parent
3a4a32e654
commit
6c69333df6
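--- a/PasswordEncoderUtils.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-* Copyright 2002-2016 the original author or authors.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package org.springframework.security.authentication.encoding;
-
-import org.springframework.security.crypto.codec.Utf8;
-
-/**
-* Utility for constant time comparison to prevent against timing attacks.
-*
-* @author Rob Winch
-*/
-class PasswordEncoderUtils {
-
-/**
-* Constant time comparison to prevent against timing attacks.
-* @param expected
-* @param actual
-* @return
-*/
-static boolean equals(String expected, String actual) {
-byte[] expectedBytes = bytesUtf8(expected);
-byte[] actualBytes = bytesUtf8(actual);
-int expectedLength = expectedBytes == null ? -1 : expectedBytes.length;
-int actualLength = actualBytes == null ? -1 : actualBytes.length;
-
-int result = expectedLength == actualLength ? 0 : 1;
-for (int i = 0; i < actualLength; i++) {
-byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
-byte actualByte = actualBytes[i % actualLength];
-result |= expectedByte ^ actualByte;
-}
-return result == 0;
-}
-
-private static byte[] bytesUtf8(String s) {
-if (s == null) {
-return null;
-}
-
-return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time (probably not). This may leak length of string.
-}
-
-private PasswordEncoderUtils() {
-}
-}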
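--- a/PasswordEncoderUtilsTests.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-* Copyright 2002-2016 the original author or authors.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Test;
-
-/**
-* @author Rob Winch
-*/
-public class PasswordEncoderUtilsTests {
-
-@Test
-public void equalsWhenDifferentLengthThenFalse() {
-assertThat(PasswordEncoderUtils.equals("abc", "a")).isFalse();
-assertThat(PasswordEncoderUtils.equals("a", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenNullAndNotEmtpyThenFalse() {
-assertThat(PasswordEncoderUtils.equals(null, "a")).isFalse();
-assertThat(PasswordEncoderUtils.equals("a", null)).isFalse();
-}
-
-@Test
-public void equalsWhenNullAndNullThenTrue() {
-assertThat(PasswordEncoderUtils.equals(null, null)).isTrue();
-}
-
-@Test
-public void equalsWhenNullAndEmptyThenFalse() {
-assertThat(PasswordEncoderUtils.equals(null, "")).isFalse();
-assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
-}
-
-@Test
-public void equalsWhenNotEmptyAndEmptyThenFalse() {
-assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
-assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenEmtpyAndEmptyThenTrue() {
-assertThat(PasswordEncoderUtils.equals("", "")).isTrue();
-}
-
-@Test
-public void equalsWhenDifferentCaseThenFalse() {
-assertThat(PasswordEncoderUtils.equals("aBc", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenSameThenTrue() {
-assertThat(PasswordEncoderUtils.equals("abcdef", "abcdef")).isTrue();
-}
-}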