From 600e9a16f17a143e89e1fcebf31f0100e27528e1 Mon Sep 17 00:00:00 2001
From: sand <sand@autistici.org>
Date: Sat, 19 Apr 2014 13:12:45 +0200
Subject: [PATCH] use a constant-time comparison function to check user
 passwords

---
 authserv/auth.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/authserv/auth.py b/authserv/auth.py
index f62993a..904631e 100644
--- a/authserv/auth.py
+++ b/authserv/auth.py
@@ -1,10 +1,11 @@
 import crypt
+from werkzeug.security import safe_str_cmp
 from authserv.oath import accept_totp
 from authserv import protocol
 
 
 def _check_main_password(userpw, password):
-    if crypt.crypt(password, userpw) == userpw:
+    if safe_str_cmp(crypt.crypt(password, userpw), userpw):
         return protocol.OK
     else:
         return protocol.ERR_AUTHENTICATION_FAILURE
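Review bot: The rewritten `if` still feeds whatever `crypt.crypt` returns straight into `safe_str_cmp`, and when the stored value in `userpw` is empty or uses a hash format the platform's crypt does not support, `crypt.crypt` can come back as `None` (or raise, depending on the Python and libc version), so `safe_str_cmp` would then raise `TypeError` instead of the function returning `ERR_AUTHENTICATION_FAILURE`. I would bind the result and reject a falsy value before comparing: `hashed = crypt.crypt(password, userpw)` / `if hashed and safe_str_cmp(hashed, userpw):`. The constant-time comparison itself is the right fix, but `safe_str_cmp` is a third-party helper imported only for this purpose and was later removed from Werkzeug (2.1); `hmac.compare_digest` in the standard library (Python 2.7.7+/3.3+) is the drop-in replacement, so a `# TODO: switch to hmac.compare_digest once the minimum Python version allows` next to the import would record that.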
@@ -12,7 +13,7 @@ def _check_main_password(userpw, password):
 
 def _check_app_specific_password(asps, password):
     for app_pw in asps:
-        if crypt.crypt(password, app_pw) == app_pw:
+        if safe_str_cmp(crypt.crypt(password, app_pw), app_pw):
             return protocol.OK
     return protocol.ERR_AUTHENTICATION_FAILURE
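Review bot: The `return protocol.OK` inside the loop still makes the response time depend on which entry of `asps` matched, since every earlier entry costs a full `crypt.crypt` call before the match is found; the constant-time comparison hides the per-hash byte-position difference but not the index of the matching password. If that is considered sensitive (presumably `asps` is a list of stored hashes, one per app-specific password), evaluate every entry and fold the results: `matched = False` / `for app_pw in asps: matched |= bool(safe_str_cmp(crypt.crypt(password, app_pw), app_pw))` / `return protocol.OK if matched else protocol.ERR_AUTHENTICATION_FAILURE`. Each iteration also passes `crypt.crypt`'s result unchecked into `safe_str_cmp`, so an empty or unsupported stored hash that makes `crypt.crypt` return `None` turns into a `TypeError` rather than a failed authentication; guarding the result with `if hashed and ...` avoids that.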
 
-- 
GitLab