corrected constant time equals.

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java

@@ -309,7 +309,7 @@ private static boolean doCheckPassword(
         boolean isEqual = sLength == newBcryptString.length();
         for (int i = 0; i != sLength; i++)
         {
-            isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
+            isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));
         }
         return isEqual;
     }

core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java

@@ -1,5 +1,7 @@
 package org.bouncycastle.crypto.test;
 
+import java.security.SecureRandom;
+
 import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.test.SimpleTest;
@@ -199,6 +201,24 @@ public void performTest()
                 fail("twoBVec mismatch: " + "[" + i + "] " + password);
             }
         }
+
+
+        int costFactor = 4;
+        SecureRandom random = new SecureRandom();
+        salt = new byte[16];
+        for (int i = 0; i < 1000; i++)
+        {
+            random.nextBytes(salt);
+            final String tokenString = OpenBSDBCrypt
+                .generate("test-token".toCharArray(), salt, costFactor);
+
+            isTrue(OpenBSDBCrypt.checkPassword(tokenString, "test-token".toCharArray()));
+            isTrue(!OpenBSDBCrypt.checkPassword(tokenString, "wrong-token".toCharArray()));
+        }
     }
+
+
+
+
 }