github/plexpy
1
0
Fork 0
mirror of https://github.com/Tautulli/Tautulli.git synced 2025-08-13 18:16:57 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Use hmac compare_digest to check password

Browse source
This commit is contained in:
JonnyWong16 2021-07-22 17:47:27 -07:00
commit 3c1417108d
No known key found for this signature in database
GPG key ID: B1F1F9807184697A
1 changed files with 2 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
lib/hashing_passwords.py
View file

@ -20,6 +20,7 @@ import hashlib
from os import urandom from os import urandom
from base64 import b64encode, b64decode from base64 import b64encode, b64decode
from hashlib import pbkdf2_hmac from hashlib import pbkdf2_hmac
from hmac import compare_digest
# Parameters to PBKDF2. Only affect new passwords. # Parameters to PBKDF2. Only affect new passwords.
@ -53,9 +54,4 @@ def check_hash(password, hash_):
hash_a = b64decode(hash_a.encode('utf-8')) hash_a = b64decode(hash_a.encode('utf-8'))
hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a)) hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a))
assert len(hash_a) == len(hash_b) # we requested this from pbkdf2_bin() assert len(hash_a) == len(hash_b) # we requested this from pbkdf2_bin()
# Same as "return hash_a == hash_b" but takes a constant time. return compare_digest(hash_a, hash_b)
# See http://carlos.bueno.org/2011/10/timing.html
diff = 0
for char_a, char_b in zip(bytearray(hash_a), bytearray(hash_b)):
diff |= char_a ^ char_b
return diff == 0