diff --git a/src/Identity/Extensions.Core/src/PasswordHasher.cs b/src/Identity/Extensions.Core/src/PasswordHasher.cs index ebc0ded3dc..a9ee0cd6bf 100644 --- a/src/Identity/Extensions.Core/src/PasswordHasher.cs +++ b/src/Identity/Extensions.Core/src/PasswordHasher.cs @@ -65,26 +65,6 @@ namespace Microsoft.AspNetCore.Identity _rng = options.Rng; } - // Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized. - [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] - private static bool ByteArraysEqual(byte[] a, byte[] b) - { - if (a == null && b == null) - { - return true; - } - if (a == null || b == null || a.Length != b.Length) - { - return false; - } - var areSame = true; - for (var i = 0; i < a.Length; i++) - { - areSame &= (a[i] == b[i]); - } - return areSame; - } - /// /// Returns a hashed representation of the supplied for the specified . /// @@ -242,7 +222,7 @@ namespace Microsoft.AspNetCore.Identity // Hash the incoming password and verify it byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, Pbkdf2Prf, Pbkdf2IterCount, Pbkdf2SubkeyLength); - return ByteArraysEqual(actualSubkey, expectedSubkey); + return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey); } private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount) @@ -275,7 +255,7 @@ namespace Microsoft.AspNetCore.Identity // Hash the incoming password and verify it byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength); - return ByteArraysEqual(actualSubkey, expectedSubkey); + return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey); } catch { @@ -294,4 +274,4 @@ namespace Microsoft.AspNetCore.Identity buffer[offset + 3] = (byte)(value >> 0); } } -} \ No newline at end of file +}