Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

439507 Avoid timing leak in MD5 compare 

Also-by: Benny Baumann<BenBE@cacert.org>
This commit is contained in:
Greg Wilkins 2014-07-17 12:42:59 +10:00
parent 3a5e67ce9e
commit 12b522d796
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
View File

@ -160,17 +160,19 @@ public abstract class Credential implements Serializable
digest = __md.digest();
}
if (digest == null || digest.length != _digest.length) return false;
boolean match=true;
for (int i = 0; i < digest.length; i++)
if (digest[i] != _digest[i]) return false;
return true;
match&=digest[i] != _digest[i];
return match;
}
else if (credentials instanceof MD5)
{
MD5 md5 = (MD5) credentials;
if (_digest.length != md5._digest.length) return false;
boolean match=true;
for (int i = 0; i < _digest.length; i++)
if (_digest[i] != md5._digest[i]) return false;
return true;
match&=(_digest[i] != md5._digest[i]);
return match;
}
else if (credentials instanceof Credential)
{