Andreas Kohn created SHIRO-547:
----------------------------------
Summary: Use MessageDigest#isEqual() instead of Arrays#equals() for comparing digests
Key: SHIRO-547
URL: https://issues.apache.org/jira/browse/SHIRO-547
Project: Shiro
Issue Type: Bug
Components: Authentication (log-in), Cryptography & Hashing
Affects Versions: 1.2.4, 2.0.0
Reporter: Andreas Kohn
While looking through Shiro code I noticed that there are three places which
compare byte[]s representing hashes using `Arrays#equals()`.
To avoid potential timing attacks these should be using
`MessageDigest#isEqual()`, which at least starting with Java 6u17 uses a
constant-time comparison.
I'm not sure which Java version shiro targets, but it might make sense to
either require Java 7, or to at least strongly suggest this in the
documentation.
Attached a patch against trunk, but please also consider fixing this in the 1.2
branch.
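An added illustration (not Shiro's code and not the attached patch) of the comparison the report describes: the short-circuiting `Arrays.equals` check beside the `MessageDigest.isEqual` replacement, plus a hand-rolled constant-time compare as a fallback for runtimes older than 6u17. The SHA-256 hashing and the sample secret are constructed for the example; Shiro's own hashing is configurable and typically salted and iterated.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class DigestCompare {

    // Constructed sample hashing; stands in for whatever produced the stored digest.
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // BEFORE: Arrays.equals returns at the first differing byte, so the time it
    // takes depends on how many leading bytes of the candidate digest match.
    static boolean matchesUnsafe(byte[] stored, String candidate) {
        return Arrays.equals(stored, sha256(candidate));
    }

    // AFTER: MessageDigest.isEqual (constant-time from Java 6u17 onward) examines
    // every byte before answering, whatever the position of the first mismatch.
    static boolean matchesSafe(byte[] stored, String candidate) {
        return MessageDigest.isEqual(stored, sha256(candidate));
    }

    // Fallback for older runtimes: accumulate the XOR of every byte pair and only
    // decide at the end. Digests of one algorithm share a length, so the length
    // difference folded into `diff` is not a secret here.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return a == b;
        }
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        byte[] stored = sha256("constructed-sample-secret");
        System.out.println(matchesUnsafe(stored, "wrong-guess"));
        System.out.println(matchesSafe(stored, "wrong-guess"));
        System.out.println(constantTimeEquals(stored, sha256("constructed-sample-secret")));
    }
}
```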