Avoid providing password hash match timing clues

2020-09-03 19:13:29 +01:00 · 2020-09-03 19:13:29 +01:00 · 7e87bbe2aa
parent 6568be91ff
commit 7e87bbe2aa
2 changed files with 7 additions and 0 deletions
--- a/auth.py
+++ b/auth.py
@ -10,6 +10,7 @@ import base64
 import hashlib
 import binascii
 import os
+import secrets


 def hashPassword(password: str) -> str:
@ -32,6 +33,7 @@ def getPasswordHash(salt: str, providedPassword: str) -> str:
                                  100000)
    return binascii.hexlify(pwdhash).decode('ascii')

+
 def verifyPassword(storedPassword: str, providedPassword: str) -> bool:
    """Verify a stored password against one provided by user
    """
@ -54,6 +56,10 @@ def verifyPassword(storedPassword: str, providedPassword: str) -> bool:
    for ch in pwHash:
        if ch != storedPassword[ctr]:
            matched = False
+        else:
+            # this is to make the timing more even
+            # and not provide clues
+            matched = matched
        ctr += 1
    return matched

--- a/tests.py
+++ b/tests.py
@ -2084,6 +2084,7 @@ def testTranslations():
                print(englishStr + ' is missing from ' + lang + '.json')
            assert langJson.get(englishStr)

+
 def runAllTests():
    print('Running tests...')
    testTranslations()