This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ncoghlan
Recipients christian.heimes, fijall, hynek, loewis, ncoghlan, petri.lehtinen, pitrou, python-dev
Date 2012-06-15.12:16:10
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1339762571.55.0.30282178743.issue15061@psf.upfronthosting.co.za>
In-reply-to
Content
OK, the worst aspects (the misleading name and documentation) have been dealt with, so that leaves the questions of:

1. Avoiding leaking the length information (seems unnecessary, since most digests are part of protocols where they have a known, published length, or you can find out the length by looking at public source code)

2. Providing a C implementation via the operator module (given the restriction to bytes values, and the assumption of caching for all relevant integers, would a C reimplementation really be buying us much additional security?)

As far as restoring unicode support (even in a C implementation) goes, I actually don't like the idea. For the general unicode case, as suggested in the updated documentation for hexdigest(), I believe the better approach is to try to stay in the bytes domain as much as possible, and avoid having a Unicode->bytes conversion for the expected value anywhere in the comparison timing path.
History
Date User Action Args
2012-06-15 12:16:11ncoghlansetrecipients: + ncoghlan, loewis, pitrou, christian.heimes, fijall, python-dev, petri.lehtinen, hynek
2012-06-15 12:16:11ncoghlansetmessageid: <1339762571.55.0.30282178743.issue15061@psf.upfronthosting.co.za>
2012-06-15 12:16:10ncoghlanlinkissue15061 messages
2012-06-15 12:16:10ncoghlancreate