From c8c7ba154a2445f3d62fdaac659121a3896868ea Mon Sep 17 00:00:00 2001
From: StNicolay <stnicolay2007@mail.ru>
Date: Tue, 6 Jun 2023 20:04:39 +0300
Subject: [PATCH] Now checking the hashes in constant time

---
 Cargo.lock                      | 1 +
 cryptography/Cargo.toml         | 1 +
 cryptography/src/master_pass.rs | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Cargo.lock b/Cargo.lock
index 55a167d..300caa5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -473,6 +473,7 @@ dependencies = [
  "scrypt",
  "sea-orm",
  "sha2",
+ "subtle",
  "thiserror",
 ]
 
diff --git a/cryptography/Cargo.toml b/cryptography/Cargo.toml
index a02ea15..b4f714d 100644
--- a/cryptography/Cargo.toml
+++ b/cryptography/Cargo.toml
@@ -16,3 +16,4 @@ rand = { version = "0.8.5", default-features = false, features = ["std_rng"] }
 sea-orm = "0.11.3"
 bitflags = "2.3.1"
 arrayvec = "0.7.2"
+subtle = "2.5.0"
diff --git a/cryptography/src/master_pass.rs b/cryptography/src/master_pass.rs
index 6943b3c..01afcf5 100644
--- a/cryptography/src/master_pass.rs
+++ b/cryptography/src/master_pass.rs
@@ -2,6 +2,7 @@ use entity::master_pass;
 use rand::{rngs::OsRng, RngCore};
 use scrypt::{scrypt, Params};
 use sea_orm::ActiveValue::Set;
+use subtle::ConstantTimeEq;
 
 /// Hashes the password with Scrypt with the given salt
 #[inline]
@@ -21,7 +22,7 @@ impl VerifyMasterPassExt for master_pass::Model {
     #[inline]
     fn verify(&self, password: &str) -> bool {
         let hashed = hash_password(password.as_bytes(), &self.salt);
-        hashed == self.password_hash.as_slice()
+        hashed.ct_eq(&self.password_hash).into()
     }
 }