Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java7
1 files changed, 5 insertions, 2 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java
index 2ff47081784..b67b120ba7b 100644
--- a/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java
+++ b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.token;
+import com.yahoo.security.SideChannelSafe;
+
import java.util.Arrays;
import static com.yahoo.security.ArrayUtils.hex;
@@ -18,8 +20,9 @@ public record TokenCheckHash(byte[] hashBytes) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
TokenCheckHash tokenCheckHash = (TokenCheckHash) o;
- // We don't consider token hashes secret data, so no harm in data-dependent equals()
- return Arrays.equals(hashBytes, tokenCheckHash.hashBytes);
+ // Although not considered secret information, avoid leaking the contents of
+ // the check-hashes themselves via timing channels.
+ return SideChannelSafe.arraysEqual(hashBytes, tokenCheckHash.hashBytes);
}
@Override
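Review bot: The switch in `equals()` from `Arrays.equals` to `SideChannelSafe.arraysEqual` may change behaviour when `hashBytes` is null, because `Arrays.equals` accepts null on either side while the helper's null and length handling is not visible in this diff. If the record's constructor (outside this hunk) does not already reject null, consider adding `Objects.requireNonNull(hashBytes, "hashBytes");` there so that `equals()` cannot throw. The new comment could also state the helper's contract once it is confirmed against `SideChannelSafe`, for example `// Comparison time depends only on array length; arrays of differing length compare unequal.`. The `equals` method begins above this hunk, and the method following the trailing `@Override` is cut off below it.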