Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/07/07 11:37:11 UTC

[GitHub] [kafka] rajinisivaram commented on a change in pull request #10978: MINOR: Use time constant algorithms when comparing passwords or keys

rajinisivaram commented on a change in pull request #10978:
URL: https://github.com/apache/kafka/pull/10978#discussion_r665288314



##########
File path: clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainServerCallbackHandler.java
##########
@@ -65,7 +65,7 @@ protected boolean authenticate(String username, char[] password) throws IOExcept
             String expectedPassword = JaasContext.configEntryOption(jaasConfigEntries,
                     JAAS_USER_PREFIX + username,
                     PlainLoginModule.class.getName());
-            return expectedPassword != null && Arrays.equals(password, expectedPassword.toCharArray());
+            return expectedPassword != null && Utils.isEqual(password, expectedPassword.toCharArray());
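Review bot: the replacement on the `+` line calls `Utils.isEqual(password, expectedPassword.toCharArray())`, but the helper's definition is not part of this hunk, so the review cannot confirm it is actually constant-time; it should delegate to a non-short-circuiting comparison (for example `MessageDigest.isEqual` over the UTF-8 bytes, as the thread suggests) rather than an early-exit loop, and carry a short javadoc stating that guarantee, otherwise the rename buys nothing over `Arrays.equals`. Two smaller points on the same line: `expectedPassword.toCharArray()` leaves a second copy of the secret on the heap that is never wiped, so consider holding it in a local and clearing it with `Arrays.fill(expected, (char) 0)` in a `finally` block after the comparison; and the `Arrays` import becomes unused once `Utils.isEqual` replaces it here, while the `Utils` import must be added.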

Review comment:
       Yes, it should be safe to convert to bytes and compare using MessageDigest.isEqual since SASL/PLAIN uses UTF8. Means more object creation, but that shouldn't be an issue. Utils.isEqual() may be worth adding if we think we may use it in other places as well in future for constant time array comparisons (in which case, we can make it generic).




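Below is an added example, written for this thread and not code from the Kafka project or from the PR, showing the two options discussed above side by side: the early-exit `Arrays.equals` that the hunk replaces, a comparison that encodes both `char[]` values as UTF-8 and hands them to `MessageDigest.isEqual`, and a generic non-short-circuiting byte comparison of the kind a `Utils.isEqual` helper might offer. The class name, the `authenticate` signature and the `Utils.isEqual`-style method are assumptions for illustration only.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public final class ConstantTimeCompare {

    // The comparison the hunk removes: Arrays.equals returns at the first
    // mismatching index, so its running time depends on how long the common
    // prefix of the two secrets is.
    static boolean earlyExitEquals(char[] a, char[] b) {
        return Arrays.equals(a, b);
    }

    // The approach suggested in the review comment: SASL/PLAIN credentials are
    // UTF-8, so encode both char[] values to bytes and compare them with the
    // JDK's MessageDigest.isEqual, which does not stop at the first mismatch.
    // The temporary byte copies of the secrets are wiped afterwards.
    static boolean constantTimeEquals(char[] a, char[] b) {
        byte[] ab = toUtf8(a);
        byte[] bb = toUtf8(b);
        try {
            return MessageDigest.isEqual(ab, bb);
        } finally {
            Arrays.fill(ab, (byte) 0);
            Arrays.fill(bb, (byte) 0);
        }
    }

    // Encodes a char[] as UTF-8 without going through a String, so no immutable
    // copy of the secret is left behind for the garbage collector to find.
    private static byte[] toUtf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);
        }
        return out;
    }

    // A generic helper of the kind the comment calls Utils.isEqual (hypothetical
    // name): every byte of `a` is visited regardless of where a mismatch occurs,
    // so only the lengths of the inputs influence the running time.
    static boolean isEqual(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return a == b;
        }
        if (b.length == 0) {
            return a.length == 0;
        }
        int result = a.length ^ b.length;
        for (int i = 0; i < a.length; i++) {
            result |= a[i] ^ b[i % b.length];
        }
        return result == 0;
    }

    // Mirrors the shape of the authenticate() method in the hunk (assumed
    // signature): null expected password means unknown user, otherwise compare
    // in constant time and clear the temporary copy of the expected password.
    static boolean authenticate(char[] password, String expectedPassword) {
        if (expectedPassword == null) {
            return false;
        }
        char[] expected = expectedPassword.toCharArray();
        try {
            return constantTimeEquals(password, expected);
        } finally {
            Arrays.fill(expected, (char) 0);
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not values from any real configuration.
        char[] supplied = "s3cret-pass".toCharArray();
        System.out.println("early-exit match:    " + earlyExitEquals(supplied, "s3cret-pass".toCharArray()));
        System.out.println("constant-time match: " + authenticate(supplied, "s3cret-pass"));
        System.out.println("wrong password:      " + authenticate(supplied, "s3cret-pasS"));
        System.out.println("unknown user:        " + authenticate(supplied, null));
        System.out.println("byte helper:         " + isEqual("abc".getBytes(StandardCharsets.UTF_8),
                                                             "abd".getBytes(StandardCharsets.UTF_8)));
    }
}
```

The `authenticate` method prints `true`, `false`, `false` for the three calls, and the byte helper prints `false`; the point of the example is not the result but that neither `constantTimeEquals` nor `isEqual` finishes earlier when the mismatch is at the first character than when it is at the last.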