On Tue, Nov 4, 2025 at 6:42 PM Mark Thomas <[email protected]> wrote:
>
> On 04/11/2025 17:40, [email protected] wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> > commit 76c9a625a6abf295444ad2aa23ec9106a5760815
> > Author: Mark Thomas <[email protected]>
> > AuthorDate: Tue Nov 4 17:28:12 2025 +0000
> >
> > Complete the fix for BZ 69852 - align default digest order with RFC 3112
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
>
> This isn't the only way to fix this. Before I backport this (likely
> first thing my time tomorrow) are there any objections to this approach
> / suggestions for a different solution?
+1 for backporting but I would not change the default.
Rémy
> Mark
>
>
> > ---
> > .../catalina/realm/MessageDigestCredentialHandler.java | 18
> > +++++++++++++++++-
> > webapps/docs/changelog.xml | 5 +++++
> > webapps/docs/config/credentialhandler.xml | 8 ++++++++
> > 3 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git
> > a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
> > b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
> > index e3aa771d60..2ce9e68901 100644
> > --- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
> > +++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
> > @@ -58,6 +58,7 @@ public class MessageDigestCredentialHandler extends
> > DigestCredentialHandlerBase
> >
> > private Charset encoding = StandardCharsets.UTF_8;
> > private String algorithm = null;
> > + private boolean digestInRfc3112Order = true;
> >
> >
> > public String getEncoding() {
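Review bot: the new field defaults to `true`, which silently changes the digest input order for every existing deployment that relied on the previous salt-then-credential behaviour; stored credentials created by earlier versions will stop matching until the administrator explicitly sets `digestInRfc3112Order="false"`. Consider defaulting to `false` here (as Rémy suggests) so the RFC 3112 order is opt-in, or at minimum keep the old default on the branches this is backported to.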
> > @@ -91,6 +92,16 @@ public class MessageDigestCredentialHandler extends
> > DigestCredentialHandlerBase
> > }
> >
> >
> > + public boolean getDigestInRfc3112Order() {
> > + return digestInRfc3112Order;
> > + }
> > +
> > +
> > + public void setDigestInRfc3112Order(boolean digestInRfc3112Order) {
> > + this.digestInRfc3112Order = digestInRfc3112Order;
> > + }
> > +
> > +
> > @Override
> > public boolean matches(String inputCredentials, String
> > storedCredentials) {
> > if (inputCredentials == null || storedCredentials == null) {
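Review bot: the new public getter/setter pair carries no Javadoc, although this is the attribute administrators will configure; add a short Javadoc on `setDigestInRfc3112Order` stating what `true` (credential then salt, per RFC 3112) and `false` (salt then credential, the legacy order) mean, and that the value must match the order the stored credentials were generated with.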
> > @@ -162,7 +173,12 @@ public class MessageDigestCredentialHandler extends
> > DigestCredentialHandlerBase
> > if (salt == null) {
> > userDigest = ConcurrentMessageDigest.digest(algorithm,
> > iterations, inputCredentialbytes);
> > } else {
> > - userDigest = ConcurrentMessageDigest.digest(algorithm,
> > iterations, salt, inputCredentialbytes);
> > + if (digestInRfc3112Order) {
> > + // RFC 3112 states that the input order for the digest
> > is credentials then salt
> > + userDigest = ConcurrentMessageDigest.digest(algorithm,
> > iterations, inputCredentialbytes, salt);
> > + } else {
> > + userDigest = ConcurrentMessageDigest.digest(algorithm,
> > iterations, salt, inputCredentialbytes);
> > + }
> > }
> > return HexUtils.toHexString(userDigest);
> > }
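Review bot: the order switch is applied only in the salted branch of this method and the method's name is not visible in the hunk; if this is a shared helper used both when verifying and when generating stored credentials that is fine, but if generation goes through a separate path it must honour `digestInRfc3112Order` too, otherwise new credentials would be written in one order and checked in the other. Since `digest(algorithm, iterations, inputCredentialbytes, salt)` and `digest(algorithm, iterations, salt, inputCredentialbytes)` yield different hashes for the same password and salt, a mismatched setting rejects every login rather than accepting bad ones, which is the safe direction but will present as a mass lockout after an upgrade, so a log message on the first mismatch pointing at this attribute would help operators.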
> > diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> > index b1c8c3eaa6..fb641051d1 100644
> > --- a/webapps/docs/changelog.xml
> > +++ b/webapps/docs/changelog.xml
> > @@ -180,6 +180,11 @@
> > Remove the <code>RemoteAddrFilter</code> and
> > <code>RemoteAddrValve</code>. (markt)
> > </update>
> > + <update>
> > + Change the default for the <code>digestInRfc3112Order</code>
> > attribute
> > + of <code>MessageDigestCredentialHandler</code> from
> > <code>false</code>
> > + to <code>true</code>. (markt)
> > + </update>
> > <!-- Entries for backport and removal before 12.0.0-M1 below this
> > line -->
> > <fix>
> > When generating the class path in the Loader, re-order the check
> > on
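Review bot: the new `<update>` entry sits above the `<!-- Entries for backport and removal before 12.0.0-M1 below this line -->` marker, which flags it as main-only, yet the covering mail proposes backporting the change; either move the entry below the marker, or, if the backport branches will keep the old default, leave it here and add a separate changelog entry on each backport branch.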
> > diff --git a/webapps/docs/config/credentialhandler.xml
> > b/webapps/docs/config/credentialhandler.xml
> > index 5598f5fcaa..2ef7c11e43 100644
> > --- a/webapps/docs/config/credentialhandler.xml
> > +++ b/webapps/docs/config/credentialhandler.xml
> > @@ -123,6 +123,14 @@
> > from a clear text credential.</p>
> > </attribute>
> >
> > + <attribute name="digestInRfc3112Order" required="false">
> > + <p>When generating the digest should the inputs be processed in the
> > + order defined in RFC 3112 (credential then salt) or in the order
> > used by
> > + default in earlier versions of Tomcat (salt then credential). If
> > not
> > + specified, the default value of <code>true</code> is used. This is
> > a
> > + change from Tomcat 11.</p>
> > + </attribute>
> > +
> > <attribute name="saltLength" required="false">
> > <p>The length of the randomly generated salt to use when creating
> > a
> > new stored credential from a clear text credential.</p>
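Review bot: the attribute description reads as a question ("When generating the digest should the inputs be processed in the order ...") rather than a statement, and it does not tell administrators that the value must match the order used when their stored credentials were created. Suggest rewording along the lines of "Controls whether the inputs to the digest are processed in the order defined in RFC 3112 (credential then salt, `true`) or in the order used by default in earlier versions of Tomcat (salt then credential, `false`). Credentials stored by earlier versions will only match when this attribute is set to `false`."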
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >