This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new f1a79c4304 A few more places were constant time comparisons could be
used
f1a79c4304 is described below
commit f1a79c4304d25f455ca474aee5573655871358e4
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 11:53:18 2026 +0100
A few more places where constant time comparisons could be used
Identified by CoPilot
---
java/org/apache/catalina/realm/DigestCredentialHandlerBase.java | 2 +-
java/org/apache/catalina/realm/MessageDigestCredentialHandler.java | 5 ++---
java/org/apache/catalina/realm/RealmBase.java | 3 ++-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
b/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
index a3edbeb547..a18d711adc 100644
--- a/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
+++ b/java/org/apache/catalina/realm/DigestCredentialHandlerBase.java
@@ -192,7 +192,7 @@ public abstract class DigestCredentialHandlerBase
implements CredentialHandler {
return false;
}
- return DigestCredentialHandlerBase.equals(storedHexEncoded,
inputHexEncoded, true);
+ return ConstantTime.equals(storedHexEncoded, inputHexEncoded, true);
}
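Review bot: The `DigestCredentialHandlerBase.equals(storedHexEncoded, inputHexEncoded, true)` helper that the removed line called is not touched by this commit and sits outside the hunk, so it is unclear whether it remains as an API for subclasses. If it is kept, it should either delegate to `ConstantTime.equals` or be marked `@Deprecated` with Javadoc pointing at `ConstantTime`, so the codebase does not carry two constant-time string comparisons that can drift apart. No import change appears in this file's diff, so `ConstantTime` is presumably already imported here. The enclosing method starts outside the hunk.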
diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index af64ecd0c3..4c460a0020 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -20,7 +20,6 @@ import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
import java.util.Base64;
import org.apache.juli.logging.Log;
@@ -147,7 +146,7 @@ public class MessageDigestCredentialHandler extends
DigestCredentialHandlerBase
byte[] userDigestBytes =
ConcurrentMessageDigest.digest(getAlgorithm(),
inputCredentials.getBytes(StandardCharsets.ISO_8859_1), serverSaltBytes);
- return Arrays.equals(userDigestBytes, serverDigestBytes);
+ return ConstantTime.equals(userDigestBytes, serverDigestBytes);
} else if (storedCredentials.indexOf('$') > -1) {
return matchesSaltIterationsEncoded(inputCredentials,
storedCredentials);
} else {
@@ -158,7 +157,7 @@ public class MessageDigestCredentialHandler extends
DigestCredentialHandlerBase
// Root cause should be logged by mutate()
return false;
}
- return storedCredentials.equalsIgnoreCase(userDigest);
+ return ConstantTime.equals(storedCredentials, userDigest,
true);
}
}
}
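Review bot: The new `ConstantTime.equals(storedCredentials, userDigest, true)` may fold case differently from the `equalsIgnoreCase` it replaces: `String.equalsIgnoreCase` applies per-character Unicode case mapping, while a constant-time helper most likely folds ASCII letters only (the helper is not visible here, please confirm). That difference is harmless when both operands are hex-encoded digests, which appears to be the situation on this branch since `userDigest` comes from `mutate()`, but it deserves a one-line comment above the return such as `// Both sides are hex-encoded digests, so ASCII-only case folding is sufficient`. The enclosing method starts outside the hunk.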
diff --git a/java/org/apache/catalina/realm/RealmBase.java
b/java/org/apache/catalina/realm/RealmBase.java
index bb3771f231..dbe1bc6310 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -61,6 +61,7 @@ import
org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+import org.apache.tomcat.util.security.ConstantTime;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
@@ -424,7 +425,7 @@ public abstract class RealmBase extends LifecycleMBeanBase
implements Realm {
"digestA2:" + digestA2 + " Server digest:" + serverDigest);
}
- if (serverDigest.equals(clientDigest)) {
+ if (ConstantTime.equals(serverDigest, clientDigest, true)) {
return getPrincipal(username);
}
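Review bot: The new comparison is case-insensitive where the removed `serverDigest.equals(clientDigest)` was not, since the third argument is the ignore-case flag (judging by the `equalsIgnoreCase` replacement in MessageDigestCredentialHandler), so a client digest response in upper-case hex is now accepted where it was previously rejected. If that relaxation is intended it should be stated in the commit message or in a comment on the line; otherwise pass `false`: `if (ConstantTime.equals(serverDigest, clientDigest, false)) {`. It is also not visible whether `ConstantTime.equals` tolerates a null `clientDigest` the way `String.equals` did; worth confirming against the helper. The enclosing method starts outside the hunk.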