From d79c63d424fe6b225678416343b9ce106dec947c Mon Sep 17 00:00:00 2001 From: Mark Thomas Date: Tue, 30 Aug 2016 22:56:03 +0000 Subject: [PATCH] Make timing attacks against the Realm implementations harder. (schultz) git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk@1758500 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/catalina/realm/DataSourceRealm.java | 2 ++ java/org/apache/catalina/realm/JDBCRealm.java | 2 ++ java/org/apache/catalina/realm/MemoryRealm.java | 4 +++- java/org/apache/catalina/realm/RealmBase.java | 2 ++ webapps/docs/changelog.xml | 3 +++ 5 files changed, 12 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/DataSourceRealm.java b/java/org/apache/catalina/realm/DataSourceRealm.java index d5ac10a74361..8eb9e12aac67 100644 --- a/java/org/apache/catalina/realm/DataSourceRealm.java +++ b/java/org/apache/catalina/realm/DataSourceRealm.java @@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection, if(dbCredentials == null) { // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (containerLog.isTraceEnabled()) containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure", diff --git a/java/org/apache/catalina/realm/JDBCRealm.java b/java/org/apache/catalina/realm/JDBCRealm.java index fc93598352f4..cff5411150cb 100644 --- a/java/org/apache/catalina/realm/JDBCRealm.java +++ b/java/org/apache/catalina/realm/JDBCRealm.java @@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection, if (dbCredentials == null) { // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (containerLog.isTraceEnabled()) containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java index aec126fa9036..9beddf6a723f 100644 --- a/java/org/apache/catalina/realm/MemoryRealm.java +++ b/java/org/apache/catalina/realm/MemoryRealm.java @@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) { GenericPrincipal principal = principals.get(username); if(principal == null || principal.getPassword() == null) { - // User was not found in the database of the password was null + // User was not found in the database or the password was null + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (log.isDebugEnabled()) log.debug(sm.getString("memoryRealm.authenticateFailure", username)); diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java index 32c928fa2c54..bcbfff752236 100644 --- a/java/org/apache/catalina/realm/RealmBase.java +++ b/java/org/apache/catalina/realm/RealmBase.java @@ -344,6 +344,8 @@ public Principal authenticate(String username, String credentials) { if (serverCredentials == null) { // User was not found + // Waste a bit of time as not to reveal that the user does not exist. + getCredentialHandler().mutate(credentials); if (containerLog.isTraceEnabled()) { containerLog.trace(sm.getString("realmBase.authenticateFailure", diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7a19b0c57967..95ad8f5a7438 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -183,6 +183,9 @@ of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt) + + Make timing attacks against the Realm implementations harder. (schultz) +