SimpleCrypto.net
PBKDF2.Compare assumes equal string lengths
The Compare function of PBKDF2 uses Math.Min to find the shorter string's length and so prevent an index-out-of-bounds exception. However, if the two strings are not of equal length but the longer string starts with the shorter one, the function returns true:
var pbkdf2 = new PBKDF2();
var ret = pbkdf2.Compare("foo", "foobar"); // ret is now true
To fix this, the result variable should not be initialized by 0, but by the result of a string length comparison:
int result = passwordHash1.Length ^ passwordHash2.Length;
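To show the effect of that one-line change, here is an added example (not SimpleCrypto.net's own code) with a reconstruction of the Compare logic the issue describes beside the fixed version; the method names, the exact loop body and the surrounding class are assumptions, only the Math.Min bound and the length-XOR seed come from the issue:

```csharp
using System;

// Added example, not SimpleCrypto.net's code: the Compare shape this issue
// describes, reconstructed from the report, next to the proposed fix.
public static class CompareDemo
{
    // Buggy shape: result starts at 0 and only the first Min(len1, len2)
    // characters are XORed, so a longer hash that merely starts with the
    // shorter one compares as equal.
    public static bool CompareBuggy(string passwordHash1, string passwordHash2)
    {
        int min = Math.Min(passwordHash1.Length, passwordHash2.Length);
        int result = 0;
        for (int i = 0; i < min; i++)
            result |= passwordHash1[i] ^ passwordHash2[i];
        return result == 0;
    }

    // Fixed shape: seed result with the XOR of the two lengths. Any length
    // mismatch makes result non-zero before the loop runs, and the loop still
    // walks all min characters without early exit, so the timing profile
    // for equal-length inputs is unchanged.
    public static bool CompareFixed(string passwordHash1, string passwordHash2)
    {
        int min = Math.Min(passwordHash1.Length, passwordHash2.Length);
        int result = passwordHash1.Length ^ passwordHash2.Length;
        for (int i = 0; i < min; i++)
            result |= passwordHash1[i] ^ passwordHash2[i];
        return result == 0;
    }

    public static void Main()
    {
        // Prefix case from the report: buggy version accepts, fixed rejects.
        Console.WriteLine("buggy  foo/foobar    : " + CompareBuggy("foo", "foobar"));
        Console.WriteLine("fixed  foo/foobar    : " + CompareFixed("foo", "foobar"));
        // Equal-length inputs behave the same in both versions.
        Console.WriteLine("fixed  foobar/foobar : " + CompareFixed("foobar", "foobar"));
        Console.WriteLine("fixed  foobaz/foobar : " + CompareFixed("foobaz", "foobar"));
    }
}
```

On .NET Core 2.1 and later, System.Security.Cryptography.CryptographicOperations.FixedTimeEquals provides an equivalent length-checked, constant-time comparison over byte spans, which avoids hand-rolling this loop.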
Hi, considering that both strings are hashes, wouldn't it be okay to assume they both have the same length?