Add constant time equals

Author: patrickfav

CHANGELOG

@@ -7,6 +7,7 @@
  * rename `toObjectArray()` to `toBoxedArray()` (will be removed in 1.0)
  * add appendNullSafe and append string with encoding
  * add proguard optimized version (can be used with classifier 'optimized')
+ * add constant time equals
 
 ## v0.4.6
 

src/main/java/at/favre/lib/bytes/Bytes.java

@@ -1622,6 +1622,18 @@ public boolean equals(byte[] anotherArray) {
         return anotherArray != null && Arrays.equals(internalArray(), anotherArray);
     }
 
+    /**
+     * Compares the inner array with given array. The comparison is done in constant time, therefore
+     * will not break on the first mismatch. This method is useful to prevent some side-channel attacks,
+     * but is slower on average.
+     *
+     * @param anotherArray to compare with
+     * @return true if {@link Arrays#equals(byte[], byte[])} returns true on given and internal array
+     */
+    public boolean equalsConstantTime(byte[] anotherArray) {
+        return anotherArray != null && Util.constantTimeEquals(internalArray(), anotherArray);
+    }
+
     /**
      * Compares the inner array with given array.
      * Note: a <code>null</code> Byte will not be equal to a <code>0</code> byte

src/main/java/at/favre/lib/bytes/Util.java

@@ -433,6 +433,15 @@ static boolean equals(byte[] obj, Byte[] anotherArray) {
         return true;
     }
 
+    static boolean constantTimeEquals(byte[] obj, byte[] anotherArray) {
+        if (anotherArray == null || obj.length != anotherArray.length) return false;
+        boolean result = true;
+        for (int i = 0; i < obj.length; i++) {
+            result &= obj[i] == anotherArray[i];
+        }
+        return result;
+    }
+
     /*
     =================================================================================================
      Copyright 2011 Twitter, Inc.

src/test/java/at/favre/lib/bytes/BytesMiscTest.java

@@ -77,6 +77,13 @@ public void testEqualsWithArray() {
         assertFalse(Bytes.random(16).equals(new byte[16]));
     }
 
+    @Test
+    public void testEqualsWithConstantTime() {
+        assertTrue(Bytes.allocate(4).equalsConstantTime(new byte[4]));
+        assertFalse(Bytes.allocate(4).equalsConstantTime(new byte[3]));
+        assertFalse(Bytes.random(16).equalsConstantTime(new byte[16]));
+    }
+
     @Test
     public void testEqualsWithObjectArray() {
         assertFalse(Bytes.allocate(4).equals(new Byte[4]));