From 6c69333df698e8642ca2768ff27de1a7dcc87b0b Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Sun, 22 Oct 2017 15:39:28 -0500 Subject: [PATCH] Remove PasswordEncoderUtils from core Issue: gh-4674 --- .../encoding/PasswordEncoderUtils.java | 58 --------------- .../encoding/PasswordEncoderUtilsTests.java | 70 ------------------- 2 files changed, 128 deletions(-) delete mode 100644 core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java delete mode 100644 core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java b/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java deleted file mode 100644 index fd1f86192f..0000000000 --- a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.authentication.encoding; - -import org.springframework.security.crypto.codec.Utf8; - -/** - * Utility for constant time comparison to prevent against timing attacks. - * - * @author Rob Winch - */ -class PasswordEncoderUtils { - - /** - * Constant time comparison to prevent against timing attacks. - * @param expected - * @param actual - * @return - */ - static boolean equals(String expected, String actual) { - byte[] expectedBytes = bytesUtf8(expected); - byte[] actualBytes = bytesUtf8(actual); - int expectedLength = expectedBytes == null ? -1 : expectedBytes.length; - int actualLength = actualBytes == null ? -1 : actualBytes.length; - - int result = expectedLength == actualLength ? 0 : 1; - for (int i = 0; i < actualLength; i++) { - byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength]; - byte actualByte = actualBytes[i % actualLength]; - result |= expectedByte ^ actualByte; - } - return result == 0; - } - - private static byte[] bytesUtf8(String s) { - if (s == null) { - return null; - } - - return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time (probably not). This may leak length of string. - } - - private PasswordEncoderUtils() { - } -} diff --git a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java b/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java deleted file mode 100644 index f8f4487414..0000000000 --- a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java +++ /dev/null @@ -1,70 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.authentication.encoding; - -import static org.assertj.core.api.Assertions.*; - -import org.junit.Test; - -/** - * @author Rob Winch - */ -public class PasswordEncoderUtilsTests { - - @Test - public void equalsWhenDifferentLengthThenFalse() { - assertThat(PasswordEncoderUtils.equals("abc", "a")).isFalse(); - assertThat(PasswordEncoderUtils.equals("a", "abc")).isFalse(); - } - - @Test - public void equalsWhenNullAndNotEmtpyThenFalse() { - assertThat(PasswordEncoderUtils.equals(null, "a")).isFalse(); - assertThat(PasswordEncoderUtils.equals("a", null)).isFalse(); - } - - @Test - public void equalsWhenNullAndNullThenTrue() { - assertThat(PasswordEncoderUtils.equals(null, null)).isTrue(); - } - - @Test - public void equalsWhenNullAndEmptyThenFalse() { - assertThat(PasswordEncoderUtils.equals(null, "")).isFalse(); - assertThat(PasswordEncoderUtils.equals("", null)).isFalse(); - } - - @Test - public void equalsWhenNotEmptyAndEmptyThenFalse() { - assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse(); - assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse(); - } - - @Test - public void equalsWhenEmtpyAndEmptyThenTrue() { - assertThat(PasswordEncoderUtils.equals("", "")).isTrue(); - } - - @Test - public void equalsWhenDifferentCaseThenFalse() { - assertThat(PasswordEncoderUtils.equals("aBc", "abc")).isFalse(); - } - - @Test - public void equalsWhenSameThenTrue() { - assertThat(PasswordEncoderUtils.equals("abcdef", "abcdef")).isTrue(); - } -}