Use hmac compare_digest to check password

2025-03-12 04:35:40 -07:00 · 2021-07-22 17:47:27 -07:00 · 2021-07-22 17:47:27 -07:00 · 3c1417108d
commit 3c1417108d
parent 81ff471149
1 changed files with 2 additions and 6 deletions
--- a/lib/hashing_passwords.py
+++ b/lib/hashing_passwords.py
@ -20,6 +20,7 @@ import hashlib
 from os import urandom
 from base64 import b64encode, b64decode
 from hashlib import pbkdf2_hmac
+from hmac import compare_digest


 # Parameters to PBKDF2. Only affect new passwords.
@ -53,9 +54,4 @@ def check_hash(password, hash_):
    hash_a = b64decode(hash_a.encode('utf-8'))
    hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a))
    assert len(hash_a) == len(hash_b)  # we requested this from pbkdf2_bin()
-    # Same as "return hash_a == hash_b" but takes a constant time.
-    # See http://carlos.bueno.org/2011/10/timing.html
-    diff = 0
-    for char_a, char_b in zip(bytearray(hash_a), bytearray(hash_b)):
-        diff |= char_a ^ char_b
-    return diff == 0
+    return compare_digest(hash_a, hash_b)