This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6a8ad1a9025db7b6d3c8fd4272ce9b9ca08a9b93
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 11:53:18 2026 +0100
A few more places were constant time comparisons could be used Identified by CoPilot
---
 java/org/apache/catalina/realm/DigestCredentialHandlerBase.java | 2 +-
 java/org/apache/catalina/realm/MessageDigestCredentialHandler.java | 5 ++---
 java/org/apache/catalina/realm/RealmBase.java | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java b/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
index a3edbeb547..a18d711adc 100644
--- a/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
+++ b/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
@@ -192,7 +192,7 @@ public abstract class DigestCredentialHandlerBase implements CredentialHandler {
 return false;
 }
- return DigestCredentialHandlerBase.equals(storedHexEncoded, inputHexEncoded, true);
+ return ConstantTime.equals(storedHexEncoded, inputHexEncoded, true);
 }
diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index eb79b3fbc4..766cde8d92 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -20,7 +20,6 @@ import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Base64;
 import org.apache.juli.logging.Log;
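Review bot: The `+` line in the `@@ -192` hunk of DigestCredentialHandlerBase.java passes a bare `true` to `ConstantTime.equals` with nothing at the call site saying what it selects; assuming it is an ignore-case flag (the operands are `storedHexEncoded` and `inputHexEncoded`, and hex digits may be stored in either case), a one-line comment such as `// ignoreCase: hex-encoded digests may be stored upper- or lower-case` would make clear that case-insensitive matching is intentional. The replaced line also implies a static `DigestCredentialHandlerBase.equals(String, String, boolean)` helper that this class no longer calls here; if it is still present for subclasses or external callers, it is worth confirming that it delegates to `ConstantTime.equals` or is marked `@Deprecated` pointing to it, so every comparison path keeps the constant-time behaviour this commit is adding. No import of `org.apache.tomcat.util.security.ConstantTime` appears in this file's diff, so presumably it is already imported. The enclosing method starts and ends outside the hunk.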
@@ -147,7 +146,7 @@ public class MessageDigestCredentialHandler extends DigestCredentialHandlerBase
 byte[] userDigestBytes = ConcurrentMessageDigest.digest(getAlgorithm(), inputCredentials.getBytes(StandardCharsets.ISO_8859_1), serverSaltBytes);
- return Arrays.equals(userDigestBytes, serverDigestBytes);
+ return ConstantTime.equals(userDigestBytes, serverDigestBytes);
 } else if (storedCredentials.indexOf('$') > -1) {
 return matchesSaltIterationsEncoded(inputCredentials, storedCredentials);
 } else {
@@ -158,7 +157,7 @@ public class MessageDigestCredentialHandler extends DigestCredentialHandlerBase
 // Root cause should be logged by mutate()
 return false;
 }
- return storedCredentials.equalsIgnoreCase(userDigest);
+ return ConstantTime.equals(storedCredentials, userDigest, true);
 }
 }
 }
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 64d9685c25..2557ddb78e 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -61,6 +61,7 @@ import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.util.res.StringManager;
 import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
@@ -416,7 +417,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 "digestA2:" + digestA2 + " Server digest:" + serverDigest);
 }
- if (serverDigest.equals(clientDigest)) {
+ if (ConstantTime.equals(serverDigest, clientDigest, true)) {
 return getPrincipal(username);
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
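Review bot: The `+` line in the `@@ -158` hunk of MessageDigestCredentialHandler.java replaces `String.equalsIgnoreCase`, which folds case per the full Unicode rules, with `ConstantTime.equals(..., true)`, whose case handling is presumably ASCII-only; for the hex-encoded output of `mutate()` the two agree, but that is the assumption that makes the swap safe and it is worth stating, e.g. `// both sides are hex digests, so ASCII-only case folding is sufficient`. A related point for the ignore-case variant: whatever the helper does to fold case must itself be branch-free per character, otherwise the comparison leaks through the folding step rather than the equality test, so the helper deserves a look with that in mind if it has not had one. The enclosing method starts outside the hunk.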
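Review bot: The `+` line in the `@@ -416` hunk of RealmBase.java does more than make the comparison constant-time: `serverDigest.equals(clientDigest)` was case-sensitive, whereas `ConstantTime.equals(serverDigest, clientDigest, true)` accepts the client's `response` value in either case. Both are hex strings, so the relaxation is sound, but it is a behaviour change the commit message does not mention and deserves a line in the message or a comment at the call site, e.g. `// hex digest: case-insensitive match is intentional`. It is also worth confirming that `ConstantTime.equals` tolerates a null `clientDigest` the way `String.equals` did (returning false rather than throwing), unless the caller already guarantees it is non-null. The enclosing method starts and ends outside the hunk.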
