RFR: 8295919: java.security.MessageDigest.isEqual does not adhere to @implNote [v2]

Sean Mullan mullan at openjdk.org
Thu Sep 28 13:52:28 UTC 2023

On Wed, 27 Sep 2023 20:15:35 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> Fix JDK-8295919 by updating the javadoc to explain that a null or zero-length `digestb` will also result in a short-circuit response
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>   rephrased per code review

src/java.base/share/classes/java/security/MessageDigest.java line 461:

> 459:      * @implNote
> 460:      * All bytes in {@code digesta} are examined to determine equality, unless
> 461:      * {@code digestb} is null or has a length of zero bytes. If {@code digestb}

Use code font around "null" : `{@code null}`

src/java.base/share/classes/java/security/MessageDigest.java line 463:

> 461:      * {@code digestb} is null or has a length of zero bytes. If {@code digestb}
> 462:      * is not {@code null} and does not have a length of zero bytes, then the
> 463:      * calculation time depends only on the length of {@code digesta}.

Sorry, my last comment may have been not specific enough but I don't think you should remove the last sentence - I think that is still important to explain how it is implemented:

"It does not depend on the length of {@code digestb} or the contents of {@code digesta} and {@code digestb}."


PR Review Comment: https://git.openjdk.org/jdk/pull/15933#discussion_r1340188913
PR Review Comment: https://git.openjdk.org/jdk/pull/15933#discussion_r1340161981

More information about the security-dev mailing list