Commit a2ca869a authored by Julian's avatar Julian

Verify 2FA recovery codes and TOTP codes in constant-time

parent d73c319f
Branches v1.0.x
Tags v1.0.2
......@@ -61,7 +61,7 @@ class RecoveryCodeMethod(MFAMethod):
def verify(self, code):
code = code.replace(' ', '').lower()
return crypt.crypt(code, self.code_hash) == self.code_hash
return secrets.compare_digest(crypt.crypt(code, self.code_hash), self.code_hash)
def _hotp(counter, key, digits=6):
'''Generates HMAC-based one-time password according to RFC4226
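Review bot: The new `secrets.compare_digest` call on the `return` line is only safe if `crypt.crypt` always yields a str; on some Python versions it returns `None` when the salt format in `self.code_hash` is not supported by the platform's crypt(3), and on others it raises `OSError`, so a malformed or legacy stored hash would turn into a `TypeError`/`OSError` instead of a clean `False`. Consider guarding the result before comparing, e.g. `computed = crypt.crypt(code, self.code_hash)` and `return computed is not None and secrets.compare_digest(computed, self.code_hash)`. Separately, the `crypt` module is deprecated since Python 3.11 and removed in 3.13, so this path will need a different hashing backend eventually; a `# TODO: crypt is removed in Python 3.13` comment here would flag that for maintainers. The rest of `verify` and `_hotp` lie outside this hunk.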
......@@ -122,8 +122,9 @@ class TOTPMethod(MFAMethod):
:returns: True if code is valid, False otherwise'''
counter = int(time.time()/30)
if _hotp(counter-1, self.raw_key) == code or _hotp(counter, self.raw_key) == code:
return True
for valid_code in [_hotp(counter-1, self.raw_key), _hotp(counter, self.raw_key)]:
if secrets.compare_digest(code, valid_code):
return True
return False
class WebauthnMethod(MFAMethod):
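Review bot: `secrets.compare_digest(code, valid_code)` on the new `if` line requires both arguments to be ASCII-only str (or both bytes); `code` is caller-supplied, so a value containing non-ASCII characters, or a non-str value, now raises `TypeError` where the old `==` simply returned `False`. Comparing the UTF-8 encodings avoids that, e.g. `if secrets.compare_digest(code.encode('utf-8'), valid_code.encode('utf-8')):`, or reject non-ASCII input up front and return `False`. The note assumes `_hotp` returns a str, which its definition in the first hunk suggests but does not show; the enclosing `verify` method starts outside this hunk.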