From f3751d70787fd8ab93932a51c60514c2eb37cb58 Mon Sep 17 00:00:00 2001
From: Simone Bordet
Date: Tue, 16 May 2017 16:34:04 +0200
Subject: [PATCH] Issue #1556 - A timing channel in Password.java. Fixed comparison logic, doh.
---
 .../java/org/eclipse/jetty/util/security/Credential.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
index 77692d35c4b..020a5a7b941 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
@@ -84,9 +84,9 @@ public abstract class Credential implements Serializable
 return true;
 if (s1 == null || s2 == null || s1.length() != s2.length())
 return false;
- boolean result = false;
+ boolean result = true;
 for (int i = 0; i < s1.length(); i++)
- result |= s1.charAt(i) == s2.charAt(i);
+ result &= s1.charAt(i) == s2.charAt(i);
 return result;
 }
@@ -103,9 +103,9 @@ public abstract class Credential implements Serializable
 return true;
 if (b1 == null || b2 == null || b1.length != b2.length)
 return false;
- boolean result = false;
+ boolean result = true;
 for (int i = 0; i < b1.length; i++)
- result |= b1[i] == b2[i];
+ result &= b1[i] == b2[i];
 return result;
 }
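Review bot: The early `return false` on `s1.length() != s2.length()` (and on `b1.length != b2.length` in the second hunk) still ends the comparison before the loop, so response time continues to reveal whether a supplied value has the same length as the stored one. Consider always running the loop over the caller-supplied value and folding the length comparison into the final result, e.g. ending with `return result && s1.length() == s2.length();`; for the byte[] case `java.security.MessageDigest.isEqual(b1, b2)` is a standard-library option. Accumulating differences in an int (`diff |= b1[i] ^ b2[i];` then `return diff == 0;`) is also the more conventional form than `&=` on a boolean comparison. Both method bodies begin above their hunks, so which argument holds the stored credential is not visible here. The earlier `|=` form accepted any equal-length pair that matched at a single position, so a unit test with equal-length, non-matching inputs would guard against a regression.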