Merge pull request #2229 from luisa-ball/ELY-2814

[ELY-2814] Update UnixSHACryptPasswordImpl to make use of MessageDigest.isEqual to avoid a potential timing attack
wildfly-security · Oct 5, 2024 · 1887489 · 1887489
2 parents 642b43f + 837fb1a
commit 1887489
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java b/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java
@@ -435,7 +435,7 @@ public boolean equals(final Object obj) {
             return false;
         }
         UnixSHACryptPasswordImpl other = (UnixSHACryptPasswordImpl) obj;
-        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && Arrays.equals(hash, other.hash) && Arrays.equals(salt, other.salt);
+        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && MessageDigest.isEqual(hash, other.hash) && MessageDigest.isEqual(salt, other.salt);
     }
 
     private void readObject(ObjectInputStream ignored) throws NotSerializableException {