Mercurial > hg > release > icedtea7-forest-2.1 > jdk

changeset 1938:4fbe48c706a4

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6863503: SECURITY: MessageDigest.isEqual introduces timing attack vulnerabilities Reviewed-by: mullan, wetmore
author vinnie
date Thu, 24 Sep 2009 22:50:41 +0100
parents b19f5dc13e8c
children bd68e9dd50c8
files src/share/classes/java/security/MessageDigest.java
diffstat 1 files changed, 8 insertions(+), 7 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/security/MessageDigest.java	Mon Sep 14 11:46:16 2009 +0400
+++ b/src/share/classes/java/security/MessageDigest.java	Thu Sep 24 22:50:41 2009 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1996-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -414,16 +414,17 @@
      *
      * @return true if the digests are equal, false otherwise.
      */
-    public static boolean isEqual(byte digesta[], byte digestb[]) {
-        if (digesta.length != digestb.length)
+    public static boolean isEqual(byte[] digesta, byte[] digestb) {
+        if (digesta.length != digestb.length) {
             return false;
+        }
 
+        int result = 0;
+        // time-constant comparison
         for (int i = 0; i < digesta.length; i++) {
-            if (digesta[i] != digestb[i]) {
-                return false;
-            }
+            result |= digesta[i] ^ digestb[i];
         }
-        return true;
+        return result == 0;
     }
 
     /**