From: Felix Dörre <felix@dogcraft.de>
Date: Tue, 15 Jul 2014 22:18:14 +0000 (+0200)
Subject: Prevent timing attacks against hash check.
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=1da751bbdb4c7146cfa257c8eeb12e9a96d1b9ff

Prevent timing attacks against hash check.
---

diff --git a/src/org/cacert/gigi/util/PasswordHash.java b/src/org/cacert/gigi/util/PasswordHash.java
index edc1ad53..71f75479 100644
--- a/src/org/cacert/gigi/util/PasswordHash.java
+++ b/src/org/cacert/gigi/util/PasswordHash.java
@@ -6,7 +6,14 @@ import java.security.NoSuchAlgorithmException;
 public class PasswordHash {
 	public static boolean verifyHash(String password, String hash) {
 		String newhash = sha1(password);
-		return newhash.equals(hash);
+		boolean match = true;
+		if (newhash.length() != hash.length()) {
+			match = false;
+		}
+		for (int i = 0; i < newhash.length(); i++) {
+			match &= newhash.charAt(i) == hash.charAt(i);
+		}
+		return match;
 	}
 
 	private static String sha1(String password) {