Posted to commits@pdfbox.apache.org by ti...@apache.org on 2024/04/03 14:22:27 UTC

svn commit: r1916786 - /pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java

Author: tilman
Date: Wed Apr  3 14:22:27 2024
New Revision: 1916786

URL: http://svn.apache.org/viewvc?rev=1916786&view=rev
Log:
PDFBOX-5798: use MessageDigest.isEqual() to prevent timing attacks

Modified:
    pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java

Modified: pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java?rev=1916786&r1=1916785&r2=1916786&view=diff
==============================================================================
--- pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java (original)
+++ pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java Wed Apr  3 14:22:27 2024
@@ -607,7 +607,7 @@ public final class StandardSecurityHandl
                 hash = computeHash2A(truncatedOwnerPassword, oValidationSalt, user);
             }
 
-            return Arrays.equals(hash, oHash);
+            return MessageDigest.isEqual(hash, oHash);
         }
         else
         {
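Review bot: The switch to MessageDigest.isEqual carries no comment saying why Arrays.equals was rejected, so a later cleanup may well "simplify" it back; a one-liner such as `// constant-time compare; Arrays.equals short-circuits on the first differing byte (PDFBOX-5798)` on this return would pin the intent, and the same comment belongs on the two isEqual calls in the revision-2/first-16-bytes hunk and on the uHash compare in the last hunk. Worth recording in that comment too: on older JDKs MessageDigest.isEqual returns early when the two lengths differ, so the constant-time property only covers equal-length inputs — presumably fine here since the compared values look like fixed-size hashes, but that is an assumption this hunk does not show. The enclosing method begins and ends outside this hunk.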
@@ -980,12 +980,12 @@ public final class StandardSecurityHandl
                                                    length, encryptMetadata);
         if (encRevision == 2)
         {
-            return Arrays.equals(user, passwordBytes);
+            return MessageDigest.isEqual(user, passwordBytes);
         }
         else
         {
             // compare first 16 bytes only
-            return Arrays.equals(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
+            return MessageDigest.isEqual(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
         }
     }
 
@@ -1007,7 +1007,7 @@ public final class StandardSecurityHandl
             hash = computeHash2A(truncatedPassword, uValidationSalt, null);
         }
 
-        return Arrays.equals(hash, uHash);
+        return MessageDigest.isEqual(hash, uHash);
     }
 
     /**