From b5f247f73fb7e2b51ce8265f6ba0f4de0436360e Mon Sep 17 00:00:00 2001
From: Calvin Kirs
Date: Fri, 7 Jul 2023 14:04:11 +0800
Subject: [PATCH] [Improve](mysql)ensure constant time for computing hash value (#21569)
---
 .../java/org/apache/doris/mysql/MysqlPassword.java | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlPassword.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlPassword.java
index 9bf5b68529..91b0255f52 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlPassword.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlPassword.java
@@ -29,7 +29,6 @@ import org.apache.logging.log4j.Logger;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Random;
 // this is stolen from MySQL
@@ -82,7 +81,7 @@ public class MysqlPassword {
 public static final byte PVERSION41_CHAR = '*';
 private static final byte[] DIG_VEC_UPPER = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
- private static Random random = new Random(System.currentTimeMillis());
+ private static final Random random = new Random(System.currentTimeMillis());
 public static byte[] createRandomString(int len) {
 byte[] bytes = new byte[len];
@@ -141,10 +140,10 @@ public class MysqlPassword {
 // compute result2: SHA-1(result1)
 md.reset();
- byte[] candidateHash2 = md.digest(hashStage1);
-
- // compare result2 and hashStage2
- return Arrays.equals(candidateHash2, hashStage2);
+ md.update(hashStage1);
+ byte[] candidateHash2 = md.digest();
+ // compare result2 and hashStage2 using MessageDigest.isEqual()
+ return MessageDigest.isEqual(candidateHash2, hashStage2);
 }
 // MySQL client use this function to form scramble password
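Review bot: The `random` field in the second hunk (`@@ -82,7 +81,7 @@`) is still a `java.util.Random` seeded from `System.currentTimeMillis()`; adding `final` does not make its output any less predictable. If `createRandomString` supplies the authentication scramble, as its place in MysqlPassword suggests (its body continues outside the hunk), the field should be `private static final SecureRandom random = new SecureRandom();` with `import java.security.SecureRandom;` added to the import block. `SecureRandom` extends `Random`, so existing call sites should compile unchanged.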
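Review bot: The new comment in the third hunk (`@@ -141,10 +140,10 @@`) names the API but not the reason for it, so a later cleanup could swap `Arrays.equals` back in without noticing the regression. I would word it as `// constant-time compare: MessageDigest.isEqual does not stop at the first differing byte, so timing does not reveal how much of the hash matched`. It is also worth noting that the computed `candidateHash2` must stay the first argument, since on current JDKs the running time is documented to depend only on the first array's length. Splitting `md.digest(hashStage1)` into `md.update(hashStage1)` and `md.digest()` is equivalent and has no timing effect, so the one-call form could have been kept. The enclosing method starts outside the hunk.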