authorGreg Wilkins2014-07-16 22:42:59 (EDT)
committerGreg Wilkins2014-07-16 22:42:59 (EDT)
commit12b522d7963cce13a30bd1e91a7499d9ab23206b (patch)
tree71d7327f5f20070f6715d9a8d3bf3e24d54c3de7
parent3a5e67ce9e3be6a4f442a4b699c846cf8f1caeee (diff)
439507 Avoid timing leak in MD5 compare
Also-by: Benny Baumann<BenBE@cacert.org>
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java10
1 files changed, 6 insertions, 4 deletions
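diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
index 1feb604..da5ec84 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
@@ -160,17 +160,19 @@ public abstract class Credential implements Serializable
 digest = __md.digest();
 }
 if (digest == null || digest.length != _digest.length) return false;
+ boolean match=true;
 for (int i = 0; i < digest.length; i++)
- if (digest[i] != _digest[i]) return false;
- return true;
+ match&=digest[i] != _digest[i];
+ return match;
 }
 else if (credentials instanceof MD5)
 {
 MD5 md5 = (MD5) credentials;
 if (_digest.length != md5._digest.length) return false;
+ boolean match=true;
 for (int i = 0; i < _digest.length; i++)
- if (_digest[i] != md5._digest[i]) return false;
- return true;
+ match&=(_digest[i] != md5._digest[i]);
+ return match;
 }
 else if (credentials instanceof Credential)
 {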
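Review bot: The new accumulation `match&=digest[i] != _digest[i];` (and the parallel line `match&=(_digest[i] != md5._digest[i]);` in the MD5-vs-MD5 branch) inverts the test: two identical digests now yield false, and the check passes only when every byte differs, so valid credentials are rejected rather than the timing leak being closed. Both lines should accumulate equality, `match &= digest[i] == _digest[i];` and `match &= _digest[i] == md5._digest[i];`, keeping the non-short-circuiting `&=` so that loop cost does not depend on the position of the first mismatch. The standard library already offers this in `java.security.MessageDigest.isEqual(byte[], byte[])`, which has been a constant-time comparison since roughly Java 6u17 (worth confirming against the project's minimum JDK), so `return MessageDigest.isEqual(digest, _digest);` would replace each hand-rolled loop and length check. The enclosing method starts before and ends after this hunk, so the earlier `return false` on a null or wrong-length digest is a pre-existing path that this change does not touch.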