Date: Tue, 4 Jan 2005 17:52:04 +0100
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
List-Id: "Tomcat Developers List"
Message-Id: <200501041652.j04Gq40g002027@ajax.apache.org>
Subject: DO NOT REPLY [Bug 32938] New: - SSHA passwords in JNDIRealm

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=32938

Summary: SSHA passwords in JNDIRealm
Product: Tomcat 5
Version: 5.5.4
Platform: All
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: enhancement
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: Andrew_Polozov@yahoo.com

Current implementation of JNDIRealm does not support "Salted" SHA passwords. So, if the password was set by iPlanet Admin server - it can't be verified by JNDIRealm. Here is the patch to make it work.

*** orig/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:34:07 2005 --- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:16:54 2005 *************** import javax.naming.directory.SearchCont *** 43,48 **** --- 43,50 ---- import javax.naming.directory.SearchResult; import org.apache.catalina.LifecycleException; import org.apache.catalina.util.Base64; + import org.apache.tomcat.util.buf.ByteChunk; + import org.apache.tomcat.util.buf.CharChunk; /** *************** public class JNDIRealm extends RealmBase *** 1191,1196 **** --- 1193,1231 ---- new String(Base64.encode(md.digest())); validated = password.equals(digestedPassword); } + } else if (password.startsWith("{SSHA}")) { + /* sync since super.digest() does this same thing */ + synchronized (this) { + password = password.substring(6); + + md.reset(); + md.update(credentials.getBytes()); + //Decode stored password. + ByteChunk pwbc = new ByteChunk(password.length()); + try { + pwbc.append(password.getBytes(), 0, password.length()); + } catch (java.io.IOException e) { + e.printStackTrace(); //Hopefully will never happen. + } + CharChunk decoded = new CharChunk(); + Base64.decode(pwbc, decoded); + char[] pwarray = decoded.getBuffer(); + // Split decoded password into hash and salt. 
+ final int saltpos = 20; + byte[] hash = new byte[saltpos]; + for (int i=0; i< hash.length; i++) + hash[i] = (byte)pwarray[i]; + + byte[] salt = new byte[pwarray.length - saltpos]; + for (int i=0; i< salt.length; i++) + salt[i] = (byte)pwarray[i+saltpos]; + + md.update(salt); + + byte[] dp = md.digest(); + + validated = java.util.Arrays.equals(dp, hash); + } } else { // Hex hashes should be compared case-insensitive validated = (digest(credentials).equalsIgnoreCase(password)); *************** public class JNDIRealm extends RealmBase *** 1202,1208 **** } - /** * Check credentials by binding to the directory as the user * --- 1237,1242 ----
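Review bot: on the import hunk (lines 43,48 / 43,50), the two new `org.apache.tomcat.util.buf` imports exist only because the decoded value is routed through a `CharChunk` and then narrowed back to bytes with `(byte)pwarray[i]`; the hash and salt are binary data, not text, so decoding straight into a `byte[]` would make the `CharChunk` import unnecessary and remove the lossy char round-trip.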
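Review bot: in the `{SSHA}` hunk (lines 1191,1196 / 1193,1231) the hash/salt split hardcodes a 20-byte hash (`final int saltpos = 20;`), which is only correct when the realm's `digest` is SHA-1; `md` is whatever algorithm the realm was configured with, so with any other digest the boundary is wrong and every `{SSHA}` login fails silently. Take the length from `md.getDigestLength()` (or only enter this branch when the digest is SHA-1, as the `{SHA}` case above it implies) and reject decoded values shorter than that length first: as written, a stored value that decodes to fewer than 20 chars makes `new byte[pwarray.length - saltpos]` throw `NegativeArraySizeException` instead of setting `validated = false`. The decoded length should also come from the chunk (`decoded.getLength()`) rather than `decoded.getBuffer().length`, since the backing array can be larger than the decoded content and the spare capacity would be fed into `md.update(salt)`. Two smaller points: `credentials.getBytes()` and `password.getBytes()` should name a charset explicitly so the computed hash does not depend on the platform default, and `e.printStackTrace()` should go through the realm's logger rather than stderr.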
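Review bot: the last hunk (lines 1202,1208 / 1237,1242) only deletes a blank line before the Javadoc of the bind-based credential check and has no functional effect; drop it so the patch stays confined to the `{SSHA}` support, and consider a matching update to the realm documentation noting that `{SSHA}` values in the password attribute are now accepted.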