RFR: 8295919: java.security.MessageDigest.isEqual does not adhere to @implNote
Kevin Driver
kdriver at openjdk.org
Wed Sep 27 20:07:12 UTC 2023
On Wed, 27 Sep 2023 19:31:53 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Fix JDK-8295919 by updating the javadoc to explain that a null or zero-length `digestb` will also result in a short-circuit response
>
> src/java.base/share/classes/java/security/MessageDigest.java line 464:
>
>> 462: * It does not depend on the length of {@code digestb} or the contents
>> 463: * of {@code digesta} and {@code digestb}, unless {@code digestb} is null
>> 464: * or has a length of zero bytes.
>
> I think this new text should be moved earlier to the first sentence, since that first sentence is not always true given this condition. I suggest rewording the first two sentences as:
>
> "All bytes in {@code digesta} are examined to determine equality, unless {@code digestb} is {@code null}
> or has a length of zero bytes. If {@code digestb} is not {@code null} and does not have a length of zero bytes,
> then the calculation time depends only on the length of {@code digesta}."
Yeah, I wondered about that. Will do.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/15933#discussion_r1339147293
More information about the security-dev
mailing list