use a constant-time comparison function to check user passwords

600e9a16 · sand · 4b349a40 · 600e9a16
Commit 600e9a16 authored 11 years ago by sand
--- a/authserv/auth.py
+++ b/authserv/auth.py
 import crypt
+from werkzeug.security import safe_str_cmp
 from authserv.oath import accept_totp
 from authserv import protocol


 def _check_main_password(userpw, password):
-    if crypt.crypt(password, userpw) == userpw:
+    if safe_str_cmp(crypt.crypt(password, userpw), userpw):
        return protocol.OK
    else:
        return protocol.ERR_AUTHENTICATION_FAILURE
@@ -12,7 +13,7 @@ def _check_main_password(userpw, password):

 def _check_app_specific_password(asps, password):
    for app_pw in asps:
-        if crypt.crypt(password, app_pw) == app_pw:
+        if safe_str_cmp(crypt.crypt(password, app_pw), app_pw):
            return protocol.OK
    return protocol.ERR_AUTHENTICATION_FAILURE