Posted to derby-commits@db.apache.org by rh...@apache.org on 2012/02/29 18:26:20 UTC
svn commit: r1295189 - in /db/derby/code/trunk/java:
engine/org/apache/derby/impl/jdbc/authentication/
testing/org/apache/derbyTesting/functionTests/tests/lang/
testing/org/apache/derbyTesting/junit/
Author: rhillegas
Date: Wed Feb 29 17:26:20 2012
New Revision: 1295189
URL: http://svn.apache.org/viewvc?rev=1295189&view=rev
Log:
DERBY-866: Clean up an NPE in NATIVE authentication and add some defensive code to frustrate blackhats.
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java Wed Feb 29 17:26:20 2012
@@ -284,6 +284,7 @@ public final class NativeAuthenticationS
try {
// No "guest" user
if ( userName == null ) { return false; }
+ if ( userPassword == null ) { return false; }
//
// We must handle these cases:
@@ -405,7 +406,7 @@ public final class NativeAuthenticationS
}
SQLWarning warnings = null;
-
+
try {
Properties properties = new Properties();
properties.setProperty( Attribute.USERNAME_ATTR, userName );
@@ -496,7 +497,20 @@ public final class NativeAuthenticationS
DataDictionary dd = (DataDictionary) Monitor.getServiceModule( this, DataDictionary.MODULE );
UserDescriptor userDescriptor = dd.getUser( userName );
- if ( userDescriptor == null ) { return false; }
+ if ( userDescriptor == null )
+ {
+ //
+ // Before returning, we pretend to evaluate the password.
+ // This helps prevent blackhats from discovering legal usernames
+ // by measuring how long password evaluation takes. For more context,
+ // see the 2012-02-22 comment on DERBY-5539.
+ //
+ PasswordHasher hasher = dd.makePasswordHasher( getDatabaseProperties() );
+
+ hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
+
+ return false;
+ }
PasswordHasher hasher = new PasswordHasher( userDescriptor.getHashingScheme() );
char[] candidatePassword = hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
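Review bot: The decoy hash for an unknown user (lines 49–51) is built from `dd.makePasswordHasher( getDatabaseProperties() )`, while the real path on the following line hashes with `new PasswordHasher( userDescriptor.getHashingScheme() )`, i.e. the scheme stored for that particular user. If a user's stored scheme differs from the current database default in algorithm or iteration count (for example after the hashing properties were changed), the two paths still take measurably different time and the equalisation this hunk introduces is weakened; that assumption deserves a comment, e.g. `// Assumes the database-default hashing scheme matches the scheme stored for existing users; otherwise the timing of the two paths still differs.` Note also that the decoy path discards the hash `String` without clearing it, whereas the real path clears `candidatePassword` in the finally block — since `toCharArray()` copies, neither path can scrub the `String` itself, which is presumably accepted. The enclosing method starts and ends outside this hunk.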
@@ -512,8 +526,8 @@ public final class NativeAuthenticationS
}
} finally
{
- Arrays.fill( candidatePassword, (char) 0 );
- Arrays.fill( actualPassword, (char) 0 );
+ if ( candidatePassword != null ) { Arrays.fill( candidatePassword, (char) 0 ); }
+ if ( actualPassword != null ) { Arrays.fill( actualPassword, (char) 0 ); }
}
//
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java Wed Feb 29 17:26:20 2012
@@ -659,6 +659,9 @@ public class NativeAuthenticationService
// create the credentials database
Connection sysadminConn = openConnection( CREDENTIALS_DB, DBO, true, null );
+ // null password should not generate NPE
+ getConnection( _nativeAuthentication, true, CREDENTIALS_DB, DBO, null, INVALID_AUTHENTICATION );
+
// add another legal user
addUser( sysadminConn, APPLE_USER );
addUser( sysadminConn, BANANA_USER );
@@ -1240,12 +1243,18 @@ public class NativeAuthenticationService
( boolean shouldFail, boolean isLogicalName, String dbName, String user, String expectedSQLState )
throws Exception
{
+ return getConnection( shouldFail, isLogicalName, dbName, user, getPassword( user ), expectedSQLState );
+ }
+ private Connection getConnection
+ ( boolean shouldFail, boolean isLogicalName, String dbName, String user, String password, String expectedSQLState )
+ throws Exception
+ {
Connection conn = null;
reportConnectionAttempt( dbName, user, isLogicalName );
try {
- conn = openConnection( dbName, user, isLogicalName, null );
+ conn = openConnection( dbName, user, password, isLogicalName, null );
if ( shouldFail ) { fail( tagError( "Connection to " + dbName + " should have failed." ) ); }
}
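Review bot: The new private `getConnection` overload at lines 87–90 carries no comment saying that `password` may be null, which is exactly how the new caller at line 76 uses it; a reader of the four-argument form would assume a password is always looked up through `getPassword( user )`. Suggest `// password may be null to exercise the no-credential path; see openConnection` above the overload, and the same remark on the `openConnection( ..., String password, ... )` overload in the next hunk, where the null presumably ends up with the connector omitting the attribute. Both methods continue past the end of their hunks.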
@@ -1350,7 +1359,11 @@ public class NativeAuthenticationService
private Connection openConnection( String dbName, String user, boolean isLogicalName, Properties props )
throws SQLException
{
- String password = getPassword( user );
+ return openConnection( dbName, user, getPassword( user ), isLogicalName, props );
+ }
+ private Connection openConnection( String dbName, String user, String password, boolean isLogicalName, Properties props )
+ throws SQLException
+ {
if ( isLogicalName )
{
return getTestConfiguration().openConnection( dbName, user, password );
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java?rev=1295189&r1=1295188&r2=1295189&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/DriverManagerConnector.java Wed Feb 29 17:26:20 2012
@@ -91,8 +91,8 @@ public class DriverManagerConnector impl
Properties connectionAttributes =
new Properties(config.getConnectionAttributes());
- connectionAttributes.setProperty("user", user);
- connectionAttributes.setProperty("password", password);
+ if ( user != null ) { connectionAttributes.setProperty("user", user); }
+ if ( password != null ) { connectionAttributes.setProperty("password", password); }
if ( connectionProperties != null ) { connectionAttributes.putAll( connectionProperties ); }
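Review bot: With the null guards at lines 121–122, a null `user` or `password` no longer overwrites an entry that `config.getConnectionAttributes()` may already contain, so such an attempt could silently authenticate with the configuration's default credential instead of with none at all; the new null-password test relies on this not happening. If the base attributes are known never to carry `user`/`password` this is fine, but the intent should be stated, e.g. `// null means "send no credential"; relies on the config attributes not already holding user/password`, or, if the stronger meaning is wanted, `else { connectionAttributes.remove("password"); }` (and likewise for `user`). The enclosing method continues outside the hunk.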