This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 2e676264ce Follow-up to AJP switch to constant time for secret
comparison
2e676264ce is described below
commit 2e676264ce27448a4d4841e42c1238bd10ca3755
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 11:43:42 2026 +0100
Follow-up to AJP switch to constant time for secret comparison
Implements some suggestions from a CoPilot review
Align implementations more closely
Fix start offset bug
---
java/org/apache/tomcat/util/security/ConstantTime.java | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/security/ConstantTime.java
b/java/org/apache/tomcat/util/security/ConstantTime.java
index 9a9d16b365..992cfdf825 100644
--- a/java/org/apache/tomcat/util/security/ConstantTime.java
+++ b/java/org/apache/tomcat/util/security/ConstantTime.java
@@ -107,18 +107,18 @@ public class ConstantTime {
return len1 == 0;
}
- boolean result = true;
- result &= (len1 == len2);
+ int result = 0;
+ result |= len1 - len2;
// time-constant comparison
for (int i = 0; i < len1; i++) {
// If i >= len2, index2 is 0; otherwise, i.
final int index2 = ((i - len2) >>> 31) * i;
- byte b = bytes[i];
+ byte b = bytes[bc.getStart() + i];
char c = s.charAt(index2);
- result &= (b == c);
+ result |= (b & 0xFF) ^ c;
}
- return result;
+ return result == 0;
}
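Review bot: `result |= (b & 0xFF) ^ c;` changes the matching semantics from the old `b == c`: under signed promotion a byte of 0x80 or above never equalled any char, whereas the unsigned form now matches chars U+0080–U+00FF, i.e. a Latin-1 byte-to-char comparison. That may well be the intent, but it is a behaviour change the commit message does not mention and the method's Javadoc (outside the hunk) should state it, e.g. `Bytes are compared to chars by unsigned value, so only ISO-8859-1 encoded input can compare equal to the string.` A char above 0xFF always leaves a non-zero `result`, so the widened match cannot produce a false positive for such characters. As a point of style, `bc.getStart()` is re-read on every iteration; reading it once before the loop, `final int start = bc.getStart();`, and indexing `bytes[start + i]` is clearer. The enclosing method starts before the hunk.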