fix(security): Timing Attack Vulnerability

jorsol · jorsol · commit e0b0cf99f054 · 2025-09-16T19:51:50.000+02:00
A timing attack vulnerability exists in the SCRAM Java implementation.
The issue arises because Arrays.equals was used to compare secret values
such as client proofs and server signatures. Since Arrays.equals
performs a short-circuit comparison, the execution time varies depending
on how many leading bytes match. This behavior could allow an attacker
to perform a timing side-channel attack and potentially infer sensitive
authentication material. All users relying on SCRAM authentication are
impacted.

This vulnerability has been patched by replacing Arrays.equals with
MessageDigest.isEqual, which ensures constant-time comparison.
diff --git a/checks/forbiddenapis.txt b/checks/forbiddenapis.txt
@@ -0,0 +1,2 @@
+
+java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])
diff --git a/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java b/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
@@ -7,8 +7,8 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import java.security.MessageDigest;
 import java.security.SecureRandom;
-import java.util.Arrays;
 
 import com.ongres.scram.common.util.Preconditions;
 import org.jetbrains.annotations.NotNull;
@@ -190,8 +190,7 @@ public static boolean verifyClientProof(
     byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
     byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
     byte[] computedStoredKey = hash(scramMechanism, clientKey);
-
-    return Arrays.equals(storedKey, computedStoredKey);
+    return MessageDigest.isEqual(storedKey, computedStoredKey);
   }
 
   /**
@@ -205,7 +204,8 @@ public static boolean verifyClientProof(
    */
   public static boolean verifyServerSignature(
       ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
-    return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+    byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
+    return MessageDigest.isEqual(serverSignature, computedServerSignature);
   }
 
   /**
diff --git a/scram-parent/pom.xml b/scram-parent/pom.xml
@@ -530,6 +530,9 @@
                 <!-- don't allow System.out or System.err: -->
                 <bundledSignature>jdk-system-out</bundledSignature>
               </bundledSignatures>
+              <signaturesFiles>
+                <signaturesFile>${checks.location}/forbiddenapis.txt</signaturesFile>
+              </signaturesFiles>
             </configuration>
             <executions>
               <execution>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+`
	`2`	`+java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])`