Bug 52953 - Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: trunk
Hardware: All
OS: All
Importance: P2 minor
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-21 04:39 UTC by Neale Rudd
Modified: 2012-03-21 10:03 UTC
CC List: 0 users



Attachments
patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval (620 bytes, patch)
2012-03-21 04:39 UTC, Neale Rudd

Description Neale Rudd 2012-03-21 04:39:32 UTC
Created attachment 28487
patch against the current 8.0.0-dev trunk adding toLowerCase on hash retrieval

Unlike BASIC Authentication, DIGEST mode does not work if the hash is stored in uppercase.

This is not a problem if the hashes are generated by CATALINA/bin/digest.sh, but if they are prepared with other software that generates uppercase hex strings for hashes, it can be very confusing trying to figure out why digest authentication is not working.

The other hash comparisons use equalsIgnoreCase() to compare the hashes, but the digest version of RealmBase.authenticate() prepares the serverDigestValue by taking the Principal's hash (as is) and prepending it to the nonce and other digest fields, and then rehashing.

As a result, the final hash serverDigest is not the same as the clientDigest value that comes from the browser.

To test, change an MD5 DIGEST hash to upper case and attempt to authenticate.

The provided one-line patch against the current 8.0.0-dev trunk simply uses toLowerCase on the retrieved server-side hash.

Best Regards,
Neale Rudd
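A worked illustration of the mismatch described in the report (an added Python example, not Tomcat's code): the stored HA1 hex string is itself an input to the response hash, so its letter case changes the result, whereas the BASIC path only compares strings case-insensitively. User, realm, password, nonce and URI values are constructed for the demo.

```python
# Added example (not Tomcat's code): why an uppercase stored HA1 breaks HTTP
# Digest while BASIC (a case-insensitive compare) is unaffected.
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()  # lowercase hex


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    HA1 is concatenated as text, so its hex case changes the output."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed sample values (not from any real deployment).
USER, REALM, PASSWORD = "alice", "Example Realm", "correct horse"
NONCE, NC, CNONCE, QOP = "0a1b2c3d4e5f", "00000001", "f00ba4", "auth"
METHOD, URI = "GET", "/secure/"


def client_ha1() -> str:
    # The browser derives HA1 from the password, so it is always lowercase hex.
    return md5_hex(f"{USER}:{REALM}:{PASSWORD}")


def client_digest() -> str:
    return digest_response(client_ha1(), METHOD, URI, NONCE, NC, CNONCE, QOP)


def server_digest(stored_ha1: str, normalize: bool) -> str:
    """Server side: rehash the stored HA1 as RealmBase.authenticate() does.
    normalize=True applies the toLowerCase fix from the attached patch."""
    ha1 = stored_ha1.lower() if normalize else stored_ha1
    return digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)


def basic_matches(stored_ha1: str) -> bool:
    # BASIC compares the password hash directly with equalsIgnoreCase().
    return stored_ha1.lower() == client_ha1().lower()


def demo(stored_ha1: str) -> dict:
    return {
        "basic_ok": basic_matches(stored_ha1),
        "digest_ok_unpatched": server_digest(stored_ha1, False) == client_digest(),
        "digest_ok_patched": server_digest(stored_ha1, True) == client_digest(),
    }


if __name__ == "__main__":
    print("lowercase store:", demo(client_ha1()))
    print("uppercase store:", demo(client_ha1().upper()))
```

With the hash stored in uppercase, the unpatched digest path fails while BASIC and the patched digest path both succeed.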
Comment 1 Mark Thomas 2012-03-21 10:03:57 UTC
Thanks for the report and the patch.

A slightly modified version has been applied to trunk and 7.0.x and will be included in 7.0.27 onwards.