Make timing attacks against the Realm implementations harder. (schultz)

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk@1758500 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 30, 2016 · d79c63d · d79c63d
1 parent f97769f
commit d79c63d
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 1 deletion.
diff --git a/java/org/apache/catalina/realm/DataSourceRealm.java b/java/org/apache/catalina/realm/DataSourceRealm.java
@@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection,
 
         if(dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",

diff --git a/java/org/apache/catalina/realm/JDBCRealm.java b/java/org/apache/catalina/realm/JDBCRealm.java
@@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 
         if (dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",

diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java
@@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) {
         GenericPrincipal principal = principals.get(username);
 
         if(principal == null || principal.getPassword() == null) {
-            // User was not found in the database of the password was null
+            // User was not found in the database or the password was null
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (log.isDebugEnabled())
                 log.debug(sm.getString("memoryRealm.authenticateFailure", username));

diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
@@ -344,6 +344,8 @@ public Principal authenticate(String username, String credentials) {
 
         if (serverCredentials == null) {
             // User was not found
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled()) {
                 containerLog.trace(sm.getString("realmBase.authenticateFailure",

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -183,6 +183,9 @@
         of the web.xml file where specified or UTF-8 where no explicit encoding
         is specified. (markt)
       </fix>
+      <fix>
+        Make timing attacks against the Realm implementations harder. (schultz)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">