indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Avoid providing password hash match timing clues

merge-requests/30/head
Bob Mottram 2020-09-03 19:13:29 +01:00
parent 6568be91ff
commit 7e87bbe2aa
2 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
auth.py
View File

@ -10,6 +10,7 @@ import base64
import hashlib import hashlib
import binascii import binascii
import os import os
import secrets
def hashPassword(password: str) -> str: def hashPassword(password: str) -> str:
@ -32,6 +33,7 @@ def getPasswordHash(salt: str, providedPassword: str) -> str:
100000) 100000)
return binascii.hexlify(pwdhash).decode('ascii') return binascii.hexlify(pwdhash).decode('ascii')
def verifyPassword(storedPassword: str, providedPassword: str) -> bool: def verifyPassword(storedPassword: str, providedPassword: str) -> bool:
"""Verify a stored password against one provided by user """Verify a stored password against one provided by user
""" """
@ -54,6 +56,10 @@ def verifyPassword(storedPassword: str, providedPassword: str) -> bool:
for ch in pwHash: for ch in pwHash:
if ch != storedPassword[ctr]: if ch != storedPassword[ctr]:
matched = False matched = False
else:
# this is to make the timing more even
# and not provide clues
matched = matched
ctr += 1 ctr += 1
return matched return matched

1
tests.py
View File

@ -2084,6 +2084,7 @@ def testTranslations():
print(englishStr + ' is missing from ' + lang + '.json') print(englishStr + ' is missing from ' + lang + '.json')
assert langJson.get(englishStr) assert langJson.get(englishStr)
def runAllTests(): def runAllTests():
print('Running tests...') print('Running tests...')
testTranslations() testTranslations()