This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new c7cc495bde Complete the fix for BZ 69852 - make digest order 
configurable
c7cc495bde is described below

commit c7cc495bde997f1a1861bcbeef79af1e7c422489
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Nov 4 17:28:12 2025 +0000

    Complete the fix for BZ 69852 - make digest order configurable
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69852
---
 .../catalina/realm/MessageDigestCredentialHandler.java | 18 +++++++++++++++++-
 webapps/docs/changelog.xml                             |  8 ++++++++
 webapps/docs/config/credentialhandler.xml              |  8 ++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java 
b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
index e3aa771d60..4d2bd5c709 100644
--- a/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
+++ b/java/org/apache/catalina/realm/MessageDigestCredentialHandler.java
@@ -58,6 +58,7 @@ public class MessageDigestCredentialHandler extends 
DigestCredentialHandlerBase
 
     private Charset encoding = StandardCharsets.UTF_8;
     private String algorithm = null;
+    private boolean digestInRfc3112Order = false;
 
 
     public String getEncoding() {
@@ -91,6 +92,16 @@ public class MessageDigestCredentialHandler extends 
DigestCredentialHandlerBase
     }
 
 
+    public boolean getDigestInRfc3112Order() {
+        return digestInRfc3112Order;
+    }
+
+
+    public void setDigestInRfc3112Order(boolean digestInRfc3112Order) {
+        this.digestInRfc3112Order = digestInRfc3112Order;
+    }
+
+
     @Override
     public boolean matches(String inputCredentials, String storedCredentials) {
         if (inputCredentials == null || storedCredentials == null) {
@@ -162,7 +173,12 @@ public class MessageDigestCredentialHandler extends 
DigestCredentialHandlerBase
             if (salt == null) {
                 userDigest = ConcurrentMessageDigest.digest(algorithm, 
iterations, inputCredentialbytes);
             } else {
-                userDigest = ConcurrentMessageDigest.digest(algorithm, 
iterations, salt, inputCredentialbytes);
+                if (digestInRfc3112Order) {
+                    // RFC 3112 states that the input order for the digest is 
credentials then salt
+                    userDigest = ConcurrentMessageDigest.digest(algorithm, 
iterations, inputCredentialbytes, salt);
+                } else {
+                    userDigest = ConcurrentMessageDigest.digest(algorithm, 
iterations, salt, inputCredentialbytes);
+                }
             }
             return HexUtils.toHexString(userDigest);
         }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6d8fb8f17a..922057c21f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -116,6 +116,14 @@
         Fix SSL socket factory configuration in the JNDI realm. Based on pull
         request <pr>915</pr> by Joshua Rogers. (remm)
       </fix>
+      <update>
+        Add an attribute, <code>digestInRfc3112Order</code>, to
+        <code>MessageDigestCredentialHandler</code> to control the order in
+        which the credential and salt are digested. By default, the current,
+        non-RFC 3112 compliant, order of salt then credential will be used. 
This
+        default will change in Tomcat 12 to the RFC 3112 compliant order of
+        credential then salt. (markt)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/credentialhandler.xml 
b/webapps/docs/config/credentialhandler.xml
index 5598f5fcaa..b1ccfd39c9 100644
--- a/webapps/docs/config/credentialhandler.xml
+++ b/webapps/docs/config/credentialhandler.xml
@@ -123,6 +123,14 @@
         from a clear text credential.</p>
       </attribute>
 
+      <attribute name="digestInRfc3112Order" required="false">
+        <p>When generating the digest should the inputs be processed in the
+        order defined in RFC 3112 (credential then salt) or in the order used 
by
+        default in earlier versions of Tomcat (salt then credential). If not
+        specified, the default value of <code>false</code> is used. This 
default
+        will change in Tomcat 12.</p>
+      </attribute>
+
       <attribute name="saltLength" required="false">
         <p>The length of the randomly generated salt to use when creating a
         new stored credential from a clear text credential.</p>

