Now checking the hashes in constant time

Cargo.lock

@@ -473,6 +473,7 @@ dependencies = [
  "scrypt",
  "sea-orm",
  "sha2",
+ "subtle",
  "thiserror",
 ]
 

cryptography/Cargo.toml

@@ -16,3 +16,4 @@ rand = { version = "0.8.5", default-features = false, features = ["std_rng"] }
 sea-orm = "0.11.3"
 bitflags = "2.3.1"
 arrayvec = "0.7.2"
+subtle = "2.5.0"

cryptography/src/master_pass.rs

@@ -2,6 +2,7 @@ use entity::master_pass;
 use rand::{rngs::OsRng, RngCore};
 use scrypt::{scrypt, Params};
 use sea_orm::ActiveValue::Set;
+use subtle::ConstantTimeEq;
 
 /// Hashes the password with Scrypt with the given salt
 #[inline]
@@ -21,7 +22,7 @@ impl VerifyMasterPassExt for master_pass::Model {
     #[inline]
     fn verify(&self, password: &str) -> bool {
         let hashed = hash_password(password.as_bytes(), &self.salt);
-        hashed == self.password_hash.as_slice()
+        hashed.ct_eq(&self.password_hash).into()
     }
 }