
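--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/DataSourceRealm.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/DataSourceRealm.java
@@ -33,6 +33,7 @@
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.ServerFactory;
 import org.apache.catalina.core.StandardServer;
+import org.apache.catalina.util.HexUtils;
 import org.apache.catalina.util.StringManager;
 
 /**
@@ -340,10 +341,13 @@
         // Validate the user's credentials
         boolean validated = false;
         if (hasMessageDigest()) {
-            // Hex hashes should be compared case-insensitive
-            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
+        	byte salt[] = null;
+        	if (digest.equals("ssha")) {
+        		salt = HexUtils.convert(dbCredentials.substring(dbCredentials.length()-8)); // salt is last 4 bytes = 8 characters
+        	}
+            validated = dbCredentials.equalsIgnoreCase(digest(credentials,salt));
         } else
-            validated = (digest(credentials).equals(dbCredentials));
+            validated = (digest(credentials,null).equals(dbCredentials));
 
         if (validated) {
             if (containerLog.isTraceEnabled())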
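Review bot: The salt extraction on new line 346, `salt = HexUtils.convert(dbCredentials.substring(dbCredentials.length()-8));`, throws StringIndexOutOfBoundsException when the stored value is shorter than 8 characters, and HexUtils.convert presumably rejects non-hex input, so a malformed or legacy credential row makes authenticate() fail with an exception instead of returning false. The same construct is added in the JDBCRealm, MemoryRealm and RealmBase.authenticate hunks. A length guard keeps such rows a plain rejection: `if (digest.equals("ssha") && dbCredentials.length() >= 8) {`. Separately, `byte salt[] = null;` uses the C-style array declarator while the other realms in this patch write `byte[] salt`; the latter is the conventional form. The enclosing authenticate method starts and ends outside the hunk.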
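--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JAASCallbackHandler.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JAASCallbackHandler.java
@@ -69,7 +69,7 @@
         this.username = username;
 
         if (realm.hasMessageDigest()) {
-            this.password = realm.digest(password);
+            this.password = realm.digest(password,null);
         }
         else {
             this.password = password;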
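Review bot: Passing `null` as the salt on new line 72 means that when the realm's digest is "ssha" this handler produces an unsalted SHA-1 hex string, which cannot match a stored salted value; the JNDIRealm hunk has the same gap, where `digest(credentials,null)` on new lines 1523 and 1526 is compared against the `password` read from the directory, so ssha authentication would always fail there. Whether a JAAS login module could supply the salt is not visible from this hunk, but the JNDIRealm path could extract it from the stored value the way the other realms do. If ssha is intentionally unsupported on these two paths, a comment saying so at each call, e.g. `// ssha salt is not recoverable here; only unsalted digests are supported`, would stop the next reader from treating it as an oversight. The enclosing constructor continues outside the hunk.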
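--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JDBCRealm.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JDBCRealm.java
@@ -29,6 +29,7 @@
 import java.util.Properties;
 
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.util.HexUtils;
 import org.apache.catalina.util.StringManager;
 
 
@@ -416,10 +417,13 @@
         // Validate the user's credentials
         boolean validated = false;
         if (hasMessageDigest()) {
-            // Hex hashes should be compared case-insensitive
-            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
+        	byte[] salt = null;
+        	if (digest.equals("ssha")) {
+        		salt = HexUtils.convert(dbCredentials.substring(dbCredentials.length()-8)); // salt is last 4 bytes = 8 characters
+        	}
+            validated = dbCredentials.equalsIgnoreCase(digest(credentials,salt));
         } else {
-            validated = (digest(credentials).equals(dbCredentials));
+            validated = (digest(credentials,null).equals(dbCredentials));
         }
 
         if (validated) {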
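--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1520,10 +1520,10 @@
                 } // End synchronized(this) block
             } else {
                 // Hex hashes should be compared case-insensitive
-                validated = (digest(credentials).equalsIgnoreCase(password));
+                validated = (digest(credentials,null).equalsIgnoreCase(password));
             }
         } else
-            validated = (digest(credentials).equals(password));
+            validated = (digest(credentials,null).equals(password));
         return (validated);
 
     }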
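--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/MemoryRealm.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/MemoryRealm.java
@@ -25,6 +25,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.util.HexUtils;
 import org.apache.catalina.util.StringManager;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -150,12 +151,16 @@
         boolean validated = false;
         if (principal != null && credentials != null) {
             if (hasMessageDigest()) {
+            	String serverCredentials = principal.getPassword();
+            	byte[] salt = null;
+            	if (digest.equals("ssha")) {
+            		salt = HexUtils.convert(serverCredentials.substring(serverCredentials.length()-8)); // salt is last 4 bytes = 8 characters
+            	}
+                validated = serverCredentials.equalsIgnoreCase(digest(credentials,salt));
                 // Hex hashes should be compared case-insensitive
-                validated = (digest(credentials)
-                             .equalsIgnoreCase(principal.getPassword()));
             } else {
                 validated =
-                    (digest(credentials).equals(principal.getPassword()));
+                    (digest(credentials,null).equals(principal.getPassword()));
             }
         }
 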
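Review bot: The retained comment `// Hex hashes should be compared case-insensitive` on new line 160 now sits below the `equalsIgnoreCase` comparison it explains (new line 159) and directly above the `else`, so it no longer describes anything. Move it above `String serverCredentials = principal.getPassword();` so the salt lookup and the comparison it feeds are read together, or drop it. The new lines also mix tab and space indentation (the `String serverCredentials` and `byte[] salt` lines are tab-indented, the `validated =` line uses spaces), which the surrounding code does not. The substring-based salt extraction on new line 157 has the same short-stored-value problem noted on the DataSourceRealm hunk. The enclosing authenticate method starts before this hunk.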
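--- a/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/RealmBase.java
+++ b/orig/apache-tomcat-6.0.33-src/java/org/apache/catalina/realm/RealmBase.java
@@ -28,6 +28,7 @@
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Random;
 
 import javax.management.Attribute;
 import javax.management.MBeanRegistration;
@@ -311,7 +312,11 @@
         if ( serverCredentials == null ) {
             validated = false;
         } else if(hasMessageDigest()) {
-            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
+        	byte[] salt = null;
+        	if (digest.equals("ssha")) {
+        		salt = HexUtils.convert(serverCredentials.substring(serverCredentials.length()-8)); // salt is last 4 bytes = 8 characters
+        	}
+            validated = serverCredentials.equalsIgnoreCase(digest(credentials,salt));
         } else {
             validated = serverCredentials.equals(credentials);
         }
@@ -1052,7 +1057,7 @@
         // Create a MessageDigest instance for credentials, if desired
         if (digest != null) {
             try {
-                md = MessageDigest.getInstance(digest);
+                md = MessageDigest.getInstance(digest.equals("ssha") ? "sha1" : digest);
             } catch (NoSuchAlgorithmException e) {
                 throw new LifecycleException
                     (sm.getString("realmBase.algorithm", digest), e);
@@ -1107,16 +1112,29 @@
 
     // ------------------------------------------------------ Protected Methods
 
+    /**
+     * Digest the password using the specified algorithm and
+     * convert the result to a corresponding hexadecimal string.
+     * If exception, the plain credentials string is returned.
+     *
+     * @param credentials Password or other credentials to use in
+     *  authenticating this username
+     */
+    protected String digest(String credentials) {
+    	return digest(credentials,null);
+    }
 
     /**
      * Digest the password using the specified algorithm and
      * convert the result to a corresponding hexadecimal string.
      * If exception, the plain credentials string is returned.
+     * If salt is not-null, the message digest is updated with
+     * that salt and it is appended to the string
      *
      * @param credentials Password or other credentials to use in
      *  authenticating this username
      */
-    protected String digest(String credentials)  {
+    protected String digest(String credentials,byte[] salt)  {
 
         // If no MessageDigest instance is specified, return unchanged
         if (hasMessageDigest() == false)
@@ -1139,6 +1157,10 @@
                     }
                 }
                 md.update(bytes);
+                if (salt != null) {
+                	md.update(salt);
+                    return (HexUtils.convert(md.digest())) + HexUtils.convert(salt);
+                }
 
                 return (HexUtils.convert(md.digest()));
             } catch (Exception e) {
@@ -1242,7 +1264,7 @@
         try {
             // Obtain a new message digest with "digest" encryption
             MessageDigest md =
-                (MessageDigest) MessageDigest.getInstance(algorithm).clone();
+                (MessageDigest) MessageDigest.getInstance(algorithm.equals("ssha") ? "sha1" : algorithm).clone();
 
             // encode the credentials
             // Should use the digestEncoding, but that's not a static field
@@ -1251,9 +1273,19 @@
             } else {
                 md.update(credentials.getBytes(encoding));                
             }
+            if (algorithm.equals("ssha")) {
+            	Random r = new Random();
+            	byte[] salt = new byte[4];
+            	for(int i = 0; i < salt.length; i++) {
+            		salt[i] = (byte)r.nextInt(256);
+            	}
 
-            // Digest the credentials and return as hexadecimal
-            return (HexUtils.convert(md.digest()));
+            	md.update(salt);
+            	return (HexUtils.convert(md.digest())) + HexUtils.convert(salt);
+            } else {
+            	// Digest the credentials and return as hexadecimal
+            	return (HexUtils.convert(md.digest()));
+            }
         } catch(Exception ex) {
             log.error(ex);
             return credentials;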
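Review bot: The salt in Digest() (new lines 1277-1280) is drawn from `java.util.Random`, a seeded PRNG whose output is predictable, so salts produced by the digest tool are not the unpredictable per-password values a salted hash relies on; use `java.security.SecureRandom` and let it fill the array, `SecureRandom r = new SecureRandom();` followed by `r.nextBytes(salt);`, dropping the `for` loop and replacing the `java.util.Random` import added in the first hunk. A 4-byte salt is also short for a credential store, but lengthening it would have to change together with the fixed 8-character suffix convention the realm hunks depend on, so that is a separate follow-up. The Javadoc on `digest(String credentials, byte[] salt)` (new lines 1127-1136) describes the salt in prose but has no tag for the new parameter; add `@param salt Salt to mix into the digest, or {@code null} for an unsalted digest`. The `algorithm.equals("ssha") ? "sha1" : algorithm` mapping is now duplicated in start() and Digest(); a small shared helper would keep the two from drifting.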
