commit 66eed8b590b3b797d0800cdfbc4522383c235c88
author Colm O hEigeartaigh <coheigea@apache.org> Wed Nov 20 10:32:19 2019 +0000
committer Colm O hEigeartaigh <coheigea@apache.org> Wed Nov 20 10:32:19 2019 +0000
tree fb486e77929bf0c2d14088a6c1cb674cded2c3bf
parent 4c2027adafff48f09937d06da643ee0cc4551b20

SHIRO-458 - Refining merge + fixing another location

core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java

diff --git a/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java b/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
index 26000e6..c2ec183 100644
--- a/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
+++ b/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
@@ -18,6 +18,8 @@
  */
 package org.apache.shiro.authc.credential;
 
+import java.security.MessageDigest;
+
 import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.crypto.hash.Hash;
 import org.apache.shiro.crypto.hash.HashRequest;
@@ -99,21 +101,10 @@
 
     private boolean constantEquals(String savedHash, String computedHash) {
 
-        int result = 0;
-        boolean equals;
-        byte [] savedHashByteArray = savedHash.getBytes();
-        byte [] computedHashByteArray = computedHash.getBytes();
+        byte[] savedHashByteArray = savedHash.getBytes();
+        byte[] computedHashByteArray = computedHash.getBytes();
 
-        if(savedHashByteArray.length != computedHashByteArray.length){
-            return false;
-        } else {
-            for(int index = 0; index < savedHashByteArray.length; index++){
-                result |= savedHashByteArray[index] ^ computedHashByteArray[index];
-            }
-            equals = (result == 0);
-        }
-
-        return equals;
+        return MessageDigest.isEqual(savedHashByteArray, computedHashByteArray);
     }
 
     protected void checkHashFormatDurability() {
@@ -180,7 +171,7 @@
         Hash computed = this.hashService.computeHash(request);
         String formatted = this.hashFormat.format(computed);
 
-        return saved.equals(formatted);
+        return constantEquals(saved, formatted);
     }
 
     protected HashRequest buildHashRequest(ByteSource plaintext, Hash saved) {