Merge pull request #1 from tilgovi/passwordtiming

Prevent timing attacks on passwords
Pylons · May 7, 2014 · fd56ccb · fd56ccb
2 parents a730a72 + 29c81d1
commit fd56ccb
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/horus/flows/local/services.py b/horus/flows/local/services.py
@@ -4,6 +4,24 @@
 )
 
 
+try:
+    from hmac import compare_digest as is_equal
+except ImportError:
+    def is_equal(lhs, rhs):
+        """Returns True if the two strings are equal, False otherwise.
+
+        The comparison is based on a common implementation found in Django.
+        This version avoids a short-circuit even for unequal lengths to reveal
+        as little as possible. It takes time proportional to the length of its
+        second argument.
+        """
+        result = 0 if len(lhs) == len(rhs) else 1
+        lhs = lhs.ljust(len(rhs))
+        for x, y in zip(lhs, rhs):
+            result |= ord(x) ^ ord(y)
+        return result == 0
+
+
 class AuthenticationService(object):
     def __init__(self, backend):
         self.backend = backend
@@ -22,7 +40,7 @@ def login(self, login, password):
 
         if (
             user is None or
-            user.password != password
+            is_equal(user.password, password) is False
         ):
             raise AuthenticationException()