[FIXED SECURITY-58]
encryption of passphrases wasn't sufficiently secure.
kohsuke committed Nov 19, 2013
1 parent b5cd303 commit 7d4562d
Showing 1 changed file with 14 additions and 10 deletions.
24 changes: 14 additions & 10 deletions src/main/java/hudson/scm/SubversionSCM.java
@@ -1508,19 +1508,23 @@ public static final class PasswordCredential extends Credential {
*/
private static final long serialVersionUID = -1676145651108866745L;
private final String userName;
private final String password; // scrambled by base64
private final Secret password; // for historical reasons, scrambled by base64 in addition to using 'Secret'

public PasswordCredential(String userName, String password) {
this.userName = userName;
this.password = Scrambler.scramble(password);
this.password = Secret.fromString(Scrambler.scramble(password));
}

@Override
public SVNAuthentication createSVNAuthentication(String kind) {
if(kind.equals(ISVNAuthenticationManager.SSH))
return new SVNSSHAuthentication(userName,Scrambler.descramble(password),-1,false);
return new SVNSSHAuthentication(userName, getPassword(),-1,false);
else
return new SVNPasswordAuthentication(userName,Scrambler.descramble(password),false);
return new SVNPasswordAuthentication(userName, getPassword(),false);
}

private String getPassword() {
return Scrambler.descramble(Secret.toString(password));
}
}

@@ -1533,7 +1537,7 @@ public static final class SshPublicKeyCredential extends Credential {
*/
private static final long serialVersionUID = -4649332611621900514L;
private final String userName;
private final String passphrase; // scrambled by base64
private final Secret passphrase; // for historical reasons, scrambled by base64 in addition to using 'Secret'
private final String id;

/**
@@ -1542,7 +1546,7 @@ public static final class SshPublicKeyCredential extends Credential {
*/
public SshPublicKeyCredential(String userName, String passphrase, File keyFile) throws SVNException {
this.userName = userName;
this.passphrase = Scrambler.scramble(passphrase);
this.passphrase = Secret.fromString(Scrambler.scramble(passphrase));

Random r = new Random();
StringBuilder buf = new StringBuilder();
@@ -1613,7 +1617,7 @@ public String call() throws IOException {
} else {
privateKey = FileUtils.readFileToString(getKeyFile(),"iso-8859-1");
}
return new SVNSSHAuthentication(userName, privateKey.toCharArray(), Scrambler.descramble(passphrase),-1,false);
return new SVNSSHAuthentication(userName, privateKey.toCharArray(), Scrambler.descramble(Secret.toString(passphrase)),-1,false);
} catch (IOException e) {
throw new SVNException(
SVNErrorMessage.create(SVNErrorCode.AUTHN_CREDS_UNAVAILABLE,"Unable to load private key").initCause(e));
@@ -1635,10 +1639,10 @@ public static final class SslClientCertificateCredential extends Credential {
*/
private static final long serialVersionUID = 5455755079546887446L;
private final Secret certificate;
private final String password; // scrambled by base64
private final Secret password; // for historical reasons, scrambled by base64 in addition to using 'Secret'

public SslClientCertificateCredential(File certificate, String password) throws IOException {
this.password = Scrambler.scramble(password);
this.password = Secret.fromString(Scrambler.scramble(password));
this.certificate = Secret.fromString(new String(Base64.encode(FileUtils.readFileToByteArray(certificate))));
}

@@ -1648,7 +1652,7 @@ public SVNAuthentication createSVNAuthentication(String kind) {
try {
SVNSSLAuthentication authentication = new SVNSSLAuthentication(
Base64.decode(certificate.getPlainText().toCharArray()),
Scrambler.descramble(password), false);
Scrambler.descramble(Secret.toString(password)), false);
authentication.setCertificatePath("dummy"); // TODO: remove this JENKINS-19175 workaround
return authentication;
} catch (IOException e) {
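Review bot: Credentials persisted before this change are not addressed by the new `Secret` fields in PasswordCredential, SshPublicKeyCredential and SslClientCertificateCredential: nothing in the visible hunks re-saves existing data, so files written earlier presumably keep the base64-only form until each credential is stored again. Whether the persistence layer reads an old plain string into a `Secret` field at all cannot be told from this page, and the `serialVersionUID` values are unchanged although the field types differ, so a test that loads a pre-change credentials file would be worth adding. If no migration is planned, the field comments should say so, e.g. `// values saved before SECURITY-58 stay base64-only on disk until the credential is re-saved`. The `Scrambler.descramble(Secret.toString(...))` expression is also repeated inline in the last two classes while PasswordCredential gets a `getPassword()` helper; the same private helper in each class would keep the decode path in one place. All three class bodies extend beyond the hunks shown.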