This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit ebdce4eed4c2a7ba1334902973c4b320e414c481
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 11:43:42 2026 +0100
Follow-up to AJP switch to constant time for secret comparison Implements some suggestions from a CoPilot review Align implementations more closely Fix start offset bug
---
java/org/apache/tomcat/util/security/ConstantTime.java | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/security/ConstantTime.java b/java/org/apache/tomcat/util/security/ConstantTime.java
index 9a9d16b365..992cfdf825 100644
--- a/java/org/apache/tomcat/util/security/ConstantTime.java
+++ b/java/org/apache/tomcat/util/security/ConstantTime.java
@@ -107,18 +107,18 @@ public class ConstantTime {
 return len1 == 0;
 }
- boolean result = true;
- result &= (len1 == len2);
+ int result = 0;
+ result |= len1 - len2;
 // time-constant comparison
 for (int i = 0; i < len1; i++) {
 // If i >= len2, index2 is 0; otherwise, i.
 final int index2 = ((i - len2) >>> 31) * i;
- byte b = bytes[i];
+ byte b = bytes[bc.getStart() + i];
 char c = s.charAt(index2);
- result &= (b == c);
+ result |= (b & 0xFF) ^ c;
 }
- return result;
+ return result == 0;
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
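Review bot: The new `result |= (b & 0xFF) ^ c;` widens each input byte as an unsigned 0–255 value and XORs it against a UTF-16 `char`, so only a secret whose characters are all at or below U+00FF (effectively ISO-8859-1) can ever match, and nothing in the hunk states that constraint. I would record it at the loop, `// Byte-vs-char compare: bytes are widened unsigned, so only ISO-8859-1 secrets can match; any wider char never equals a byte.`, and repeat it in the method's Javadoc, which starts before this hunk. Separately, when `len2` is 0 the masked index `((i - len2) >>> 31) * i` collapses to 0 on every iteration, so `s.charAt(0)` would throw on an empty `s` for any non-empty input; if the guard above `return len1 == 0;` does not already cover `len2 == 0`, it should. The enclosing method begins outside the hunk, so the guard's condition is not visible here.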
