
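
The import-or-fallback pattern discussed in this message, written out as an added example (not part of the original message and not the secrets module's code). The helper name py_compare_digest is hypothetical, and, per the doubt raised in the quoted text, the pure-Python path only avoids the early exit of == and is not proven constant-time.

```python
def py_compare_digest(a, b):
    """Best-effort pure-Python stand-in (hypothetical helper name).

    Accepts two ASCII-only str values or two bytes-like values, as
    hmac.compare_digest does. The interpreter gives no timing guarantee
    for integer or loop operations, so treat this as a last resort.
    """
    if isinstance(a, str) and isinstance(b, str):
        try:
            a, b = a.encode("ascii"), b.encode("ascii")
        except UnicodeEncodeError:
            raise TypeError("non-ASCII str is not supported") from None
    elif isinstance(a, str) or isinstance(b, str):
        raise TypeError("both arguments must be str or both bytes-like")
    else:
        # memoryview() rejects ints and other non-buffer objects.
        a, b = bytes(memoryview(a)), bytes(memoryview(b))

    # Always walk len(b) bytes. On a length mismatch, compare b with
    # itself and force a failing result, so the loop count does not
    # depend on the length of a.
    same_len = len(a) == len(b)
    left = a if same_len else b
    result = 0 if same_len else 1
    for x, y in zip(left, b):
        result |= x ^ y  # accumulate differences, never break early
    return result == 0


try:
    # Preferred: the implementation shipped with the interpreter.
    from hmac import compare_digest
except ImportError:
    # Only reached on an implementation that lacks hmac.compare_digest.
    compare_digest = py_compare_digest
```
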

