From 57f3b3fdc5056d85946b2b9ca89e1b8f88cb8ff8 Mon Sep 17 00:00:00 2001
From: Predrag Gruevski
Date: Mon, 21 Sep 2015 18:51:47 -0400
Subject: SubjectKeyIdentifier equality now uses constant-time digest comparison.
---
 src/cryptography/x509/extensions.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 803d7ec5..6f3cad6d 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -15,7 +15,7 @@ from pyasn1.type import namedtype, univ
 import six

 from cryptography import utils
-from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import serialization, constant_time
 from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
 from cryptography.x509.name import Name
 from cryptography.x509.oid import (
@@ -193,9 +193,7 @@ class SubjectKeyIdentifier(object):
 if not isinstance(other, SubjectKeyIdentifier):
 return NotImplemented

- return (
- self.digest == other.digest
- )
+ return constant_time.bytes_eq(self.digest, other.digest)

 def __ne__(self, other):
 return not self == other
-- 
cgit v1.2.3
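Review bot: In the first hunk the widened import lists `serialization, constant_time` out of alphabetical order, unlike the sorted names in the neighbouring `general_name` import. Writing it as `from cryptography.hazmat.primitives import constant_time, serialization` keeps the block consistent and avoids an import-order lint failure if the project enforces one.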
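Review bot: In `SubjectKeyIdentifier.__eq__`, `constant_time.bytes_eq` raises `TypeError` when either argument is not `bytes`, so an instance holding any other digest type now makes `==` raise instead of returning a bool. The constructor is outside this hunk (as is the start of `__eq__`), so whether `digest` is type-checked there cannot be confirmed from here; if it is not, validate it at construction or add a test that pins equality for the accepted types. A subject key identifier is carried in the certificate itself, so if consistency rather than secrecy is the intent, a comment such as `# digest is public certificate data; bytes_eq is used for consistency, not secrecy` would stop readers from inferring that this comparison protects a secret.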