John,

Thanks for working on this. It looks like you're going to extra
trouble to hide timing information about the length of the target
string. In most cases such as HMAC, this isn't important. However, for
plaintext passwords it could be. What will this be used for?

Your ternary operator on the following line introduces a branch
anyway, revealing timing information about the length of a and b:

   ((a.length == b.length) ? 0 : 1);

If you continue with the goal of not revealing length information,
this could be:

    int diff = a.length ^ b.length;

In Java, I don't think anyone tries to prevent null pointer
exceptions. The reference to a.length and b.length will trigger this
exception if either argument is null. I guess you could catch that
exception and return false but you should check with other developers
if that is desired behavior.

I also don't think you should have special handling for zero-length
strings at all. Just returning false immediately if a.length !=
b.length should be sufficient.

The function should probably be called something other than "equals()"
to give more info about its implementation.

The most important thing is to figure out what this will be used for.
If only HMAC, removing the attempt to hide lengths would simplify the
code tremendously.

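Added example, not part of the message above and not the patch under review: the two comparison styles the message distinguishes, written out in Java. The class and method names are hypothetical, and rejecting an empty secret in the length-hiding variant is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;

// Added example; class and method names are hypothetical.
public final class TimingSafeCompare {

    // Fixed-length values such as HMAC tags: the length is public, so an
    // early return on a length mismatch reveals nothing secret.
    static boolean macEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i]; // accumulate differences, never exit early
        }
        return diff == 0;
    }

    // Length-hiding variant: the loop count depends only on the
    // caller-supplied input, and the length mismatch is folded in with
    // XOR instead of a ternary. A null argument throws
    // NullPointerException, as ordinary Java code would.
    static boolean secretEquals(byte[] secret, byte[] input) {
        if (secret.length == 0) {
            // Assumption of this sketch: an empty secret is a caller error.
            throw new IllegalArgumentException("secret must not be empty");
        }
        int diff = secret.length ^ input.length;
        for (int i = 0; i < input.length; i++) {
            // The index wraps so every input byte is compared to something.
            diff |= secret[i % secret.length] ^ input[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials or tags.
        byte[] tag = "constructed-sample-tag".getBytes(StandardCharsets.UTF_8);
        byte[] same = tag.clone();
        byte[] flipped = tag.clone();
        flipped[flipped.length - 1] ^= 0x01;
        byte[] longer = "constructed-sample-tag-x".getBytes(StandardCharsets.UTF_8);

        System.out.println(macEquals(tag, same));       // true
        System.out.println(macEquals(tag, flipped));    // false
        System.out.println(secretEquals(tag, same));    // true
        System.out.println(secretEquals(tag, longer));  // false
    }
}
```

The JIT compiler gives no formal constant-time guarantee for either loop; the structure only avoids data-dependent early exits at the source level.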