Posted to derby-commits@db.apache.org by ka...@apache.org on 2010/03/18 13:27:33 UTC

svn commit: r924746 - in /db/derby/code/trunk/java: client/org/apache/derby/client/am/EncryptionManager.java drda/org/apache/derby/impl/drda/DRDAConnThread.java engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java

Author: kahatlen
Date: Thu Mar 18 12:27:32 2010
New Revision: 924746

URL: http://svn.apache.org/viewvc?rev=924746&view=rev
Log:
DERBY-4483: Provide a way to change the hash algorithm used by BUILTIN authentication

Added more comments about the incompatibility between the configurable
hash scheme and strong password substitution.

Changed a symbol that still referred to the SHA-1 based authentication
scheme as the new scheme.

Modified:
    db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java
    db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java

Modified: db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java (original)
+++ db/derby/code/trunk/java/client/org/apache/derby/client/am/EncryptionManager.java Thu Mar 18 12:27:32 2010
@@ -525,7 +525,7 @@ public class EncryptionManager {
     /**
      * Strong Password Substitution (USRSSBPWD).
      *
-     * This method generate a password subtitute to send to the target
+     * This method generates a password substitute to send to the target
      * server.
      * 
      * Substitution algorithm works as follow:
@@ -587,6 +587,15 @@ public class EncryptionManager {
         //
         // Encrypt the password as it is done by the derby engine - Note that
         // this code (logic) is not shared yet - will be in next revision.
+        //
+        // Note that this code assumes that the Derby engine has encrypted
+        // the password using one particular algorithm (based on SHA-1). After
+        // DERBY-4483, it is possible that the engine uses another algorithm.
+        // Since the engine has no way to decrypt the encrypted password, it
+        // has no way to compared the stored password with the hash we send, so
+        // authentication will fail unless the engine actually uses the SHA-1
+        // based scheme.
+
         messageDigest.reset();
 
 		messageDigest.update(this.toHexByte(password, 0, password.length()));
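Review bot: The comment added above `messageDigest.reset()` has a typo (`has no way to compared`) and describes a one-way hash as something the engine "encrypted" and cannot "decrypt", which obscures why the comparison is impossible. I would word the two affected lines as `// Since the stored value is a one-way hash, the engine cannot recover the password and` followed by `// has no way to compare it with the hash we send, so`. The same "decrypt" wording appears in the Javadoc and in the `else`-branch comment added to AuthenticationServiceBase.java in this commit. The enclosing method starts and ends outside this hunk.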

Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DRDAConnThread.java Thu Mar 18 12:27:32 2010
@@ -8464,6 +8464,8 @@ class DRDAConnThread extends Thread {
      *	SECMEC_USRSSBPWD is ONLY supported by the target server if:
      *	    - current authentication provider is Derby BUILTIN or
      *	      NONE. (database / system level) (Phase I)
+     *      - database-level password must have been encrypted with the
+     *        SHA-1 based authentication scheme
      *		- Application requester is 'DNC' (Derby Network Client)
      *		  (Phase I)
      *
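Review bot: The new bullet sits under "ONLY supported by the target server if", which reads as a condition the server checks, yet nothing in this hunk shows such a check. The comments added to AuthenticationServiceBase.java in this commit say the connection attempt simply fails. If that is the behaviour, the bullet should say so, for example `- database-level passwords must be stored with the SHA-1 based scheme; otherwise authentication fails`. The two added lines are also indented with spaces where the neighbouring bullets use tabs. The Javadoc block and the method it documents continue outside the hunk.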

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java?rev=924746&r1=924745&r2=924746&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java Thu Mar 18 12:27:32 2010
@@ -594,7 +594,7 @@ public abstract class AuthenticationServ
     /**
      * Strong Password Substitution (USRSSBPWD).
      *
-     * This method generate a password subtitute to authenticate a client
+     * This method generates a password substitute to authenticate a client
      * which is using a DRDA security mechanism such as SECMEC_USRSSBPWD.
      *
      * Depending how the user is defined in Derby and if BUILTIN
@@ -605,6 +605,17 @@ public abstract class AuthenticationServ
      * generate a substitute password coming from the store to compare with
      * the one passed-in.
      *
+     * The substitution algorithm used is the same as the one used in the
+     * SHA-1 authentication scheme ({@link #ID_PATTERN_SHA1_SCHEME}), so in
+     * the case of database passwords stored using that scheme, we can simply
+     * compare the received hash with the stored hash. If the configurable
+     * hash authentication scheme {@link #ID_PATTERN_CONFIGURABLE_HASH_SCHEME}
+     * is used, we have no way to find out if the received hash matches the
+     * stored password, since we cannot decrypt the hashed passwords and
+     * re-apply another hash algorithm. Therefore, strong password substitution
+     * only works if the database-level passwords are stored with the SHA-1
+     * scheme.
+     *
      * NOTE: A lot of this logic could be shared with the DRDA decryption
      *       and client encryption managers - This will be done _once_
      *       code sharing along with its rules are defined between the
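Review bot: The Javadoc added here says a password stored with `ID_PATTERN_CONFIGURABLE_HASH_SCHEME` can never match, but the `else` branch in the last hunk of this file still assigns `hexString = password` for any stored value and lets the substitute computation run. The failure then presumably surfaces as an ordinary mismatch, which an operator could not tell apart from a wrong password. Assuming the configurable-scheme pattern is a string prefix like the SHA-1 one, a guard such as `if (password.startsWith(ID_PATTERN_CONFIGURABLE_HASH_SCHEME))` in that branch could report the unsupported combination explicitly. How it should fail depends on the method's return contract, which is not visible here, and the method body starts and ends outside these hunks.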
@@ -633,9 +644,6 @@ public abstract class AuthenticationServ
 
         MessageDigest messageDigest = null;
 
-        // Pattern that is prefixed to the BUILTIN encrypted password
-        String ID_PATTERN_NEW_SCHEME = "3b60";
-
         // PWSEQs's 8-byte value constant - See DRDA Vol 3
         byte SECMEC_USRSSBPWD_PWDSEQS[] = {
                 (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
@@ -694,12 +702,21 @@ public abstract class AuthenticationServ
             bytePasswd = StringUtil.toHexByte(password, 0, password.length());
             messageDigest.update(bytePasswd);
             byte[] encryptVal = messageDigest.digest();
-            hexString = ID_PATTERN_NEW_SCHEME +
+            hexString = ID_PATTERN_SHA1_SCHEME +
                 StringUtil.toHexString(encryptVal, 0, encryptVal.length);
         }
         else
+        {
             // Already encrypted from the database store
+            // NOTE: If the password was stored with the configurable hash
+            // authentication scheme, the stored password will have been hashed
+            // with a different algorithm than the hashed password sent from
+            // the client. Since there's no way to decrypt the stored password
+            // and rehash it with the algorithm that the client uses, we are
+            // not able to compare the passwords, and the connection attempt
+            // will fail.
             hexString = password;
+        }
 
         // Generate the password substitute now