huahaofeng
/
aspnetcore
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use CryptographicOperations.FixedTimeEquals (#9798)

This commit is contained in:
Gérald Barré 2019-04-27 02:46:21 -04:00 committed by David Fowler
parent 2767e69bdd
commit 2b2aeee9f8
1 changed files with 3 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/Identity/Extensions.Core/src/PasswordHasher.cs
View File

@ -65,26 +65,6 @@ namespace Microsoft.AspNetCore.Identity
_rng = options.Rng;
}
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)
{
if (a == null && b == null)
{
return true;
}
if (a == null || b == null || a.Length != b.Length)
{
return false;
}
var areSame = true;
for (var i = 0; i < a.Length; i++)
{
areSame &= (a[i] == b[i]);
}
return areSame;
}
/// <summary>
/// Returns a hashed representation of the supplied <paramref name="password"/> for the specified <paramref name="user"/>.
/// </summary>
@ -242,7 +222,7 @@ namespace Microsoft.AspNetCore.Identity
// Hash the incoming password and verify it
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, Pbkdf2Prf, Pbkdf2IterCount, Pbkdf2SubkeyLength);
return ByteArraysEqual(actualSubkey, expectedSubkey);
return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
}
private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount)
@ -275,7 +255,7 @@ namespace Microsoft.AspNetCore.Identity
// Hash the incoming password and verify it
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength);
return ByteArraysEqual(actualSubkey, expectedSubkey);
return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
}
catch
{
@ -294,4 +274,4 @@ namespace Microsoft.AspNetCore.Identity
buffer[offset + 3] = (byte)(value >> 0);
}
}
}
}