From 1da751bbdb4c7146cfa257c8eeb12e9a96d1b9ff Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?= <felix@dogcraft.de>
Date: Wed, 16 Jul 2014 00:18:14 +0200
Subject: [PATCH] Prevent timing attacks against hash check.

---
 src/org/cacert/gigi/util/PasswordHash.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/org/cacert/gigi/util/PasswordHash.java b/src/org/cacert/gigi/util/PasswordHash.java
index edc1ad53..71f75479 100644
--- a/src/org/cacert/gigi/util/PasswordHash.java
+++ b/src/org/cacert/gigi/util/PasswordHash.java
@@ -6,7 +6,14 @@ import java.security.NoSuchAlgorithmException;
 public class PasswordHash {
 	public static boolean verifyHash(String password, String hash) {
 		String newhash = sha1(password);
-		return newhash.equals(hash);
+		boolean match = true;
+		if (newhash.length() != hash.length()) {
+			match = false;
+		}
+		for (int i = 0; i < newhash.length(); i++) {
+			match &= newhash.charAt(i) == hash.charAt(i);
+		}
+		return match;
 	}
 
 	private static String sha1(String password) {
-- 
2.39.2