pinterest / pinball

Pinball is a scalable workflow manager
Apache License 2.0
1.05k stars 130 forks

Use hmac.compare_digest() #85

Closed EdOverflow closed 7 years ago

EdOverflow commented 7 years ago

Since all checks have passed, can we merge this PR?

jparise commented 7 years ago

@EdOverflow, because this function was introduced in Python 2.7.7, could you add a little bit of fallback logic? For example:

try:
    from hmac import compare_digest
except ImportError:
    def compare_digest(a, b):
        return a == b

EdOverflow commented 7 years ago

Good idea @jparise! The only thing I want to do a bit differently is make sure that the fallback is also a constant time comparison:

try:
    from hmac import compare_digest
except ImportError:
    def compare_digest(a, b):
        if len(a) != len(b):
            return False
        result = 0
        for x, y in zip(a, b):
            result |= ord(x) ^ ord(y)
        return result == 0

jparise commented 7 years ago

Thanks @EdOverflow!
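
The fallback discussed in this thread, exercised in an HMAC tag check and compared against `hmac.compare_digest()`. This is an added example, not code from the pull request or from Pinball; the key, message, and the helper names `fallback_compare_digest`, `sign`, `verify` and `agreement` are assumptions made for illustration. A pure-Python loop is a best-effort constant-time comparison, since the interpreter gives no timing guarantee.

```python
import hashlib
import hmac


def fallback_compare_digest(a, b):
    """Pure-Python comparison in the style of the fallback proposed in the thread.

    bytearray() makes iteration yield ints for both Python 2 str and
    Python 3 bytes, so ord() is not needed (a change made for this example).
    """
    a, b = bytearray(a), bytearray(b)
    if len(a) != len(b):
        return False  # the length of a fixed-size MAC tag is not secret
    result = 0
    for x, y in zip(a, b):
        result |= x ^ y  # accumulate differences, never exit early
    return result == 0


def sign(key, message):
    """Return the hex HMAC-SHA256 tag of message as bytes."""
    return hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")


def verify(key, message, tag, compare=hmac.compare_digest):
    """Recompute the tag and compare it with the supplied comparison function."""
    return compare(sign(key, message), tag)


# Constructed sample values, not taken from Pinball.
KEY = b"example-key-not-a-real-secret"
MESSAGE = b"job=example_workflow&action=run"
GOOD_TAG = sign(KEY, MESSAGE)
BAD_LAST = GOOD_TAG[:-1] + (b"0" if GOOD_TAG[-1:] != b"0" else b"1")
BAD_FIRST = (b"0" if GOOD_TAG[:1] != b"0" else b"1") + GOOD_TAG[1:]


def agreement():
    """True when the fallback and hmac.compare_digest agree on every case."""
    cases = [GOOD_TAG, BAD_LAST, BAD_FIRST, GOOD_TAG[:-1], b""]
    return all(
        verify(KEY, MESSAGE, t, fallback_compare_digest) == verify(KEY, MESSAGE, t)
        for t in cases
    )


if __name__ == "__main__":
    print("fallback agrees with hmac.compare_digest:", agreement())
```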