From 2b2aeee9f869ec43f65c188a66d9285858823628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A9rald=20Barr=C3=A9?=
 <meziantou@users.noreply.github.com>
Date: Sat, 27 Apr 2019 02:46:21 -0400
Subject: [PATCH] Use CryptographicOperations.FixedTimeEquals (#9798)

---
 .../Extensions.Core/src/PasswordHasher.cs     | 26 +++----------------
 1 file changed, 3 insertions(+), 23 deletions(-)

diff --git a/src/Identity/Extensions.Core/src/PasswordHasher.cs b/src/Identity/Extensions.Core/src/PasswordHasher.cs
index ebc0ded3dc..a9ee0cd6bf 100644
--- a/src/Identity/Extensions.Core/src/PasswordHasher.cs
+++ b/src/Identity/Extensions.Core/src/PasswordHasher.cs
@@ -65,26 +65,6 @@ namespace Microsoft.AspNetCore.Identity
             _rng = options.Rng;
         }
 
-        // Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
-        [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
-        private static bool ByteArraysEqual(byte[] a, byte[] b)
-        {
-            if (a == null && b == null)
-            {
-                return true;
-            }
-            if (a == null || b == null || a.Length != b.Length)
-            {
-                return false;
-            }
-            var areSame = true;
-            for (var i = 0; i < a.Length; i++)
-            {
-                areSame &= (a[i] == b[i]);
-            }
-            return areSame;
-        }
-
         /// <summary>
         /// Returns a hashed representation of the supplied <paramref name="password"/> for the specified <paramref name="user"/>.
         /// </summary>
@@ -242,7 +222,7 @@ namespace Microsoft.AspNetCore.Identity
 
             // Hash the incoming password and verify it
             byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, Pbkdf2Prf, Pbkdf2IterCount, Pbkdf2SubkeyLength);
-            return ByteArraysEqual(actualSubkey, expectedSubkey);
+            return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
         }
 
         private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount)
@@ -275,7 +255,7 @@ namespace Microsoft.AspNetCore.Identity
 
                 // Hash the incoming password and verify it
                 byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength);
-                return ByteArraysEqual(actualSubkey, expectedSubkey);
+                return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
             }
             catch
             {
@@ -294,4 +274,4 @@ namespace Microsoft.AspNetCore.Identity
             buffer[offset + 3] = (byte)(value >> 0);
         }
     }
-}
\ No newline at end of file
+}