6863503: SECURITY: MessageDigest.isEqual introduces timing attack vulnerabilities

Reviewed-by: mullan, wetmore
2009-09-24 22:50:41 +01:00 · 2009-09-24 22:50:41 +01:00 · b56db81425
commit b56db81425
parent 1e716786f0
1 changed files with 10 additions and 9 deletions
--- a/jdk/src/share/classes/java/security/MessageDigest.java
+++ b/jdk/src/share/classes/java/security/MessageDigest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 1996-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -414,16 +414,17 @@ public abstract class MessageDigest extends MessageDigestSpi {
     *
     * @return true if the digests are equal, false otherwise.
     */
-    public static boolean isEqual(byte digesta[], byte digestb[]) {
-        if (digesta.length != digestb.length)
+    public static boolean isEqual(byte[] digesta, byte[] digestb) {
+        if (digesta.length != digestb.length) {
            return false;
-
-        for (int i = 0; i < digesta.length; i++) {
-            if (digesta[i] != digestb[i]) {
-                return false;
-            }
        }
-        return true;
+
+        int result = 0;
+        // time-constant comparison
+        for (int i = 0; i < digesta.length; i++) {
+            result |= digesta[i] ^ digestb[i];
+        }
+        return result == 0;
    }

    /**