Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."

This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-08-26 13:37:34 +0200
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-08-27 10:50:50 +0200
commit: d0e4dd5cdd743a5c43c4ccc2c8fa29d3982eaa71 (patch)
tree: ed64921a0f27e8df1b5ce69b729d34dfbfc9d815 /django/contrib/auth/hashers.py
parent: c594574175e379fff356e274893d797f6e6a95fa (diff)
1 files changed, 10 insertions, 6 deletions
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index 4767ad560b..4bb518cb89 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -2,7 +2,6 @@ import base64
 import binascii
 import functools
 import hashlib
-import hmac
 import importlib
 import math
 import warnings
@@ -13,7 +12,12 @@ from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
 from django.core.signals import setting_changed
 from django.dispatch import receiver
-from django.utils.crypto import RANDOM_STRING_CHARS, get_random_string, pbkdf2
+from django.utils.crypto import (
+    RANDOM_STRING_CHARS,
+    constant_time_compare,
+    get_random_string,
+    pbkdf2,
+)
 from django.utils.encoding import force_bytes, force_str
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext_noop as _
@@ -345,7 +349,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
     def verify(self, password, encoded):
         decoded = self.decode(encoded)
         encoded_2 = self.encode(password, decoded["salt"], decoded["iterations"])
-        return hmac.compare_digest(encoded, encoded_2)
+        return constant_time_compare(encoded, encoded_2)
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
@@ -529,7 +533,7 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
         algorithm, data = encoded.split("$", 1)
         assert algorithm == self.algorithm
         encoded_2 = self.encode(password, data.encode("ascii"))
-        return hmac.compare_digest(encoded, encoded_2)
+        return constant_time_compare(encoded, encoded_2)
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
@@ -624,7 +628,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
             decoded["block_size"],
             decoded["parallelism"],
         )
-        return hmac.compare_digest(encoded, encoded_2)
+        return constant_time_compare(encoded, encoded_2)
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
@@ -677,7 +681,7 @@ class MD5PasswordHasher(BasePasswordHasher):
     def verify(self, password, encoded):
         decoded = self.decode(encoded)
         encoded_2 = self.encode(password, decoded["salt"])
-        return hmac.compare_digest(encoded, encoded_2)
+        return constant_time_compare(encoded, encoded_2)
 
     def safe_summary(self, encoded):
         decoded = self.decode(encoded)
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-08-26 13:37:34 +0200
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-08-27 10:50:50 +0200
commit	d0e4dd5cdd743a5c43c4ccc2c8fa29d3982eaa71 (patch)
tree	ed64921a0f27e8df1b5ce69b729d34dfbfc9d815 /django/contrib/auth/hashers.py
parent	c594574175e379fff356e274893d797f6e6a95fa (diff)