changeset 1938:4fbe48c706a4
6863503: SECURITY: MessageDigest.isEqual introduces timing attack vulnerabilities
Reviewed-by: mullan, wetmore
author | vinnie |
---|---|
date | Thu, 24 Sep 2009 22:50:41 +0100 |
parents | b19f5dc13e8c |
children | bd68e9dd50c8 |
files | src/share/classes/java/security/MessageDigest.java |
diffstat | 1 files changed, 8 insertions(+), 7 deletions(-) [+] |
--- a/src/share/classes/java/security/MessageDigest.java Mon Sep 14 11:46:16 2009 +0400
+++ b/src/share/classes/java/security/MessageDigest.java Thu Sep 24 22:50:41 2009 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -414,16 +414,17 @@
 *
 * @return true if the digests are equal, false otherwise.
 */
- public static boolean isEqual(byte digesta[], byte digestb[]) {
- if (digesta.length != digestb.length)
+ public static boolean isEqual(byte[] digesta, byte[] digestb) {
+ if (digesta.length != digestb.length) {
 return false;
+ }
+ int result = 0;
+ // time-constant comparison
 for (int i = 0; i < digesta.length; i++) {
- if (digesta[i] != digestb[i]) {
- return false;
- }
+ result |= digesta[i] ^ digestb[i];
 }
- return true;
+ return result == 0;
 }
 /**
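Review bot: The `// time-constant comparison` comment in the second hunk holds only when both arrays have the same length, because the `digesta.length != digestb.length` check above it still returns before the loop runs, so running time still reveals a length mismatch. For fixed-size digests that length is normally public, but callers comparing variable-length values such as truncated MACs or tokens should know it. I would reword the comment to `// constant-time for equal-length inputs; a length mismatch returns early above` and state the same in the Javadoc. Both arguments are also dereferenced without a null check, so a null digest throws NullPointerException rather than returning false. The Javadoc begins outside this hunk, so whether that is documented cannot be seen here.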