On 04/11/2025 17:40, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 76c9a625a6abf295444ad2aa23ec9106a5760815
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Nov 4 17:28:12 2025 +0000
Complete the fix for BZ 69852 - align default digest order with RFC 3112
https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
This isn't the only way to fix this. Before I backport this (likely
first thing my time tomorrow) are there any objections to this approach
/ suggestions for a different solution?
Mark
---
.../catalina/realm/MessageDigestCredentialHandler.java | 18 +++++++++++++++++-
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/credentialhandler.xml | 8 ++++++++
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index e3aa771d60..2ce9e68901 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -58,6 +58,7 @@ public class MessageDigestCredentialHandler extends
DigestCredentialHandlerBase
private Charset encoding = StandardCharsets.UTF_8;
private String algorithm = null;
+ private boolean digestInRfc3112Order = true;
public String getEncoding() {
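Review bot: The new field is initialised to true, so every MessageDigestCredentialHandler that does not set the attribute explicitly silently switches to the credential-then-salt input order for salted digests. Since the changelog hunk presents this as a change of default, the consequence should be stated somewhere: stored credentials that were generated with the previous salt-then-credential order will stop matching unless digestInRfc3112Order="false" is configured. A short comment on the field naming the order each value selects would also help the next reader.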
@@ -91,6 +92,16 @@ public class MessageDigestCredentialHandler extends
DigestCredentialHandlerBase
}
+ public boolean getDigestInRfc3112Order() {
+ return digestInRfc3112Order;
+ }
+
+
+ public void setDigestInRfc3112Order(boolean digestInRfc3112Order) {
+ this.digestInRfc3112Order = digestInRfc3112Order;
+ }
+
+
@Override
public boolean matches(String inputCredentials, String storedCredentials)
{
if (inputCredentials == null || storedCredentials == null) {
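Review bot: Style: the getter and the setter are each followed by two consecutive added blank lines (the doubled "+" lines); one blank line between methods is enough. The new property also carries no Javadoc saying which input order true and false select, which the changelog and credentialhandler.xml describe but the code itself does not.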
@@ -162,7 +173,12 @@ public class MessageDigestCredentialHandler extends
DigestCredentialHandlerBase
if (salt == null) {
userDigest = ConcurrentMessageDigest.digest(algorithm,
iterations, inputCredentialbytes);
} else {
- userDigest = ConcurrentMessageDigest.digest(algorithm,
iterations, salt, inputCredentialbytes);
+ if (digestInRfc3112Order) {
+ // RFC 3112 states that the input order for the digest is
credentials then salt
+ userDigest = ConcurrentMessageDigest.digest(algorithm,
iterations, inputCredentialbytes, salt);
+ } else {
+ userDigest = ConcurrentMessageDigest.digest(algorithm,
iterations, salt, inputCredentialbytes);
+ }
}
return HexUtils.toHexString(userDigest);
}
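Review bot: Logic: the reordering applies only in the "salt != null" branch, so unsalted digests are unaffected, which is correct. However, because this same code path produces the digest used to verify a stored credential, a credential stored with the old salt-then-credential order will fail to match under the new default, and nothing here falls back to the other order or logs why the match failed. Consider documenting this as a hard migration step, and add a test that checks the new order against a known RFC 3112 salted digest value (credential then salt) rather than only against a digest produced by the same code, so the RFC claim in the comment is actually verified.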
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b1c8c3eaa6..fb641051d1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -180,6 +180,11 @@
Remove the <code>RemoteAddrFilter</code> and
<code>RemoteAddrValve</code>. (markt)
</update>
+ <update>
+ Change the default for the <code>digestInRfc3112Order</code> attribute
+ of <code>MessageDigestCredentialHandler</code> from <code>false</code>
+ to <code>true</code>. (markt)
+ </update>
<!-- Entries for backport and removal before 12.0.0-M1 below this line
-->
<fix>
When generating the class path in the Loader, re-order the check on
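Review bot: The entry says the default is changed "from false to true", but the Java hunk in this same commit introduces the digestInRfc3112Order field with an initial value of true rather than altering an existing initialiser; if the attribute did not previously exist on main, readers of this changelog will look for an earlier entry that added it. Either reference that earlier change or reword the entry to say the attribute is added with a default of true. It would also help to reference BZ 69852 in the entry, as the commit message does, so the changelog links the behaviour change to the report.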
diff --git a/webapps/docs/config/credentialhandler.xml
b/webapps/docs/config/credentialhandler.xml
index 5598f5fcaa..2ef7c11e43 100644
--- a/webapps/docs/config/credentialhandler.xml
+++ b/webapps/docs/config/credentialhandler.xml
@@ -123,6 +123,14 @@
from a clear text credential.</p>
</attribute>
+ <attribute name="digestInRfc3112Order" required="false">
+ <p>When generating the digest should the inputs be processed in the
+ order defined in RFC 3112 (credential then salt) or in the order used
by
+ default in earlier versions of Tomcat (salt then credential). If not
+ specified, the default value of <code>true</code> is used. This is a
+ change from Tomcat 11.</p>
+ </attribute>
+
<attribute name="saltLength" required="false">
<p>The length of the randomly generated salt to use when creating a
new stored credential from a clear text credential.</p>
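Review bot: The first sentence of the new attribute description is phrased as a question without a question mark ("When generating the digest should the inputs be processed ..."); a declarative form reads better, for example: "If true, the digest is generated over the credential followed by the salt, as defined in RFC 3112; if false, the salt is processed first, as in earlier versions of Tomcat." The text should also state the practical consequence of the new default: credentials stored by earlier versions (salt then credential) require digestInRfc3112Order="false" to keep matching. "This is a change from Tomcat 11" would be clearer if it named the Tomcat 11 default (false) that the changelog entry refers to.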
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]