@@ -54,11 +54,10 @@ An HMAC object has the following methods:
5454
5555 .. warning ::
5656
57- The output of :meth: `hexdigest ` should not be compared directly to an
58- externally-supplied digest during a verification routine. Instead, the
59- externally supplied digest should be converted to a :class: `bytes `
60- value and compared to the output of :meth: `digest ` with
61- :func: `compare_digest `.
57+ When comparing the output of :meth: `hexdigest ` to an externally-supplied
58+ digest during a verification routine, it is recommended to use the
59+ :func: `compare_digest ` function instead of the ``== `` operator
60+ to reduce the vulnerability to timing attacks.
6261
6362
6463.. method :: HMAC.copy()
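Review bot: the rewritten warning (new lines 57-60) softens the removed "should not be compared directly" to "it is recommended", and it no longer tells the reader what form the externally-supplied digest must take. Since the helper's own entry requires both arguments to be the same type, with str limited to ASCII, I would state the requirement directly, for example "use :func:`compare_digest` instead of the ``==`` operator", and add that the supplied value must be an ASCII-only str when comparing against hexdigest output. The removed text also steered callers toward comparing bytes from digest(); if that path is still preferred, it needs a sentence here, because the new wording only mentions hexdigest.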
@@ -72,11 +71,11 @@ This module also provides the following helper function:
7271.. function :: compare_digest(a, b)
7372
7473 Return ``a == b ``. This function uses an approach designed to prevent timing
75- analysis by avoiding content based short circuiting behaviour. The inputs
76- must either both support the buffer protocol (e.g. :class: ` bytes ` and
77- :class: ` bytearray ` instances) or be ASCII-only : class: `str ` instances as
78- returned by :meth: `hexdigest `. :class: ` bytes ` and :class: ` str ` instances
79- can't be mixed .
74+ analysis by avoiding content based short circuiting behaviour, making it
75+ appropriate for cryptography. * a * and * b *
76+ must both be of the same type: either : class: `str ` (ASCII only, as e.g.
77+ returned by :meth: `HMAC. hexdigest `), or any type that supports the
78+ :term: ` buffer protocol ` (e.g. :class: ` bytes `) .
8079
8180 Using a short circuiting comparison (that is, one that terminates as soon as
8281 it finds any difference between the values) to check digests for correctness
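Review bot: in the added lines 74-78, "must both be of the same type: either str ..., or any type that supports the buffer protocol" is ambiguous about whether two different buffer types can be compared. The removed text said the inputs must "both support the buffer protocol" and gave bytes and bytearray as examples, which reads as allowing a mix of the two, and it stated outright that bytes and str can't be mixed. Please keep an explicit sentence on the str/bytes restriction, say whether mixing buffer types is accepted, and document what happens when the rule is violated. "Making it appropriate for cryptography" is also broader than what the paragraph supports; something like "appropriate for comparing digests" matches the rest of the entry.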