parent
3a4a32e654
commit
6c69333df6
|
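--- a/PATH_NOT_ON_PAGE/PasswordEncoderUtils.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-* Copyright 2002-2016 the original author or authors.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package org.springframework.security.authentication.encoding;
-
-import org.springframework.security.crypto.codec.Utf8;
-
-/**
-* Utility for constant time comparison to prevent against timing attacks.
-*
-* @author Rob Winch
-*/
-class PasswordEncoderUtils {
-
-/**
-* Constant time comparison to prevent against timing attacks.
-* @param expected
-* @param actual
-* @return
-*/
-static boolean equals(String expected, String actual) {
-byte[] expectedBytes = bytesUtf8(expected);
-byte[] actualBytes = bytesUtf8(actual);
-int expectedLength = expectedBytes == null ? -1 : expectedBytes.length;
-int actualLength = actualBytes == null ? -1 : actualBytes.length;
-
-int result = expectedLength == actualLength ? 0 : 1;
-for (int i = 0; i < actualLength; i++) {
-byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
-byte actualByte = actualBytes[i % actualLength];
-result |= expectedByte ^ actualByte;
-}
-return result == 0;
-}
-
-private static byte[] bytesUtf8(String s) {
-if (s == null) {
-return null;
-}
-
-return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time (probably not). This may leak length of string.
-}
-
-private PasswordEncoderUtils() {
-}
-}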
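--- a/PATH_NOT_ON_PAGE/PasswordEncoderUtilsTests.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-* Copyright 2002-2016 the original author or authors.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Test;
-
-/**
-* @author Rob Winch
-*/
-public class PasswordEncoderUtilsTests {
-
-@Test
-public void equalsWhenDifferentLengthThenFalse() {
-assertThat(PasswordEncoderUtils.equals("abc", "a")).isFalse();
-assertThat(PasswordEncoderUtils.equals("a", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenNullAndNotEmtpyThenFalse() {
-assertThat(PasswordEncoderUtils.equals(null, "a")).isFalse();
-assertThat(PasswordEncoderUtils.equals("a", null)).isFalse();
-}
-
-@Test
-public void equalsWhenNullAndNullThenTrue() {
-assertThat(PasswordEncoderUtils.equals(null, null)).isTrue();
-}
-
-@Test
-public void equalsWhenNullAndEmptyThenFalse() {
-assertThat(PasswordEncoderUtils.equals(null, "")).isFalse();
-assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
-}
-
-@Test
-public void equalsWhenNotEmptyAndEmptyThenFalse() {
-assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
-assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenEmtpyAndEmptyThenTrue() {
-assertThat(PasswordEncoderUtils.equals("", "")).isTrue();
-}
-
-@Test
-public void equalsWhenDifferentCaseThenFalse() {
-assertThat(PasswordEncoderUtils.equals("aBc", "abc")).isFalse();
-}
-
-@Test
-public void equalsWhenSameThenTrue() {
-assertThat(PasswordEncoderUtils.equals("abcdef", "abcdef")).isTrue();
-}
-}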