Issue #1556 - A timing channel in Password.java.

Improved logic to avoid timing attacks: now the password length cannot be inferred.
2017-05-18 21:09:16 +02:00 · 2017-05-18 21:09:16 +02:00 · 2baa1abe4b
parent f3751d7078
commit 2baa1abe4b
1 changed files with 14 additions and 4 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
@ -82,10 +82,15 @@ public abstract class Credential implements Serializable
    {
        if (s1 == s2)
            return true;
-        if (s1 == null || s2 == null || s1.length() != s2.length())
+        if (s1 == null || s2 == null)
            return false;
        boolean result = true;
-        for (int i = 0; i < s1.length(); i++)
+        int l1 = s1.length();
+        int l2 = s2.length();
+        if (l1 != l2)
+            result = false;
+        int l = Math.min(l1, l2);
+        for (int i = 0; i < l; ++i)
            result &= s1.charAt(i) == s2.charAt(i);
        return result;
    }
@ -101,10 +106,15 @@ public abstract class Credential implements Serializable
    {
        if (b1 == b2)
            return true;
-        if (b1 == null || b2 == null || b1.length != b2.length)
+        if (b1 == null || b2 == null)
            return false;
        boolean result = true;
-        for (int i = 0; i < b1.length; i++)
+        int l1 = b1.length;
+        int l2 = b2.length;
+        if (l1 != l2)
+            result = false;
+        int l = Math.min(l1, l2);
+        for (int i = 0; i < l; ++i)
            result &= b1[i] == b2[i];
        return result;
    }