[GitHub] [kafka] omkreddy commented on a change in pull request #10978: MINOR: Use time constant algorithms when comparing passwords or keys

GitBox Wed, 07 Jul 2021 03:36:51 -0700


omkreddy commented on a change in pull request #10978:
URL: https://github.com/apache/kafka/pull/10978#discussion_r665251346




##########
File path: 
clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainServerCallbackHandler.java
##########
@@ -65,7 +65,7 @@ protected boolean authenticate(String username, char[] 
password) throws IOExcept
             String expectedPassword = 
JaasContext.configEntryOption(jaasConfigEntries,
                     JAAS_USER_PREFIX + username,
                     PlainLoginModule.class.getName());
-            return expectedPassword != null && Arrays.equals(password, 
expectedPassword.toCharArray());
+            return expectedPassword != null && Utils.isEqual(password, 
expectedPassword.toCharArray());

Review comment:
       How about using `MessageDigest.isEqual` method here also:
   
   ```
   MessageDigest.isEqual(new String(password).getBytes(StandardCharsets.UTF_8), 
expectedPassword.getBytes(StandardCharsets.UTF_8)`
   ```
   
   cc @rajinisivaram 




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [kafka] omkreddy commented on a change in pull request #10978: MINOR: Use time constant algorithms when comparing passwords or keys

Reply via email to