Use constant-time array comparison

y-a-n-n · y-a-n-n · commit 9e38bbf6e29a · 2021-02-15T11:26:26.000+10:30
diff --git a/src/main/java/com/smartmovesystems/hashcheck/FirebaseScrypt.java b/src/main/java/com/smartmovesystems/hashcheck/FirebaseScrypt.java
@@ -10,7 +10,7 @@
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.Key;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -71,7 +71,7 @@ public static boolean check(String passwd, String knownCipherText, String salt,
 
         byte[] knownCipherTextBytes = Base64.decodeBase64(knownCipherText.getBytes(CHARSET));
 
-        return Arrays.equals(knownCipherTextBytes, cipherTextBytes);
+        return MessageDigest.isEqual(knownCipherTextBytes, cipherTextBytes);
     }
 
     private static Key generateKeyFromString(byte[] keyVal) {
