tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Undefined behaviour with Credential Handler
Date Wed, 09 Sep 2015 20:18:49 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sreyan,

On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:
> Well I guess now it's confirmed that it is a bug. Do you still need
> the code?

No, I don't think I will.

However, since you wrote your own CredentialHandler, you could merely
patch it to check in the matches() method for null. Something like this:

    @Override
    public boolean matches(String inputCredentials,
                           String storedCredentials) {
        // No stored credential (e.g. unknown user) can never be a match
        if(null == storedCredentials)
            return false;

        return matchesSaltIterationsEncoded(inputCredentials,
                                            storedCredentials);
    }

Then you can resume your testing.

- -chris

> On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Sreyan,
> 
> On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:
>>>> Okay, so if I have stored my password in my DB with SHA256
>>>> encryption, can the credential handler declared in the realm
>>>> work if it is declared with SHA512?
> 
> No. SHA256 and SHA512 produce hashes of different sizes, so with
> the same input, they will always produce different outputs.
> 
> https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
> 
>>>> As far as I know it must be same algorithm, salt and
>>>> iterations for the hash to be matched perfectly.
> 
> Correct.
> 
>>>> Now take my case:
>>>> 
>>>> <CredentialHandler className = 
>>>> "org.apache.catalina.realm.SecretKeyCredentialHandler"
>>>> algorithm = "PBEWITHMD5ANDTRIPLEDES" />
>>>> 
>>>> Okay, this is the credential handler that I am using. In my DB
>>>> the password is stored using PBEWITHHMACSHA384ANDAES_256, a
>>>> completely different algorithm than the one specified before.
>>>> So how come, when I put in my user-id and password on my
>>>> form-login page, I am not getting an authentication error but
>>>> instead am being forwarded to the protected resource?
> 
> Perhaps PBEWITHMD5ANDTRIPLEDES and PBEWITHHMACSHA384ANDAES_256 are 
> somehow aliases of each other? Also, it's possible that your 
> implementation of the algorithm is flawed.
> 
> Try running the "mutate" method from a command-line driver on some 
> sample input to see what falls out.
> 
>>>> It should use the algorithm in the CredentialHandler to
>>>> mutate the password. Now don't tell me that two different
>>>> algorithms offer the same hash.
>>>> 
>>>> What is going on here ?
> 
> My guess is a bug in the CredentialHandler itself. Can you post
> some code?
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
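The following is an added, self-contained illustration of the two points made in this thread: the null check Chris suggests for matches(), and his earlier advice to run mutate() from a command-line driver to see what a handler actually produces. It is not code from the thread or from Tomcat. The CredentialHandler interface below is a stand-in declared locally with the same two method signatures as Tomcat's org.apache.catalina.CredentialHandler, so the file compiles with a plain JDK; the NullSafePbkdf2Handler class, its "saltHex$iterations$hashHex" stored format and the sample password are all hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Local stand-in with the same method signatures as Tomcat's CredentialHandler. */
interface CredentialHandler {
    boolean matches(String inputCredentials, String storedCredentials);
    String mutate(String inputCredentials);
}

/** Hypothetical PBKDF2 handler; stored form is "saltHex$iterations$hashHex". */
public final class NullSafePbkdf2Handler implements CredentialHandler {
    private final String algorithm;      // JCA name, e.g. "PBKDF2WithHmacSHA256"
    private final int iterations;
    private final int keyLengthBits;
    private final SecureRandom random = new SecureRandom();

    public NullSafePbkdf2Handler(String algorithm, int iterations, int keyLengthBits) {
        this.algorithm = algorithm;
        this.iterations = iterations;
        this.keyLengthBits = keyLengthBits;
    }

    @Override
    public String mutate(String inputCredentials) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);                       // fresh random salt per credential
        byte[] hash = derive(inputCredentials, salt, iterations);
        return toHex(salt) + "$" + iterations + "$" + toHex(hash);
    }

    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        // The check the thread is about: a missing stored credential (unknown user,
        // empty column) must be a definite "no", never a fall-through that authenticates.
        if (inputCredentials == null || storedCredentials == null) {
            return false;
        }
        String[] parts = storedCredentials.split("\\$");
        if (parts.length != 3) {
            return false;                             // malformed stored value: reject, don't throw
        }
        byte[] salt;
        int storedIterations;
        byte[] expected;
        try {
            salt = fromHex(parts[0]);
            storedIterations = Integer.parseInt(parts[1]);
            expected = fromHex(parts[2]);
        } catch (IllegalArgumentException e) {        // NumberFormatException is a subclass
            return false;
        }
        byte[] actual = derive(inputCredentials, salt, storedIterations);
        // Constant-time comparison. A hash produced with a different algorithm or key
        // length differs in content and usually in length; isEqual returns false either way.
        return MessageDigest.isEqual(expected, actual);
    }

    private byte[] derive(String password, byte[] salt, int iter) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(algorithm);
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iter, keyLengthBits);
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();                 // wipe the password copy held by the spec
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 algorithm unavailable: " + algorithm, e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd hex length");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Command-line driver of the kind suggested in the thread: mutate, then match. */
    public static void main(String[] args) {
        CredentialHandler sha256 = new NullSafePbkdf2Handler("PBKDF2WithHmacSHA256", 100_000, 256);
        CredentialHandler sha512 = new NullSafePbkdf2Handler("PBKDF2WithHmacSHA512", 100_000, 512);
        String stored = sha256.mutate("correct horse");   // constructed sample: what the DB column would hold

        System.out.println("stored value:        " + stored);
        System.out.println("right password:      " + sha256.matches("correct horse", stored));
        System.out.println("wrong password:      " + sha256.matches("wrong", stored));
        System.out.println("no stored credential:" + sha256.matches("correct horse", null));
        System.out.println("other algorithm:     " + sha512.matches("correct horse", stored));
    }
}
```

Run the class directly to see the four cases side by side. Only the first case may authenticate: a null stored credential is rejected before any hashing happens, and the SHA-512 handler cannot verify a hash the SHA-256 handler wrote, which is the point Chris makes about needing the same algorithm, salt and iterations on both sides.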

