ELY-2426: Update UnixMD5CryptPassworldImpl to make use of MessageDige…

…st#isEqual to avoid a potential timing attack
wildfly-security · Oct 18, 2022 · 4abb472 · 4abb472
1 parent 06d5219
commit 4abb472
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/password/impl/src/main/java/org/wildfly/security/password/impl/UnixMD5CryptPasswordImpl.java b/password/impl/src/main/java/org/wildfly/security/password/impl/UnixMD5CryptPasswordImpl.java
@@ -122,7 +122,7 @@ boolean verify(final char[] guess) throws InvalidKeyException {
         } catch (NoSuchAlgorithmException e) {
             throw log.invalidKeyCannotVerifyPassword(e);
         }
-        return Arrays.equals(getHash(), test);
+        return MessageDigest.isEqual(getHash(), test);
     }
 
     @Override
@@ -238,7 +238,7 @@ public boolean equals(final Object obj) {
             return false;
         }
         UnixMD5CryptPasswordImpl other = (UnixMD5CryptPasswordImpl) obj;
-        return Arrays.equals(hash, other.hash) && Arrays.equals(salt, other.salt);
+        return MessageDigest.isEqual(hash, other.hash) && Arrays.equals(salt, other.salt);
     }
 
     private void readObject(ObjectInputStream ignored) throws NotSerializableException {