> The file is targeted for Objects/stringlib/timingsafe.h.
stringlib is for type-generic functions, so I don't think it should be
put there.
> - I only handle exact byte or unicode types (no subclasses) since a
> user may have overwritten __eq__ and I don't want to special case it.
We could handle all bytes-compatible objects, using the buffer API.
> - The unicode path works only with compact ASCII strings. I'm not
> familiar with the new API so please scream if I did it wrong.
It looks ok to me.
> Where should I place the function? hashlib would be a nice place but
> there are multiple backends for hashlib. _hashopenssl.c seems wrong.
Well, if it's meant to be a private function called from hmac, where
it's defined is an implementation detail. I think practicality beats
purity, so _hashopenssl is a good enough place.