SCRAM doesn't need constant_time_compare, nonces prevent replay (scram.py)

2019-02-12 23:47:24 +00:00 · 2019-02-12 23:47:24 +00:00 · ac958384fe
commit ac958384fe
parent 62d2449958
1 changed files with 1 additions and 2 deletions
--- a/modules/sasl/scram.py
+++ b/modules/sasl/scram.py
@ -1,5 +1,4 @@
 import base64, enum, hashlib, hmac, os, typing
-from src import utils

 # IANA Hash Function Textual Names
 # https://tools.ietf.org/html/rfc5802#section-4
@ -102,7 +101,7 @@ class SCRAM(object):
        server_key = self._hmac(self._salted_password, b"Server Key")
        server_signature = self._hmac(server_key, self._auth_message)

-        if utils.security.constant_time_compare(server_signature, verifier):
+        if server_signature == verifier:
            self.state = SCRAMState.Success
            return True
        else: