From 5066e97c66cb0fc11a94646b719a660c0b8909d8 Mon Sep 17 00:00:00 2001
From: Guillaume Ayoub
Date: Tue, 23 May 2017 16:55:43 +0200
Subject: [PATCH] Always compare both login and password to avoid timing attacks

Related to #591.
---
 radicale/auth.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/radicale/auth.py b/radicale/auth.py
index 0d5a925..210225b 100644
--- a/radicale/auth.py
+++ b/radicale/auth.py
@@ -194,6 +194,10 @@ class Auth(BaseAuth):
 line = line.strip()
 if line:
 login, hash_value = line.split(":")
- if login == user and self.verify(hash_value, password):
+ # Always compare both login and password to avoid timing
+ # attacks, see #591.
+ login_ok = hmac.compare_digest(login, user)
+ password_ok = self.verify(hash_value, password)
+ if login_ok + password_ok == 2:
 return True
 return False
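Review bot: `hmac.compare_digest(login, user)` on the new `login_ok` line raises `TypeError` when either `str` argument contains a non-ASCII character, so a login name from the htpasswd file or a client-supplied `user` outside ASCII turns into an unhandled exception instead of an authentication failure; comparing the UTF-8 encodings avoids that, `login_ok = hmac.compare_digest(login.encode("utf-8"), user.encode("utf-8"))`. The `login_ok + password_ok == 2` test relies on bool arithmetic and reads as a mistake; `if login_ok & password_ok:` keeps both operands evaluated without short-circuiting and says what is meant. The diffstat shows no other insertions, so `hmac` is presumably already imported at the top of the module — worth confirming, since that line is outside the hunk, as is the start of the enclosing method and its loop header.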