Prevent timing attacks against hash check.
authorFelix Dörre <felix@dogcraft.de>
Tue, 15 Jul 2014 22:18:14 +0000 (00:18 +0200)
committerFelix Dörre <felix@dogcraft.de>
Tue, 15 Jul 2014 22:18:31 +0000 (00:18 +0200)
src/org/cacert/gigi/util/PasswordHash.java

index edc1ad53a927782018c31e883be15a847192a243..71f7547979c9ae06c5a83ca2530fd0d9ca4763be 100644 (file)
@@ -6,7 +6,14 @@ import java.security.NoSuchAlgorithmException;
 public class PasswordHash {
        public static boolean verifyHash(String password, String hash) {
                String newhash = sha1(password);
-               return newhash.equals(hash);
+               boolean match = true;
+               if (newhash.length() != hash.length()) {
+                       match = false;
+               }
+               for (int i = 0; i < newhash.length(); i++) {
+                       match &= newhash.charAt(i) == hash.charAt(i);
+               }
+               return match;
        }
 
        private static String sha1(String password) {
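Review bot: A stored hash that is shorter than the computed one makes `hash.charAt(i)` throw StringIndexOutOfBoundsException in the new loop of verifyHash, because the length check only sets `match = false` and the loop still runs up to `newhash.length()`. Bound the loop by the shorter string, `int n = Math.min(newhash.length(), hash.length());` with `for (int i = 0; i < n; i++)`, and keep the length mismatch folded into `match`. A null `hash` now also throws where `newhash.equals(hash)` returned false; whether any caller can pass null is not visible in this hunk. `MessageDigest.isEqual` on the bytes of both strings would replace the hand-written loop with a library comparison, assuming the hash strings are plain ASCII hex.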