Posted to derby-commits@db.apache.org by rh...@apache.org on 2012/02/29 18:26:20 UTC

svn commit: r1295189 - in /db/derby/code/trunk/java: engine/org/apache/derby/impl/jdbc/authentication/ testing/org/apache/derbyTesting/functionTests/tests/lang/ testing/org/apache/derbyTesting/junit/

Author: rhillegas
Date: Wed Feb 29 17:26:20 2012
New Revision: 1295189

URL: http://svn.apache.org/viewvc?rev=1295189&view=rev
Log:
DERBY-866: Cleanup an NPE in NATIVE authentication and add some defensive code to frustrate blackhats.

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java Wed Feb 29 17:26:20 2012
@@ -284,6 +284,7 @@ public final class NativeAuthenticationS
         try {
             // No "guest" user
             if ( userName == null ) { return false; }
+            if ( userPassword == null ) { return false; }
 
             //
             // We must handle these cases:
@@ -405,7 +406,7 @@ public final class NativeAuthenticationS
         }
         
         SQLWarning  warnings = null;
-        
+
         try {
             Properties  properties = new Properties();
             properties.setProperty( Attribute.USERNAME_ATTR, userName );
@@ -496,7 +497,20 @@ public final class NativeAuthenticationS
         DataDictionary      dd = (DataDictionary) Monitor.getServiceModule( this, DataDictionary.MODULE );        
         UserDescriptor      userDescriptor = dd.getUser( userName );
         
-        if ( userDescriptor == null )   { return false; }
+        if ( userDescriptor == null )
+        {
+            //
+            // Before returning, we pretend to evaluate the password.
+            // This helps prevent blackhats from discovering legal usernames
+            // by measuring how long password evaluation takes. For more context,
+            // see the 2012-02-22 comment on DERBY-5539.
+            //
+            PasswordHasher          hasher = dd.makePasswordHasher( getDatabaseProperties() );
+            
+            hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
+
+            return false;
+        }
         
         PasswordHasher      hasher = new PasswordHasher( userDescriptor.getHashingScheme() );
         char[]                     candidatePassword = hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
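Review bot: The padding hash for an unknown user is produced by `dd.makePasswordHasher( getDatabaseProperties() )`, i.e. the database-default scheme, whereas a known user is hashed two lines below with `new PasswordHasher( userDescriptor.getHashingScheme() )`; if a stored per-user scheme differs from the current default (for instance after the default algorithm or iteration settings were changed), the two paths still take different time and the equalization is only partial. That assumption deserves a line in the new comment, e.g. `// NOTE: this only equalizes timing while the default scheme matches the scheme stored for real users.` The result of the discarded `toCharArray()` call is also never cleared, unlike `candidatePassword` in the finally block further down; assigning it to a local and zeroing it would keep the two paths consistent. The enclosing method starts and ends outside the hunk.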
@@ -512,8 +526,8 @@ public final class NativeAuthenticationS
             }
         } finally
         {
-            Arrays.fill( candidatePassword, (char) 0 );
-            Arrays.fill( actualPassword, (char) 0 );
+            if ( candidatePassword != null ) { Arrays.fill( candidatePassword, (char) 0 ); }
+            if ( actualPassword != null ) { Arrays.fill( actualPassword, (char) 0 ); }
         }
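Review bot: The `candidatePassword != null` guard appears to be dead as far as this page shows: the array is assigned in the previous hunk from `hashPasswordIntoString( userName, userPassword ).toCharArray()`, which cannot produce null (a null String would already have thrown), so only the `actualPassword` guard can do real work, presumably because that array is assigned inside the try block that starts between the two hunks. A null test on a value that cannot be null is harmless but implies a path that does not exist; if `actualPassword` is the intended case, a short comment such as `// actualPassword stays null when the try block throws before assigning it` would make that clear. The enclosing try/finally starts outside the hunk.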
 
         //

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java Wed Feb 29 17:26:20 2012
@@ -659,6 +659,9 @@ public class NativeAuthenticationService
         // create the credentials database
         Connection  sysadminConn = openConnection( CREDENTIALS_DB, DBO, true, null );
 
+        // null password should not generate NPE
+        getConnection( _nativeAuthentication, true, CREDENTIALS_DB, DBO, null, INVALID_AUTHENTICATION );
+
         // add another legal user
         addUser( sysadminConn, APPLE_USER );
         addUser( sysadminConn, BANANA_USER );
@@ -1240,12 +1243,18 @@ public class NativeAuthenticationService
         ( boolean shouldFail, boolean isLogicalName, String dbName, String user, String expectedSQLState )
         throws Exception
     {
+        return getConnection( shouldFail, isLogicalName, dbName, user, getPassword( user ), expectedSQLState );
+    }
+    private Connection  getConnection
+        ( boolean shouldFail, boolean isLogicalName, String dbName, String user, String password, String expectedSQLState )
+        throws Exception
+    {
         Connection  conn = null;
 
         reportConnectionAttempt( dbName, user, isLogicalName );
 
         try {
-            conn = openConnection( dbName, user, isLogicalName, null );
+            conn = openConnection( dbName, user, password, isLogicalName, null );
 
             if ( shouldFail )   { fail( tagError( "Connection to " + dbName + " should have failed." ) ); }
         }
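Review bot: The new `getConnection` overload, and likewise the new `openConnection` overload in the next hunk, adds a `password` parameter without saying that it may be null, even though a null password is the only reason the overloads exist (the new caller earlier in the file passes `null` explicitly). Two adjacent `String` parameters `user, password` are also easy to transpose at call sites, which a one-line Javadoc would help guard against: `/** Connect as user with the given password (may be null to test the no-password path). */`. The original `getConnection` signature begins before the hunk, so the method is only partly visible.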
@@ -1350,7 +1359,11 @@ public class NativeAuthenticationService
     private Connection  openConnection( String dbName, String user, boolean isLogicalName, Properties props )
         throws SQLException
     {
-        String  password = getPassword( user );
+        return openConnection( dbName, user, getPassword( user ), isLogicalName, props );
+    }
+    private Connection  openConnection( String dbName, String user, String password, boolean isLogicalName, Properties props )
+        throws SQLException
+    {
         if ( isLogicalName )
         {
             return getTestConfiguration().openConnection( dbName, user, password );

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java Wed Feb 29 17:26:20 2012
@@ -91,8 +91,8 @@ public class DriverManagerConnector impl
 
         Properties connectionAttributes =
                 new Properties(config.getConnectionAttributes());
-        connectionAttributes.setProperty("user", user);
-        connectionAttributes.setProperty("password", password);
+        if ( user != null ) { connectionAttributes.setProperty("user", user); }
+        if ( password  != null ) { connectionAttributes.setProperty("password", password); }
 
         if ( connectionProperties != null ) { connectionAttributes.putAll( connectionProperties ); }
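Review bot: With the new guards, a null `user` or `password` is no longer passed at all, so whatever `config.getConnectionAttributes()` supplies as a default for `"user"` or `"password"` (the `Properties` copy on the lines above takes them as defaults) would now show through via `getProperty`, and a test intended to exercise "no password" could connect with a configured password instead; whether the configuration ever sets those keys is not visible here. If the intent is "attribute absent", a comment stating that the configured defaults must not contain these keys, e.g. `// null means the attribute is omitted; config defaults are assumed not to carry user/password`, would record the assumption. The double space in `password  != null` is also worth tidying. The enclosing method starts outside the hunk.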