[ELY-2814] Update UnixSHACryptPasswordImpl to make use of MessageDige…

…st#isEqual to avoid a potential timing attack https://issues.redhat.com/browse/ELY-2814
wildfly-security · Oct 4, 2024 · 837fb1a · 837fb1a
1 parent bb6f7eb
commit 837fb1a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java b/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java
@@ -435,7 +435,7 @@ public boolean equals(final Object obj) {
             return false;
         }
         UnixSHACryptPasswordImpl other = (UnixSHACryptPasswordImpl) obj;
-        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && Arrays.equals(hash, other.hash) && Arrays.equals(salt, other.salt);
+        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && MessageDigest.isEqual(hash, other.hash) && MessageDigest.isEqual(salt, other.salt);
     }
 
     private void readObject(ObjectInputStream ignored) throws NotSerializableException {