mediagoblin-devel


From: ~andrew-dudash
Subject: [PATCH mediagoblin 1/1] Replace authentication hash comparison code to use a constant time string comparison. Docker debian 11 tests are passing.
Date: Tue, 11 Apr 2023 10:16:09 -0400

From: Drew <andrew.dudash@protonmail.com>

Pros:
- The code is shorter.
- The new dependency is part of the standard library.

Cons:
- We're dependent on the standard library implementation of HMAC now. (Should 
be fine?)
---
 mediagoblin/plugins/basic_auth/tools.py | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/mediagoblin/plugins/basic_auth/tools.py 
b/mediagoblin/plugins/basic_auth/tools.py
index 96690379..8dbe2c47 100644
--- a/mediagoblin/plugins/basic_auth/tools.py
+++ b/mediagoblin/plugins/basic_auth/tools.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import bcrypt
 import random
+import hmac
 
 from mediagoblin import mg_globals
 from mediagoblin.tools.crypto import get_timed_signer_url
@@ -45,16 +46,7 @@ def bcrypt_check_password(raw_pass, stored_hash, 
extra_salt=None):
 
     hashed_pass = bcrypt.hashpw(raw_pass, stored_hash)
 
-    # Reduce risk of timing attacks by hashing again with a random
-    # number (thx to zooko on this advice, which I hopefully
-    # incorporated right.)
-    #
-    # See also:
-    rand_salt = bcrypt.gensalt(5)
-    randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
-    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
-
-    return randplus_stored_hash == randplus_hashed_pass
+    return hmac.compare_digest(hashed_pass, stored_pass)
 
 
 def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
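
Review bot: The added return line compares against `stored_pass`, but the function signature in the hunk header names the parameter `stored_hash`, and nothing in the visible lines defines `stored_pass`, so as written this raises NameError on every password check instead of returning a result. It should read `return hmac.compare_digest(hashed_pass, stored_hash)`. Also confirm that `hashed_pass` and `stored_hash` have the same type at this point: `hmac.compare_digest` accepts two bytes-like objects or two ASCII-only str values and raises TypeError on a mix, whereas the old `==` simply returned False. A test that exercises both a matching and a non-matching password through this function would catch both problems. Minor: the commit message says the code now depends on the standard library's HMAC implementation, but `compare_digest` only performs a constant-time comparison and computes no HMAC, so the wording could be tightened.
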
-- 
2.38.4


