[SHIRO-547] Use MessageDigest#isEqual() instead of Arrays#equals() for comparing digests - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.2.4, 2.0.0-alpha
Fix Version/s: 1.3.0
Component/s: Authentication (log-in), Cryptography & Hashing
Labels:
- patch

Flags:

Patch

Description

While looking through shiro code I noticed that there are three places which compare byte[]s representing hashes using `Arrays#equals()`

To avoid potential timing attacks these should be using `MessageDigest#isEqual()`, which at least starting with Java 6u17 uses a constant-time comparison.

I'm not sure which Java version shiro targets, but it might make sense to either require Java 7, or to at least strongly suggest this in the documentation.

Attached a patch against trunk, but please also consider fixing this in the 1.2 branch.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

shiro-547-messagedigest.diff
23/Oct/15 12:41
2 kB
Andreas Kohn

Activity

People

Assignee:: Unassigned

Reporter:: Andreas Kohn

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Oct/15 12:41

Updated:: 01/Jul/16 21:24

Resolved:: 01/Jul/16 21:24