
Author christian.heimes
Recipients Jon.Oberheide, alex, christian.heimes, fijall, georg.brandl, hynek, loewis, ncoghlan, petri.lehtinen, pitrou, python-dev, serhiy.storchaka
Date 2012-06-21.22:40:28
Message-id <1340318434.96.0.298431922884.issue15061@psf.upfronthosting.co.za>
In-reply-to
Content
I'm a bit rusty and I hope I got it right. The ASCII unicode case is a good idea and IMO timing safe. The buffer path is also timing safe once I have both views. 

The function leaks some timing information when an error occurs. Since the timing just reveals minimal information about the involved types and none about the bytes, it's IMO safe. The acquiring of the buffer views may leak an unknown amount of timing data which may be an issue. The comparison is still safe.

I've introduced a new module _hashlibfb (fb = fallback) for systems without OpenSSL. I'm also open to a completely new module for future implementation of other digest, key derivation (PBKDF2) and password-related C code.
History
Date User Action Args
2012-06-21 22:40:35 christian.heimes set recipients: + christian.heimes, loewis, georg.brandl, ncoghlan, pitrou, alex, fijall, python-dev, petri.lehtinen, hynek, serhiy.storchaka, Jon.Oberheide
2012-06-21 22:40:34 christian.heimes set messageid: <1340318434.96.0.298431922884.issue15061@psf.upfronthosting.co.za>
2012-06-21 22:40:34 christian.heimes link issue15061 messages
2012-06-21 22:40:33 christian.heimes create
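
The structure the message describes, as a C example added here (not the code from the attached patch or from CPython): type checks may return early because they reveal only the kinds involved, while the byte loop never exits early. The names `struct value`, `ct_equal` and `secure_compare` are hypothetical, and rejecting mixed str/bytes input is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the input kinds the message mentions. */
enum kind { KIND_ASCII_STR, KIND_BYTES, KIND_OTHER };
struct value { enum kind kind; const unsigned char *data; size_t len; };

/* Compare in time that depends only on len_b, never on the position of
 * the first differing byte. Returns 1 if equal, 0 otherwise. */
static int ct_equal(const unsigned char *a, size_t len_a,
                    const unsigned char *b, size_t len_b)
{
    /* On a length mismatch, compare b with itself so the loop still runs
     * len_b iterations; result is pre-set to "different". */
    const volatile unsigned char *left = (len_a == len_b) ? a : b;
    const volatile unsigned char *right = b;
    unsigned char result = (len_a == len_b) ? 0 : 1;
    size_t i;

    for (i = 0; i < len_b; i++)
        result |= left[i] ^ right[i];   /* accumulate, no early exit */
    return result == 0;
}

/* Returns 1 if equal, 0 if not, -1 on a type error. The early returns
 * happen before any byte is read, so their timing reveals only which
 * kinds were passed in, nothing about the contents. */
int secure_compare(const struct value *a, const struct value *b)
{
    if (a->kind == KIND_OTHER || b->kind == KIND_OTHER)
        return -1;
    if (a->kind != b->kind)   /* assumption: str vs bytes is rejected */
        return -1;
    return ct_equal(a->data, a->len, b->data, b->len);
}

int main(void)
{
    /* Constructed sample values, not real digests. */
    struct value good = { KIND_BYTES, (const unsigned char *)"deadbeef", 8 };
    struct value bad  = { KIND_BYTES, (const unsigned char *)"deadbeee", 8 };
    struct value text = { KIND_ASCII_STR, (const unsigned char *)"deadbeef", 8 };
    printf("%d %d %d\n", secure_compare(&good, &good),
           secure_compare(&good, &bad), secure_compare(&good, &text));
    return 0;
}
```

The length check inside `ct_equal` still distinguishes equal-length from unequal-length inputs, so callers should compare fixed-length values such as digests.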