Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue #1556 Timing attack

This commit is contained in:
Greg Wilkins 2017-08-18 11:38:55 +10:00
parent be970de6db
commit 201a11a899
1 changed files with 24 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
View File

@ -72,51 +72,47 @@ public abstract class Credential implements Serializable
} }
/** /**
* <p>Utility method that replaces String.equals() to avoid timing attacks.</p> * <p>Utility method that replaces String.equals() to avoid timing attacks.
* The length of the loop executed will always be the length of the unknown credential</p>
* *
* @param s1 the first string to compare * @param known the first string to compare (should be known string)
* @param s2 the second string to compare * @param unknown the second string to compare (should be the unknown string)
* @return whether the two strings are equal * @return whether the two strings are equal
*/ */
protected static boolean stringEquals(String s1, String s2) protected static boolean stringEquals(String known, String unknown)
{ {
if (s1 == s2) if (known == unknown)
return true; return true;
if (s1 == null || s2 == null) if (known == null || unknown == null)
return false; return false;
boolean result = true; boolean result = true;
int l1 = s1.length(); int l1 = known.length();
int l2 = s2.length(); int l2 = unknown.length();
if (l1 != l2) for (int i = 0; i < l2; ++i)
result = false; result &= known.charAt(i%l1) == unknown.charAt(i);
int l = Math.min(l1, l2); return result && l1 == l2;
for (int i = 0; i < l; ++i)
result &= s1.charAt(i) == s2.charAt(i);
return result;
} }
/** /**
* <p>Utility method that replaces Arrays.equals() to avoid timing attacks.</p> * <p>Utility method that replaces Arrays.equals() to avoid timing attacks.
* The length of the loop executed will always be the length of the unknown credential</p>
* *
* @param b1 the first byte array to compare * @param known the first byte array to compare (should be known value)
* @param b2 the second byte array to compare * @param unknown the second byte array to compare (should be unknown value)
* @return whether the two byte arrays are equal * @return whether the two byte arrays are equal
*/ */
protected static boolean byteEquals(byte[] b1, byte[] b2) protected static boolean byteEquals(byte[] known, byte[] unknown)
{ {
if (b1 == b2) if (known == unknown)
return true; return true;
if (b1 == null || b2 == null) if (known == null || unknown == null)
return false; return false;
boolean result = true; boolean result = true;
int l1 = b1.length; int l1 = known.length;
int l2 = b2.length; int l2 = unknown.length;
if (l1 != l2) for (int i = 0; i < l2; ++i)
result = false; result &= known[i%l1] == unknown[i];
int l = Math.min(l1, l2); return result && l1 == l2;
for (int i = 0; i < l; ++i)
result &= b1[i] == b2[i];
return result;
} }
/** /**