tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 32938] New: - SSHA passwords in JNDIRealm
Date Tue, 04 Jan 2005 16:52:04 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32938>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=32938

           Summary: SSHA passwords in JNDIRealm
           Product: Tomcat 5
           Version: 5.5.4
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Andrew_Polozov@yahoo.com


Current implementation of JNDIRealm does not support "Salted" SHA passwords.
So, if the password was set by iPlaned Admin server - it can't be verified by
JNDIRealm.
Here is the patch to make it work.

*** orig/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java	Tue Jan  4
11:34:07 2005
---
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
Tue Jan  4 11:16:54 2005
*************** import javax.naming.directory.SearchCont
*** 43,48 ****
--- 43,50 ----
  import javax.naming.directory.SearchResult;
  import org.apache.catalina.LifecycleException;
  import org.apache.catalina.util.Base64;
+ import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.CharChunk;
  
  
  /**
*************** public class JNDIRealm extends RealmBase
*** 1191,1196 ****
--- 1193,1231 ----
                          new String(Base64.encode(md.digest()));
                      validated = password.equals(digestedPassword);
                  }
+             } else if (password.startsWith("{SSHA}")) {
+                 /* sync since super.digest() does this same thing */
+                 synchronized (this) {
+                     password = password.substring(6);
+ 
+                     md.reset();
+                     md.update(credentials.getBytes());
+ 					//Decode stored password.
+                     ByteChunk pwbc = new ByteChunk(password.length());
+                     try {
+                         pwbc.append(password.getBytes(), 0, password.length());
+                     } catch (java.io.IOException e) {
+                         e.printStackTrace(); //Hopefully will never happen.
+                     }
+                     CharChunk decoded = new CharChunk();
+                     Base64.decode(pwbc, decoded);
+                     char[] pwarray = decoded.getBuffer();
+                     // Split decoded password into hash and salt.
+                     final int saltpos = 20;
+                     byte[] hash = new byte[saltpos];
+                     for (int i=0; i< hash.length; i++)
+                         hash[i] = (byte)pwarray[i];
+ 
+                     byte[] salt = new byte[pwarray.length - saltpos];
+                     for (int i=0; i< salt.length; i++)
+                         salt[i] = (byte)pwarray[i+saltpos];
+ 
+                     md.update(salt);
+                     
+                     byte[] dp = md.digest();
+ 
+                     validated = java.util.Arrays.equals(dp, hash);
+                 }
              } else {
                  // Hex hashes should be compared case-insensitive
                  validated = (digest(credentials).equalsIgnoreCase(password));
*************** public class JNDIRealm extends RealmBase
*** 1202,1208 ****
      }
  
  
- 
      /**
       * Check credentials by binding to the directory as the user
       *
--- 1237,1242 ----

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message