Use CryptographicOperations.FixedTimeEquals (#9798)
This commit is contained in:
parent
2767e69bdd
commit
2b2aeee9f8
|
|
@ -65,26 +65,6 @@ namespace Microsoft.AspNetCore.Identity
|
||||||
_rng = options.Rng;
|
_rng = options.Rng;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
|
|
||||||
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
|
|
||||||
private static bool ByteArraysEqual(byte[] a, byte[] b)
|
|
||||||
{
|
|
||||||
if (a == null && b == null)
|
|
||||||
{
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (a == null || b == null || a.Length != b.Length)
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
var areSame = true;
|
|
||||||
for (var i = 0; i < a.Length; i++)
|
|
||||||
{
|
|
||||||
areSame &= (a[i] == b[i]);
|
|
||||||
}
|
|
||||||
return areSame;
|
|
||||||
}
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Returns a hashed representation of the supplied <paramref name="password"/> for the specified <paramref name="user"/>.
|
/// Returns a hashed representation of the supplied <paramref name="password"/> for the specified <paramref name="user"/>.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
|
@ -242,7 +222,7 @@ namespace Microsoft.AspNetCore.Identity
|
||||||
|
|
||||||
// Hash the incoming password and verify it
|
// Hash the incoming password and verify it
|
||||||
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, Pbkdf2Prf, Pbkdf2IterCount, Pbkdf2SubkeyLength);
|
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, Pbkdf2Prf, Pbkdf2IterCount, Pbkdf2SubkeyLength);
|
||||||
return ByteArraysEqual(actualSubkey, expectedSubkey);
|
return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount)
|
private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount)
|
||||||
|
|
@ -275,7 +255,7 @@ namespace Microsoft.AspNetCore.Identity
|
||||||
|
|
||||||
// Hash the incoming password and verify it
|
// Hash the incoming password and verify it
|
||||||
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength);
|
byte[] actualSubkey = KeyDerivation.Pbkdf2(password, salt, prf, iterCount, subkeyLength);
|
||||||
return ByteArraysEqual(actualSubkey, expectedSubkey);
|
return CryptographicOperations.FixedTimeEquals(actualSubkey, expectedSubkey);
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue