Use constant time comparison
Release-Notes: Use constant-time comparison for hashed password validation, for increased security
Bug: b/348963674
Change-Id: Idc9f5580999acdc015bdf233ed50bffbadd991cf
diff --git a/java/com/google/gerrit/server/account/HashedPassword.java b/java/com/google/gerrit/server/account/HashedPassword.java
index 09115503..7a7c35b 100644
--- a/java/com/google/gerrit/server/account/HashedPassword.java
+++ b/java/com/google/gerrit/server/account/HashedPassword.java
@@ -136,6 +136,6 @@
public boolean checkPassword(String password) {
// Constant-time comparison, because we're paranoid.
- return Arrays.areEqual(hashPassword(password, salt, cost, nullTerminate), hashed);
+ return Arrays.constantTimeAreEqual(hashPassword(password, salt, cost, nullTerminate), hashed);
}
}
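Review bot: The constant-time guarantee of the new call on the `+` line depends on which `Arrays` is imported (the import is outside the hunk); `constantTimeAreEqual` exists on Bouncy Castle's `org.bouncycastle.util.Arrays`, and whether that method stays constant-time when the two inputs differ in length varies by library version, so this should be confirmed against the version Gerrit pins. If the project would rather not depend on that, the JDK's `java.security.MessageDigest.isEqual(byte[], byte[])` gives a constant-time comparison for equal-length digests with no third-party dependency, e.g. `return MessageDigest.isEqual(hashPassword(password, salt, cost, nullTerminate), hashed);`. Either way the existing comment on the line above is worth tightening to name the property it relies on, e.g. `// Constant-time comparison so that timing does not reveal how many leading bytes of the hash match.`. checkPassword is shown in full, but the enclosing class and its imports start outside the hunk.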