From 837fb1a8a4a85f1f42009a8c487f64ff09a08507 Mon Sep 17 00:00:00 2001
From: luisa-ball <159193427+luisa-ball@users.noreply.github.com>
Date: Fri, 4 Oct 2024 18:29:29 -0400
Subject: [PATCH] [ELY-2814] Update UnixSHACryptPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

https://issues.redhat.com/browse/ELY-2814
---
 .../security/password/impl/UnixSHACryptPasswordImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java b/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java
index 71e51451b04..06c7341363f 100644
--- a/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java
+++ b/password/impl/src/main/java/org/wildfly/security/password/impl/UnixSHACryptPasswordImpl.java
@@ -435,7 +435,7 @@ public boolean equals(final Object obj) {
             return false;
         }
         UnixSHACryptPasswordImpl other = (UnixSHACryptPasswordImpl) obj;
-        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && Arrays.equals(hash, other.hash) && Arrays.equals(salt, other.salt);
+        return iterationCount == other.iterationCount && algorithm.equals(other.algorithm) && MessageDigest.isEqual(hash, other.hash) && MessageDigest.isEqual(salt, other.salt);
     }
     private void readObject(ObjectInputStream ignored) throws NotSerializableException {
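Review bot: The switch to MessageDigest.isEqual on the added return line needs a comment stating its intent, otherwise a later cleanup can quietly revert it to Arrays.equals; suggest `// Constant-time comparison of the hash: Arrays.equals short-circuits on the first differing byte (ELY-2814).` directly above that line. MessageDigest.isEqual still returns early when the two arrays differ in length, which is acceptable here only because algorithm is compared first and fixes the digest size; the salt is not secret, so isEqual on it is harmless but not what the fix depends on. The diffstat shows no import change, so MessageDigest is presumably already imported in this file, and it is worth confirming that Arrays is still referenced elsewhere (e.g. in hashCode) or its import becomes unused. The enclosing equals(Object) starts before this hunk, and the password verification path where the timing of the digest comparison matters most is not visible here, so it should be checked to use the same constant-time comparison.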