You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by ka...@apache.org on 2010/03/18 13:27:33 UTC
svn commit: r924746 - in /db/derby/code/trunk/java:
client/org/apache/derby/client/am/EncryptionManager.java
drda/org/apache/derby/impl/drda/DRDAConnThread.java
engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java
Author: kahatlen
Date: Thu Mar 18 12:27:32 2010
New Revision: 924746
URL: http://svn.apache.org/viewvc?rev=924746&view=rev
Log:
DERBY-4483: Provide a way to change the hash algorithm used by BUILTIN authentication
Added more comments about the incompatibility between the configurable
hash scheme and strong password substitution.
Changed a symbol that still referred to the SHA-1 based authentication
scheme as the new scheme.
Modified:
db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java
db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java
Modified: db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java (original)
+++ db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java Thu Mar 18 12:27:32 2010
@@ -525,7 +525,7 @@ public class EncryptionManager {
/**
* Strong Password Substitution (USRSSBPWD).
*
- * This method generate a password subtitute to send to the target
+ * This method generates a password substitute to send to the target
* server.
*
* Substitution algorithm works as follow:
@@ -587,6 +587,15 @@ public class EncryptionManager {
//
// Encrypt the password as it is done by the derby engine - Note that
// this code (logic) is not shared yet - will be in next revision.
+ //
+ // Note that this code assumes that the Derby engine has encrypted
+ // the password using one particular algorithm (based on SHA-1). After
+ // DERBY-4483, it is possible that the engine uses another algorithm.
+ // Since the engine has no way to decrypt the encrypted password, it
+ // has no way to compared the stored password with the hash we send, so
+ // authentication will fail unless the engine actually uses the SHA-1
+ // based scheme.
+
messageDigest.reset();
messageDigest.update(this.toHexByte(password, 0, password.length()));
Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java Thu Mar 18 12:27:32 2010
@@ -8464,6 +8464,8 @@ class DRDAConnThread extends Thread {
* SECMEC_USRSSBPWD is ONLY supported by the target server if:
* - current authentication provider is Derby BUILTIN or
* NONE. (database / system level) (Phase I)
+ * - database-level password must have been encrypted with the
+ * SHA-1 based authentication scheme
* - Application requester is 'DNC' (Derby Network Client)
* (Phase I)
*
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java Thu Mar 18 12:27:32 2010
@@ -594,7 +594,7 @@ public abstract class AuthenticationServ
/**
* Strong Password Substitution (USRSSBPWD).
*
- * This method generate a password subtitute to authenticate a client
+ * This method generates a password substitute to authenticate a client
* which is using a DRDA security mechanism such as SECMEC_USRSSBPWD.
*
* Depending how the user is defined in Derby and if BUILTIN
@@ -605,6 +605,17 @@ public abstract class AuthenticationServ
* generate a substitute password coming from the store to compare with
* the one passed-in.
*
+ * The substitution algorithm used is the same as the one used in the
+ * SHA-1 authentication scheme ({@link #ID_PATTERN_SHA1_SCHEME}), so in
+ * the case of database passwords stored using that scheme, we can simply
+ * compare the received hash with the stored hash. If the configurable
+ * hash authentication scheme {@link #ID_PATTERN_CONFIGURABLE_HASH_SCHEME}
+ * is used, we have no way to find out if the received hash matches the
+ * stored password, since we cannot decrypt the hashed passwords and
+ * re-apply another hash algorithm. Therefore, strong password substitution
+ * only works if the database-level passwords are stored with the SHA-1
+ * scheme.
+ *
* NOTE: A lot of this logic could be shared with the DRDA decryption
* and client encryption managers - This will be done _once_
* code sharing along with its rules are defined between the
@@ -633,9 +644,6 @@ public abstract class AuthenticationServ
MessageDigest messageDigest = null;
- // Pattern that is prefixed to the BUILTIN encrypted password
- String ID_PATTERN_NEW_SCHEME = "3b60";
-
// PWSEQs's 8-byte value constant - See DRDA Vol 3
byte SECMEC_USRSSBPWD_PWDSEQS[] = {
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
@@ -694,12 +702,21 @@ public abstract class AuthenticationServ
bytePasswd = StringUtil.toHexByte(password, 0, password.length());
messageDigest.update(bytePasswd);
byte[] encryptVal = messageDigest.digest();
- hexString = ID_PATTERN_NEW_SCHEME +
+ hexString = ID_PATTERN_SHA1_SCHEME +
StringUtil.toHexString(encryptVal, 0, encryptVal.length);
}
else
+ {
// Already encrypted from the database store
+ // NOTE: If the password was stored with the configurable hash
+ // authentication scheme, the stored password will have been hashed
+ // with a different algorithm than the hashed password sent from
+ // the client. Since there's no way to decrypt the stored password
+ // and rehash it with the algorithm that the client uses, we are
+ // not able to compare the passwords, and the connection attempt
+ // will fail.
hexString = password;
+ }
// Generate the password substitute now