File CVE-2025-59432.patch of Package ongres-scram.41474
From b6f162e21fad5a1639c6fe0a4d3f84b3d1e5d55f Mon Sep 17 00:00:00 2001
From: Thomas Florio <thomas.florio@suse.com>
Date: Tue, 28 Oct 2025 08:58:17 +0100
Subject: [PATCH] fix(security): Timing Attack Vulnerability
---
.../main/java/com/ongres/scram/common/ScramFunctions.java | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/common/src/main/java/com/ongres/scram/common/ScramFunctions.java b/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
index 5f02706..35deaf1 100644
--- a/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
+++ b/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
@@ -28,7 +28,7 @@ import com.ongres.scram.common.stringprep.StringPreparation;
import com.ongres.scram.common.util.CryptoUtil;
import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
+import java.security.MessageDigest;
/**
* Utility functions (e.g. crypto) for SCRAM.
@@ -230,8 +230,7 @@ public class ScramFunctions {
byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
byte[] computedStoredKey = hash(scramMechanism, clientKey);
-
- return Arrays.equals(storedKey, computedStoredKey);
+ return MessageDigest.isEqual(storedKey, computedStoredKey);
}
/**
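Review bot: The new `return MessageDigest.isEqual(storedKey, computedStoredKey);` has no comment saying why this comparison is used, so a later cleanup could swap `Arrays.equals` back in and restore the data-dependent early exit; the same applies to the return in the `verifyServerSignature` hunk. I would add above each return `// Constant-time compare: Arrays.equals stops at the first differing byte, which leaks timing.` Separately, `clientProof` reaches `CryptoUtil.xor` before any length check in the visible lines. Whether `xor` rejects a proof of the wrong length is not shown here, so it is worth confirming that a malformed proof produces a clean verification failure. The method's signature and Javadoc start outside the hunk.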
@@ -245,6 +244,7 @@ public class ScramFunctions {
public static boolean verifyServerSignature(
ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature
) {
- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+ byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
+ return MessageDigest.isEqual(serverSignature, computedServerSignature);
}
}
--
2.51.0