Author: markt Date: Tue Aug 30 23:33:05 2016 New Revision: 1758506 URL: http://svn.apache.org/viewvc?rev=1758506&view=rev Log: Make timing attacks against the Realm implementations harder. (schultz/markt)
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/MemoryRealm.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/MemoryRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/MemoryRealm.java?rev=1758506&r1=1758505&r2=1758506&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/MemoryRealm.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/MemoryRealm.java Tue Aug 30 23:33:05 2016 
@@ -142,23 +142,29 @@ public class MemoryRealm extends RealmB * @param credentials Password or other credentials to use in * authenticating this username */ + @Override public Principal authenticate(String username, String credentials) { - GenericPrincipal principal = - (GenericPrincipal) principals.get(username); + // No user or no credentials + // Can't possibly authenticate, don't bother the database then + if (username == null || credentials == null) { + return null; + } + + GenericPrincipal principal = principals.get(username); boolean validated = false; - if (principal != null && credentials != null) { - if (hasMessageDigest()) { - // Hex hashes should be compared case-insensitive - validated = (digest(credentials) - .equalsIgnoreCase(principal.getPassword())); - } else { - validated = - (digest(credentials).equals(principal.getPassword())); - } + String dbCredentials = null; + if (principal != null) { + dbCredentials = principal.getPassword(); } - + if (hasMessageDigest()) { + // Hex hashes should be compared case-insensitive + validated = (digest(credentials).equalsIgnoreCase(dbCredentials)); + } else { + validated = (digest(credentials).equals(dbCredentials)); + } + if (validated) { if (log.isDebugEnabled()) log.debug(sm.getString("memoryRealm.authenticateSuccess", username)); Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1758506&r1=1758505&r2=1758506&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java Tue Aug 30 23:33:05 2016 
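Review bot: The new `validated = (digest(credentials).equalsIgnoreCase(dbCredentials));` and `validated = (digest(credentials).equals(dbCredentials));` lines still use comparisons that return at the first differing character (or on a length mismatch), so the compare itself remains input-dependent even though the digest is now computed for unknown users as well; in the no-digest branch that compare runs directly against the stored plaintext, assuming `digest()` returns its input unchanged when no algorithm is configured. Replace both with a length-independent compare that folds every character, e.g. lower-casing both sides once with `toLowerCase(Locale.ENGLISH)` for the hex branch and then `validated = constantTimeEquals(digest(credentials), dbCredentials);` where the helper XOR-accumulates `charAt(i)` over the common length and ORs in the length difference. `MessageDigest.isEqual` is the tempting shortcut, but it has not been constant-time on every JDK release this branch supports, so a hand-rolled loop is the safer choice here. The `validated` branch and the return of `authenticate` lie outside this hunk.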
@@ -336,15 +336,19 @@ public abstract class RealmBase */ public Principal authenticate(String username, String credentials) { + // No user or no credentials + // Can't possibly authenticate, don't bother the database then + if (username == null || credentials == null) { + return null; + } + String serverCredentials = getPassword(username); boolean validated ; - if ( serverCredentials == null ) { - validated = false; - } else if(hasMessageDigest()) { - validated = serverCredentials.equalsIgnoreCase(digest(credentials)); + if(hasMessageDigest()) { + validated = digest(credentials).equalsIgnoreCase(serverCredentials); } else { - validated = serverCredentials.equals(credentials); + validated = credentials.equals(serverCredentials); } if(! validated ) { if (containerLog.isTraceEnabled()) { Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1758506&r1=1758505&r2=1758506&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Aug 30 23:33:05 2016 @@ -137,6 +137,10 @@ that the global resource is only visible via the <code>ResourceLinkFactory</code> when it is meant to be. (markt) </add> + <fix> + Make timing attacks against the Realm implementations harder. + (schultz/markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
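Review bot: Both new comparison lines, `validated = digest(credentials).equalsIgnoreCase(serverCredentials);` and `validated = credentials.equals(serverCredentials);`, still short-circuit on length or on the first mismatching character, so computing the digest unconditionally narrows the gap but leaves the compare itself as a timing oracle, and the plaintext branch compares straight against the stored secret. A small helper that visits every character of the common length and folds the length difference into the result closes that, as below; `MessageDigest.isEqual` is not guaranteed constant-time on all JDK releases this branch supports, hence the hand-rolled loop. Also worth a comment above `String serverCredentials = getPassword(username);`: for realms backed by a directory or database the lookup cost for an unknown user is set by the backend, so the null-guard alone does not hide whether the account exists. `authenticate` continues past the end of this hunk.
```java
        if (hasMessageDigest()) {
            validated = constantTimeEquals(digest(credentials).toLowerCase(Locale.ENGLISH),
                    serverCredentials == null ? null : serverCredentials.toLowerCase(Locale.ENGLISH));
        } else {
            validated = constantTimeEquals(credentials, serverCredentials);
        }
        // … unchanged: trace logging and return …

    /**
     * Compares the two strings without returning early on the first mismatch.
     * A null on either side never matches. The loop length follows the shorter
     * input, so the length itself is not hidden; hex digests are fixed-length.
     */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        int diff = a.length() ^ b.length();
        int n = Math.min(a.length(), b.length());
        for (int i = 0; i < n; i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
```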