Remove constant_time_compare util

davegaeddert · davegaeddert · commit 55f3f5596d3e · 2025-09-15T14:49:46.000-05:00
diff --git a/plain-auth/plain/auth/sessions.py b/plain-auth/plain/auth/sessions.py
@@ -1,7 +1,10 @@
+import hmac
+
 from plain.exceptions import ImproperlyConfigured
 from plain.models import models_registry
 from plain.runtime import settings
-from plain.utils.crypto import constant_time_compare, salted_hmac
+from plain.utils.crypto import salted_hmac
+from plain.utils.encoding import force_bytes
 
 USER_ID_SESSION_KEY = "_auth_user_id"
 USER_HASH_SESSION_KEY = "_auth_user_hash"
@@ -60,8 +63,9 @@ def login(request, user):
             # session if the existing session corresponds to a different
             # authenticated user.
             request.session.flush()
-        elif session_auth_hash and not constant_time_compare(
-            request.session.get(USER_HASH_SESSION_KEY, ""), session_auth_hash
+        elif session_auth_hash and not hmac.compare_digest(
+            force_bytes(request.session.get(USER_HASH_SESSION_KEY, "")),
+            force_bytes(session_auth_hash),
         ):
             # If the session hash does not match the current hash, reset the
             # session. Most likely this means the password was changed.
@@ -131,15 +135,17 @@ def get_user(request):
             session_hash_verified = False
         else:
             session_auth_hash = get_session_auth_hash(user)
-            session_hash_verified = constant_time_compare(
-                session_hash, session_auth_hash
+            session_hash_verified = hmac.compare_digest(
+                force_bytes(session_hash), force_bytes(session_auth_hash)
             )
         if not session_hash_verified:
             # If the current secret does not verify the session, try
             # with the fallback secrets and stop when a matching one is
             # found.
             if session_hash and any(
-                constant_time_compare(session_hash, fallback_auth_hash)
+                hmac.compare_digest(
+                    force_bytes(session_hash), force_bytes(fallback_auth_hash)
+                )
                 for fallback_auth_hash in get_session_auth_fallback_hash(user)
             ):
                 request.session.cycle_key()
diff --git a/plain-passwords/plain/passwords/hashers.py b/plain-passwords/plain/passwords/hashers.py
@@ -2,6 +2,7 @@
 import binascii
 import functools
 import hashlib
+import hmac
 import importlib
 import math
 import warnings
@@ -10,10 +11,10 @@
 from plain.runtime import settings
 from plain.utils.crypto import (
     RANDOM_STRING_CHARS,
-    constant_time_compare,
     get_random_string,
     pbkdf2,
 )
+from plain.utils.encoding import force_bytes
 from plain.utils.module_loading import import_string
 
 
@@ -289,7 +290,7 @@ def decode(self, encoded):
     def verify(self, password, encoded):
         decoded = self.decode(encoded)
         encoded_2 = self.encode(password, decoded["salt"], decoded["iterations"])
-        return constant_time_compare(encoded, encoded_2)
+        return hmac.compare_digest(force_bytes(encoded), force_bytes(encoded_2))
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
@@ -472,7 +473,7 @@ def verify(self, password, encoded):
         algorithm, data = encoded.split("$", 1)
         assert algorithm == self.algorithm
         encoded_2 = self.encode(password, data.encode("ascii"))
-        return constant_time_compare(encoded, encoded_2)
+        return hmac.compare_digest(force_bytes(encoded), force_bytes(encoded_2))
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
@@ -567,7 +568,7 @@ def verify(self, password, encoded):
             decoded["block_size"],
             decoded["parallelism"],
         )
-        return constant_time_compare(encoded, encoded_2)
+        return hmac.compare_digest(force_bytes(encoded), force_bytes(encoded_2))
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
diff --git a/plain-passwords/plain/passwords/views.py b/plain-passwords/plain/passwords/views.py
@@ -1,3 +1,4 @@
+import hmac
 from datetime import datetime
 
 from plain import signing
@@ -10,7 +11,7 @@
 )
 from plain.urls import reverse
 from plain.utils.cache import add_never_cache_headers
-from plain.utils.crypto import constant_time_compare
+from plain.utils.encoding import force_bytes
 from plain.views import CreateView, FormView
 
 from .forms import (
@@ -73,11 +74,13 @@ def check_password_reset_token(self, token):
 
         # If the password has changed since the token was generated, the token is invalid.
         # (These are the hashed passwords, not the raw passwords.)
-        if not constant_time_compare(user.password, data["password"]):
+        if not hmac.compare_digest(
+            force_bytes(user.password), force_bytes(data["password"])
+        ):
             return
 
         # If the email has changed since the token was generated, the token is invalid.
-        if not constant_time_compare(user.email, data["email"]):
+        if not hmac.compare_digest(force_bytes(user.email), force_bytes(data["email"])):
             return
 
         return user
diff --git a/plain/plain/signing.py b/plain/plain/signing.py
@@ -35,12 +35,14 @@
 
 import base64
 import datetime
+import hmac
 import json
 import time
 import zlib
 
 from plain.runtime import settings
-from plain.utils.crypto import constant_time_compare, salted_hmac
+from plain.utils.crypto import salted_hmac
+from plain.utils.encoding import force_bytes
 from plain.utils.regex_helper import _lazy_re_compile
 
 _SEP_UNSAFE = _lazy_re_compile(r"^[A-z0-9-_=]*$")
@@ -196,7 +198,9 @@ def unsign(self, signed_value):
             raise BadSignature(f'No "{self.sep}" found in value')
         value, sig = signed_value.rsplit(self.sep, 1)
         for key in [self.key, *self.fallback_keys]:
-            if constant_time_compare(sig, self.signature(value, key)):
+            if hmac.compare_digest(
+                force_bytes(sig), force_bytes(self.signature(value, key))
+            ):
                 return value
         raise BadSignature(f'Signature "{sig}" does not match')
 
diff --git a/plain/plain/utils/crypto.py b/plain/plain/utils/crypto.py
@@ -62,11 +62,6 @@ def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS):
     return "".join(secrets.choice(allowed_chars) for i in range(length))
 
 
-def constant_time_compare(val1, val2):
-    """Return True if the two strings are equal, False otherwise."""
-    return secrets.compare_digest(force_bytes(val1), force_bytes(val2))
-
-
 def pbkdf2(password, salt, iterations, dklen=0, digest=None):
     """Return the hash of password using pbkdf2."""
     if digest is None:
