Polish PasswordEncoderUtils do not leak length

Fix possible / 0 if expected is empty String.

Issue gh-255

core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java

@@ -38,7 +38,7 @@ class PasswordEncoderUtils {
 
 		int result = expectedLength == actualLength ? 0 : 1;
 		for (int i = 0; i < actualLength; i++) {
-			byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength];
+			byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
 			byte actualByte = actualBytes[i % actualLength];
 			result |= expectedByte ^ actualByte;
 		}

core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java

@@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests {
 		assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
 	}
 
+	@Test
+	public void equalsWhenNotEmptyAndEmptyThenFalse() {
+		assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
+		assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
+	}
+
 	@Test
 	public void equalsWhenEmtpyAndEmptyThenTrue() {
 		assertThat(PasswordEncoderUtils.equals("", "")).isTrue();