Posted to commits@pdfbox.apache.org by ti...@apache.org on 2024/04/03 14:22:27 UTC
svn commit: r1916786 - /pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
Author: tilman
Date: Wed Apr 3 14:22:27 2024
New Revision: 1916786
URL: http://svn.apache.org/viewvc?rev=1916786&view=rev
Log:
PDFBOX-5798: use MessageDigest.isEqual() to prevent timing attacks
Modified:
pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
Modified: pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java?rev=1916786&r1=1916785&r2=1916786&view=diff
==============================================================================
--- pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java (original)
+++ pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java Wed Apr 3 14:22:27 2024
@@ -607,7 +607,7 @@ public final class StandardSecurityHandl
hash = computeHash2A(truncatedOwnerPassword, oValidationSalt, user);
}
- return Arrays.equals(hash, oHash);
+ return MessageDigest.isEqual(hash, oHash);
}
else
{
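Review bot: The new `return MessageDigest.isEqual(hash, oHash);` has no comment saying why a constant-time comparison is needed here, so a later cleanup could quietly put `Arrays.equals` back. The same applies to the `uHash` comparison in the third hunk and to both returns in the second. I would add a line above each return such as `// constant-time comparison (PDFBOX-5798); do not replace with Arrays.equals`. It is also worth recording that `MessageDigest.isEqual` itself returned at the first mismatching byte on old runtimes (Java 6 before Update 17, as far as I recall), so the guarantee depends on the deployed JRE if this branch still supports them. The enclosing method begins and ends outside this hunk.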
@@ -980,12 +980,12 @@ public final class StandardSecurityHandl
length, encryptMetadata);
if (encRevision == 2)
{
- return Arrays.equals(user, passwordBytes);
+ return MessageDigest.isEqual(user, passwordBytes);
}
else
{
// compare first 16 bytes only
- return Arrays.equals(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
+ return MessageDigest.isEqual(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
}
}
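Review bot: In the else branch, `Arrays.copyOf(user, 16)` and `Arrays.copyOf(passwordBytes, 16)` zero-pad any array shorter than 16 bytes, so a truncated `user` value from the document is compared as if it ended in zero bytes instead of being rejected. The commit keeps this behaviour from the old `Arrays.equals` line. An explicit guard before the comparison, e.g. `if (user.length < 16 || passwordBytes.length < 16) { return false; }`, would make the length requirement visible. Whether a caller already validates these lengths cannot be seen from this hunk, and the method starts outside it.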
@@ -1007,7 +1007,7 @@ public final class StandardSecurityHandl
hash = computeHash2A(truncatedPassword, uValidationSalt, null);
}
- return Arrays.equals(hash, uHash);
+ return MessageDigest.isEqual(hash, uHash);
}
/**