SCRAM doesn't need constant_time_compare, nonces prevent replay (scram.py)

This commit is contained in:
jesopo 2019-02-12 23:47:24 +00:00
parent 62d2449958
commit ac958384fe

View file

@ -1,5 +1,4 @@
import base64, enum, hashlib, hmac, os, typing import base64, enum, hashlib, hmac, os, typing
from src import utils
# IANA Hash Function Textual Names # IANA Hash Function Textual Names
# https://tools.ietf.org/html/rfc5802#section-4 # https://tools.ietf.org/html/rfc5802#section-4
@ -102,7 +101,7 @@ class SCRAM(object):
server_key = self._hmac(self._salted_password, b"Server Key") server_key = self._hmac(self._salted_password, b"Server Key")
server_signature = self._hmac(server_key, self._auth_message) server_signature = self._hmac(server_key, self._auth_message)
if utils.security.constant_time_compare(server_signature, verifier): if server_signature == verifier:
self.state = SCRAMState.Success self.state = SCRAMState.Success
return True return True
else: else: