8 лет назад · 6c69333df6
--- a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
@@ -1,58 +0,0 @@
 
				-/*
			
 
				- * Copyright 2002-2016 the original author or authors.
			
 
				- *
			
 
				- * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				- * you may not use this file except in compliance with the License.
			
 
				- * You may obtain a copy of the License at
			
 
				- *
			
 
				- *      http://www.apache.org/licenses/LICENSE-2.0
			
 
				- *
			
 
				- * Unless required by applicable law or agreed to in writing, software
			
 
				- * distributed under the License is distributed on an "AS IS" BASIS,
			
 
				- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				- * See the License for the specific language governing permissions and
			
 
				- * limitations under the License.
			
 
				- */
			
 
				-package org.springframework.security.authentication.encoding;
			
 
				-
			
 
				-import org.springframework.security.crypto.codec.Utf8;
			
 
				-
			
 
				-/**
			
 
				- * Utility for constant time comparison to prevent against timing attacks.
			
 
				- *
			
 
				- * @author Rob Winch
			
 
				- */
			
 
				-class PasswordEncoderUtils {
			
 
				-
			
 
				-	/**
			
 
				-	 * Constant time comparison to prevent against timing attacks.
			
 
				-	 * @param expected
			
 
				-	 * @param actual
			
 
				-	 * @return
			
 
				-	 */
			
 
				-	static boolean equals(String expected, String actual) {
			
 
				-		byte[] expectedBytes = bytesUtf8(expected);
			
 
				-		byte[] actualBytes = bytesUtf8(actual);
			
 
				-		int expectedLength = expectedBytes == null ? -1 : expectedBytes.length;
			
 
				-		int actualLength = actualBytes == null ? -1 : actualBytes.length;
			
 
				-
			
 
				-		int result = expectedLength == actualLength ? 0 : 1;
			
 
				-		for (int i = 0; i < actualLength; i++) {
			
 
				-			byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
			
 
				-			byte actualByte = actualBytes[i % actualLength];
			
 
				-			result |= expectedByte ^ actualByte;
			
 
				-		}
			
 
				-		return result == 0;
			
 
				-	}
			
 
				-
			
 
				-	private static byte[] bytesUtf8(String s) {
			
 
				-		if (s == null) {
			
 
				-			return null;
			
 
				-		}
			
 
				-
			
 
				-		return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time (probably not). This may leak length of string.
			
 
				-	}
			
 
				-
			
 
				-	private PasswordEncoderUtils() {
			
 
				-	}
			
 
				-}
			
--- a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
@@ -1,70 +0,0 @@
 
				-/*
			
 
				- * Copyright 2002-2016 the original author or authors.
			
 
				- *
			
 
				- * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				- * you may not use this file except in compliance with the License.
			
 
				- * You may obtain a copy of the License at
			
 
				- *
			
 
				- *      http://www.apache.org/licenses/LICENSE-2.0
			
 
				- *
			
 
				- * Unless required by applicable law or agreed to in writing, software
			
 
				- * distributed under the License is distributed on an "AS IS" BASIS,
			
 
				- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				- * See the License for the specific language governing permissions and
			
 
				- * limitations under the License.
			
 
				- */
			
 
				-package org.springframework.security.authentication.encoding;
			
 
				-
			
 
				-import static org.assertj.core.api.Assertions.*;
			
 
				-
			
 
				-import org.junit.Test;
			
 
				-
			
 
				-/**
			
 
				- * @author Rob Winch
			
 
				- */
			
 
				-public class PasswordEncoderUtilsTests {
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenDifferentLengthThenFalse() {
			
 
				-		assertThat(PasswordEncoderUtils.equals("abc", "a")).isFalse();
			
 
				-		assertThat(PasswordEncoderUtils.equals("a", "abc")).isFalse();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenNullAndNotEmtpyThenFalse() {
			
 
				-		assertThat(PasswordEncoderUtils.equals(null, "a")).isFalse();
			
 
				-		assertThat(PasswordEncoderUtils.equals("a", null)).isFalse();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenNullAndNullThenTrue() {
			
 
				-		assertThat(PasswordEncoderUtils.equals(null, null)).isTrue();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenNullAndEmptyThenFalse() {
			
 
				-		assertThat(PasswordEncoderUtils.equals(null, "")).isFalse();
			
 
				-		assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenNotEmptyAndEmptyThenFalse() {
			
 
				-		assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
			
 
				-		assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenEmtpyAndEmptyThenTrue() {
			
 
				-		assertThat(PasswordEncoderUtils.equals("", "")).isTrue();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenDifferentCaseThenFalse() {
			
 
				-		assertThat(PasswordEncoderUtils.equals("aBc", "abc")).isFalse();
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void equalsWhenSameThenTrue() {
			
 
				-		assertThat(PasswordEncoderUtils.equals("abcdef", "abcdef")).isTrue();
			
 
				-	}
			
 
				-}