From 3c1417108d92e207e0d6b3d7cb6d046f201e3463 Mon Sep 17 00:00:00 2001
From: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>
Date: Thu, 22 Jul 2021 17:47:27 -0700
Subject: [PATCH] Use hmac compare_digest to check password

---
 lib/hashing_passwords.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/lib/hashing_passwords.py b/lib/hashing_passwords.py
index 93ae5e12..4540db75 100644
--- a/lib/hashing_passwords.py
+++ b/lib/hashing_passwords.py
@@ -20,6 +20,7 @@ import hashlib
 from os import urandom
 from base64 import b64encode, b64decode
 from hashlib import pbkdf2_hmac
+from hmac import compare_digest
 
 
 # Parameters to PBKDF2. Only affect new passwords.
@@ -53,9 +54,4 @@ def check_hash(password, hash_):
     hash_a = b64decode(hash_a.encode('utf-8'))
     hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a))
     assert len(hash_a) == len(hash_b)  # we requested this from pbkdf2_bin()
-    # Same as "return hash_a == hash_b" but takes a constant time.
-    # See http://carlos.bueno.org/2011/10/timing.html
-    diff = 0
-    for char_a, char_b in zip(bytearray(hash_a), bytearray(hash_b)):
-        diff |= char_a ^ char_b
-    return diff == 0
+    return compare_digest(hash_a, hash_b)
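Review bot: The `assert len(hash_a) == len(hash_b)` context line directly above the new `return compare_digest(hash_a, hash_b)` is now redundant, and it is stripped under `python -O`; compare_digest already returns False when the two lengths differ, and the length of hash_b is derived from hash_a in the pbkdf2_hmac call, so the assert can be dropped, or, if a malformed stored hash is meant to be an error rather than a failed check, replaced with an explicit `raise ValueError("stored hash length mismatch")` instead of letting a verification function raise AssertionError. The removed comment explaining why a constant-time comparison is used should survive in one line above the return, e.g. `# Constant-time comparison; compare_digest also handles differing lengths safely.`. The signature of check_hash and the parsing of hash_ into hash_function, cost_factor and salt lie outside the hunk, so the types of those values are assumed from their use here.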