Author: tilman Date: Wed Apr 3 14:22:27 2024 New Revision: 1916786 URL: http://svn.apache.org/viewvc?rev=1916786&view=rev Log: PDFBOX-5798: use MessageDigest.isEqual() to prevent timing attacks
Modified: pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
Modified: pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java
URL: http://svn.apache.org/viewvc/pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java?rev=1916786&r1=1916785&r2=1916786&view=diff
==============================================================================
--- pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java (original)
+++ pdfbox/branches/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java Wed Apr 3 14:22:27 2024
@@ -607,7 +607,7 @@ public final class StandardSecurityHandl
             hash = computeHash2A(truncatedOwnerPassword, oValidationSalt, user);
         }
-        return Arrays.equals(hash, oHash);
+        return MessageDigest.isEqual(hash, oHash);
     }
     else
     {
@@ -980,12 +980,12 @@ public final class StandardSecurityHandl
                 length, encryptMetadata);
         if (encRevision == 2)
         {
-            return Arrays.equals(user, passwordBytes);
+            return MessageDigest.isEqual(user, passwordBytes);
         }
         else
         {
             // compare first 16 bytes only
-            return Arrays.equals(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
+            return MessageDigest.isEqual(Arrays.copyOf(user, 16), Arrays.copyOf(passwordBytes, 16));
         }
     }
@@ -1007,7 +1007,7 @@ public final class StandardSecurityHandl
             hash = computeHash2A(truncatedPassword, uValidationSalt, null);
         }
-        return Arrays.equals(hash, uHash);
+        return MessageDigest.isEqual(hash, uHash);
     }
 /**
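Review bot: The reason for replacing `Arrays.equals` with `MessageDigest.isEqual` on the `oHash` comparison is not recorded at the call site, so a later reader sees only two apparently interchangeable calls and may reintroduce `Arrays.equals`; a one-line comment such as `// constant-time comparison: do not leak how many bytes of the hash matched` would make the intent durable. The same comment belongs on the `uHash` comparison in the third hunk. No import hunk appears in this revision, so `java.security.MessageDigest` is presumably already imported in this file — worth confirming the file compiles on this branch. The enclosing method starts and ends outside the hunk.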
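Review bot: The `// compare first 16 bytes only` comment understates what the comparison below it does: `Arrays.copyOf(user, 16)` and `Arrays.copyOf(passwordBytes, 16)` zero-pad any array shorter than 16 bytes, so `MessageDigest.isEqual` (exactly like `Arrays.equals` before it) treats a short value as equal to one whose computed bytes end in zeros. That is pre-existing behavior rather than something this change introduces, but the comment could say so: `// compare first 16 bytes only (arrays shorter than 16 are zero-padded by copyOf)`. In the `encRevision == 2` branch `MessageDigest.isEqual` returns false on a length mismatch as `Arrays.equals` did, so the result is unchanged there. The enclosing method starts and ends outside the hunk.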