This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 76c9a625a6abf295444ad2aa23ec9106a5760815
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Nov 4 17:28:12 2025 +0000

    Complete the fix for BZ 69852 - align default digest order with RFC 3112
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
---
 .../catalina/realm/MessageDigestCredentialHandler.java | 18 +++++++++++++++++-
 webapps/docs/changelog.xml                             |  5 +++++
 webapps/docs/config/credentialhandler.xml              |  8 ++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index e3aa771d60..2ce9e68901 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -58,6 +58,7 @@ public class MessageDigestCredentialHandler extends DigestCredentialHandlerBase
 
     private Charset encoding = StandardCharsets.UTF_8;
     private String algorithm = null;
+    private boolean digestInRfc3112Order = true;
 
 
     public String getEncoding() {
@@ -91,6 +92,16 @@ public class MessageDigestCredentialHandler extends DigestCredentialHandlerBase
     }
 
 
+    public boolean getDigestInRfc3112Order() {
+        return digestInRfc3112Order;
+    }
+
+
+    public void setDigestInRfc3112Order(boolean digestInRfc3112Order) {
+        this.digestInRfc3112Order = digestInRfc3112Order;
+    }
+
+
     @Override
     public boolean matches(String inputCredentials, String storedCredentials) {
         if (inputCredentials == null || storedCredentials == null) {
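Review bot: The new public accessors `getDigestInRfc3112Order()` and `setDigestInRfc3112Order(boolean)` in the second hunk carry no Javadoc, yet the operand order they switch is the whole point of this change and is currently described only in the docs XML. I would add above the setter `/** Sets whether salted digests are computed in RFC 3112 order (credential then salt, the default) or in the salt-then-credential order used by earlier Tomcat versions; stored credentials created under one order will not verify under the other. */` and a matching one-line summary on the getter. The body of `matches` continues outside the hunk, so whether it documents the dependency on this flag cannot be judged from here.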
@@ -162,7 +173,12 @@ public class MessageDigestCredentialHandler extends DigestCredentialHandlerBase
         if (salt == null) {
             userDigest = ConcurrentMessageDigest.digest(algorithm, iterations, inputCredentialbytes);
         } else {
-            userDigest = ConcurrentMessageDigest.digest(algorithm, iterations, salt, inputCredentialbytes);
+            if (digestInRfc3112Order) {
+                // RFC 3112 states that the input order for the digest is credentials then salt
+                userDigest = ConcurrentMessageDigest.digest(algorithm, iterations, inputCredentialbytes, salt);
+            } else {
+                userDigest = ConcurrentMessageDigest.digest(algorithm, iterations, salt, inputCredentialbytes);
+            }
         }
         return HexUtils.toHexString(userDigest);
     }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b1c8c3eaa6..fb641051d1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -180,6 +180,11 @@
         Remove the <code>RemoteAddrFilter</code> and <code>RemoteAddrValve</code>. (markt)
       </update>
+      <update>
+        Change the default for the <code>digestInRfc3112Order</code> attribute
+        of <code>MessageDigestCredentialHandler</code> from <code>false</code>
+        to <code>true</code>. (markt)
+      </update>
       <!-- Entries for backport and removal before 12.0.0-M1 below this line -->
       <fix>
         When generating the class path in the Loader, re-order the check on
diff --git a/webapps/docs/config/credentialhandler.xml b/webapps/docs/config/credentialhandler.xml
index 5598f5fcaa..2ef7c11e43 100644
--- a/webapps/docs/config/credentialhandler.xml
+++ b/webapps/docs/config/credentialhandler.xml
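Review bot: Flipping the default means salted credentials hashed by earlier Tomcat versions (salt then credential) stop verifying unless `digestInRfc3112Order="false"` is configured, and the code records only the RFC side of that; I would extend the `else` branch with `// Legacy salt-then-credential order used by Tomcat 11 and earlier; needed to keep verifying credentials stored before the default changed`. The enclosing method's signature is outside the hunk, so I can only infer from `salt`, `iterations` and `HexUtils.toHexString` that this is the shared digest path behind both verification and credential generation. The diffstat lists no test change; a fixed-vector test per order (known credential, salt, iteration count and expected hex) would pin the new default and the legacy fallback against regression.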
@@ -123,6 +123,14 @@
       from a clear text credential.</p>
     </attribute>
 
+    <attribute name="digestInRfc3112Order" required="false">
+      <p>When generating the digest should the inputs be processed in the
+      order defined in RFC 3112 (credential then salt) or in the order used by
+      default in earlier versions of Tomcat (salt then credential). If not
+      specified, the default value of <code>true</code> is used. This is a
+      change from Tomcat 11.</p>
+    </attribute>
+
     <attribute name="saltLength" required="false">
       <p>The length of the randomly generated salt to use when creating a new
       stored credential from a clear text credential.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
