Commits

Russell Hay committed 1a61a11

Hardening against timing attacks. Password comparisons are now constant time.

Comments (0)

Files changed (2)

 *.pyc
 dist
 docs/_build
+.idea/
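Review bot: the `.idea/` ignore rule is unrelated to the timing-attack hardening described in the commit message and is editor-specific; consider moving it to a personal global excludes file (`git config --global core.excludesfile`) or at least splitting it into its own commit so the security change stays reviewable on its own.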
 
         actual = self._generate_hash(salt, value)
 
-        if throw and actual != expected:
+        comparison = [ord(a) ^ ord(b) for a,b in zip(actual,expected)]
+        valid_password = sum(comparison) == 0
+
+        if throw and not valid_password:
             raise InvalidPasswordError()
 
-        return actual == expected
+        return valid_password
 
     def _generate_hash(self, salt, value):
         hash_string = "{salt};{value}".format(salt=salt, value=value)
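Review bot: the length check is missing: `zip(actual, expected)` stops at the shorter of the two strings, so when `expected` is a prefix of `actual` (including an empty `expected`) the comprehension produces no non-zero terms, `sum(comparison) == 0` holds and `valid_password` is True. Either add `len(actual) == len(expected)` to the condition, or replace the three lines `comparison = [ord(a) ^ ord(b) for a,b in zip(actual,expected)]` / `valid_password = sum(comparison) == 0` with `valid_password = hmac.compare_digest(actual, expected)` from the standard library, which performs the length check and the constant-time comparison for you and avoids relying on the timing profile of a Python list comprehension. A short docstring on the comparison stating that it is intentionally not a plain `==` would also help prevent a future "simplification" from reintroducing the leak.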