Use constant time comparison Release-Notes: Use constant-time comparison for hashed password validation, for increased security Bug: b/348963674 Change-Id: Idc9f5580999acdc015bdf233ed50bffbadd991cf (cherry picked from commit ecae8657d6dc43032154789f68e2f2e8697543f2)

commit: fd88f0e87e58622a59c2293a31ab7376b07e23fb [log] [tgz]
author: Patrick Hiesel <hiesel@google.com> Mon Jun 24 10:54:28 2024 +0200
committer: Luca Milanesio <luca.milanesio@gmail.com> Mon Jun 24 10:21:38 2024 +0000
tree: 2f3957df02c0094c2ba9587bf4acfe519e1de23c
parent: 110b1636796b8a446acc43cd6c6fe46720af709d [diff]
diff --git a/java/com/google/gerrit/server/account/HashedPassword.java b/java/com/google/gerrit/server/account/HashedPassword.java
index 0911550..7a7c35b 100644
--- a/java/com/google/gerrit/server/account/HashedPassword.java
+++ b/java/com/google/gerrit/server/account/HashedPassword.java

@@ -136,6 +136,6 @@
 
   public boolean checkPassword(String password) {
     // Constant-time comparison, because we're paranoid.
-    return Arrays.areEqual(hashPassword(password, salt, cost, nullTerminate), hashed);
+    return Arrays.constantTimeAreEqual(hashPassword(password, salt, cost, nullTerminate), hashed);
   }
 }
commit	fd88f0e87e58622a59c2293a31ab7376b07e23fb	[log] [tgz]
author	Patrick Hiesel <hiesel@google.com>	Mon Jun 24 10:54:28 2024 +0200
committer	Luca Milanesio <luca.milanesio@gmail.com>	Mon Jun 24 10:21:38 2024 +0000
tree	2f3957df02c0094c2ba9587bf4acfe519e1de23c
parent	110b1636796b8a446acc43cd6c6fe46720af709d [diff]