diff options
author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-07-19 15:38:20 +0200 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-07-19 15:38:20 +0200 |
commit | 3144d978886984f57344e1580326749b25614cb6 (patch) | |
tree | 8e01c29549997c55ad050f129d2dfb027b20c9e4 /security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java | |
parent | 9819e2c447f2ff54dc458bf33b8d0ea84d1017d6 (diff) |
Defer side channel-safe array checks to existing BC utils
Use constant-time array compare for TokenCheckHash equality checks.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java index 2ff47081784..b67b120ba7b 100644 --- a/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java +++ b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java @@ -1,6 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security.token; +import com.yahoo.security.SideChannelSafe; + import java.util.Arrays; import static com.yahoo.security.ArrayUtils.hex; @@ -18,8 +20,9 @@ public record TokenCheckHash(byte[] hashBytes) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; TokenCheckHash tokenCheckHash = (TokenCheckHash) o; - // We don't consider token hashes secret data, so no harm in data-dependent equals() - return Arrays.equals(hashBytes, tokenCheckHash.hashBytes); + // Although not considered secret information, avoid leaking the contents of + // the check-hashes themselves via timing channels. + return SideChannelSafe.arraysEqual(hashBytes, tokenCheckHash.hashBytes); } @Override |