CVE-2016-0762
Description
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 9.0.0.M1, < 9.0.0.M10 | 9.0.0.M10 |
| org.apache.tomcat:tomcat (Maven) | >= 8.5.0, < 8.5.5 | 8.5.5 |
| org.apache.tomcat:tomcat (Maven) | >= 8.0.0.RC1, < 8.0.37 | 8.0.37 |
| org.apache.tomcat:tomcat (Maven) | >= 7.0.0, < 7.0.72 | 7.0.72 |
| org.apache.tomcat:tomcat (Maven) | >= 6.0.0, < 6.0.46 | 6.0.46 |
Affected products (1)
- Apache Software Foundation/Apache Tomcat, v5, Range: 9.0.0.M1 to 9.0.0.M9
Patches (4)
970e615c7ade Make timing attacks against the Realm implementations harder. (schultz)
5 files changed · +91 −78
java/org/apache/catalina/realm/DataSourceRealm.java+23 −21 modified@@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -271,13 +271,13 @@ public String getInfo() { */ @Override public Principal authenticate(String username, String credentials) { - + // No user or no credentials // Can't possibly authenticate, don't bother the database then if (username == null || credentials == null) { return null; } - + Connection dbConnection = null; // Ensure that we have an open database connection @@ -286,7 +286,7 @@ public Principal authenticate(String username, String credentials) { // If the db connection open fails, return "not authenticated" return null; } - + try { // Acquire a Principal object for this user @@ -331,6 +331,8 @@ protected Principal authenticate(Connection dbConnection, if(dbCredentials == null) { // User was not found in the database. + // Waste a bit of time as not to reveal that the user does not exist. + compareCredentials(credentials, getClass().getName()); if (containerLog.isTraceEnabled()) containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure", @@ -374,7 +376,7 @@ protected void close(Connection dbConnection) { try { if (!dbConnection.getAutoCommit()) { dbConnection.commit(); - } + } } catch (SQLException e) { containerLog.error("Exception committing connection before closing:", e); } @@ -408,7 +410,7 @@ protected Connection open() { } catch (Exception e) { // Log the problem for posterity containerLog.error(sm.getString("dataSourceRealm.exception"), e); - } + } return null; } 
@@ -437,18 +439,18 @@ protected String getPassword(String username) { } try { - return getPassword(dbConnection, username); + return getPassword(dbConnection, username); } finally { close(dbConnection); } } - + /** * Return the password associated with the given principal's user name. * @param dbConnection The database connection to be used * @param username Username for which password should be retrieved */ - protected String getPassword(Connection dbConnection, + protected String getPassword(Connection dbConnection, String username) { ResultSet rs = null; @@ -463,7 +465,7 @@ protected String getPassword(Connection dbConnection, } return (dbCredentials != null) ? dbCredentials.trim() : null; - + } catch(SQLException e) { containerLog.error( sm.getString("dataSourceRealm.getPassword.exception", @@ -480,10 +482,10 @@ protected String getPassword(Connection dbConnection, containerLog.error( sm.getString("dataSourceRealm.getPassword.exception", username), e); - + } } - + return null; } @@ -527,15 +529,15 @@ protected ArrayList<String> getRoles(String username) { close(dbConnection); } } - + /** * Return the roles associated with the given user name * @param dbConnection The database connection to be used * @param username Username for which roles should be retrieved */ protected ArrayList<String> getRoles(Connection dbConnection, String username) { - + if (allRolesMode != AllRolesMode.STRICT_MODE && !isRoleStoreDefined()) { // Using an authentication only configuration and no role store has // been defined so don't spend cycles looking @@ -545,12 +547,12 @@ protected ArrayList<String> getRoles(Connection dbConnection, ResultSet rs = null; PreparedStatement stmt = null; ArrayList<String> list = null; - + try { stmt = roles(dbConnection, username); rs = stmt.executeQuery(); list = new ArrayList<String>(); - + while (rs.next()) { String role = rs.getString(1); if (role != null) { 
@@ -576,7 +578,7 @@ protected ArrayList<String> getRoles(Connection dbConnection, username), e); } } - + return null; } @@ -600,7 +602,7 @@ private PreparedStatement credentials(Connection dbConnection, return (credentials); } - + /** * Return a PreparedStatement configured to perform the SELECT required * to retrieve user roles for the specified username. @@ -613,7 +615,7 @@ private PreparedStatement credentials(Connection dbConnection, private PreparedStatement roles(Connection dbConnection, String username) throws SQLException { - PreparedStatement roles = + PreparedStatement roles = dbConnection.prepareStatement(preparedRoles); roles.setString(1, username); @@ -659,7 +661,7 @@ protected void startInternal() throws LifecycleException { temp.append(userNameCol); temp.append(" = ?"); preparedCredentials = temp.toString(); - + super.startInternal(); } }
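Review bot: The placeholder comparison `compareCredentials(credentials, getClass().getName())` in the `dbCredentials == null` branch of authenticate(Connection, ...) only hides the unknown-user case if it costs about as much as the comparison made for a real account, and a class name is not shaped like a stored credential. compareCredentials is declared in RealmBase and its body is not shown in this commit, so whether the placeholder takes the same digest path as a stored value should be confirmed for each supported credential format. The comment would be clearer as `// Result deliberately ignored: do the same comparison work as for a known user so response time does not reveal whether the user exists.` The same two lines are added in JDBCRealm, MemoryRealm and RealmBase; the other hunks in this file only strip trailing whitespace, which buries the two-line fix and would be easier to audit as a separate commit.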
java/org/apache/catalina/realm/JDBCRealm.java+2 −0 modified
@@ -409,6 +409,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 if (dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ compareCredentials(credentials, getClass().getName());
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
java/org/apache/catalina/realm/MemoryRealm.java+6 −2 modified@@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -150,6 +150,10 @@ public Principal authenticate(String username, String credentials) { GenericPrincipal principal = principals.get(username); if (principal == null || principal.getPassword() == null) { + // User was not found in the database or the password was null + // Waste a bit of time as not to reveal that the user does not exist. + compareCredentials(credentials, getClass().getName()); + if (log.isDebugEnabled()) log.debug(sm.getString("memoryRealm.authenticateFailure", username)); return null;
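Review bot: The not-found branch now passes `credentials` to compareCredentials, but whether `credentials` has been checked for null before `principals.get(username)` is not visible, since authenticate begins above this hunk. DataSourceRealm's public authenticate in this commit returns early on `username == null || credentials == null`; if MemoryRealm lacks an equivalent guard, a request without a password could now fail with an exception in a branch that previously only logged and returned null. A guard at the top of the method, `if (username == null || credentials == null) { return null; }`, would make the behaviour match. The later patches on this page add `getCredentialHandler().mutate(credentials)` at the same place and raise the same question.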
java/org/apache/catalina/realm/RealmBase.java+57 −55 modified@@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -161,15 +161,15 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm { * The all role mode. */ protected AllRolesMode allRolesMode = AllRolesMode.STRICT_MODE; - + /** * When processing users authenticated via the GSS-API, should any * "@..." be stripped from the end of the user name? */ protected boolean stripRealmForGss = true; - + private int transportGuaranteeRedirectStatus = HttpServletResponse.SC_FOUND; @@ -416,6 +416,8 @@ public Principal authenticate(String username, String credentials) { if (serverCredentials == null) { // User was not found + // Waste a bit of time as not to reveal that the user does not exist. + compareCredentials(credentials, getClass().getName()); if (containerLog.isTraceEnabled()) { containerLog.trace(sm.getString("realmBase.authenticateFailure", 
@@ -489,13 +491,13 @@ public Principal authenticate(String username, String clientDigest, } if (log.isDebugEnabled()) { - log.debug("Digest : " + clientDigest + " Username:" + username - + " ClientSigest:" + clientDigest + " nonce:" + nonce - + " nc:" + nc + " cnonce:" + cnonce + " qop:" + qop - + " realm:" + realm + "md5a2:" + md5a2 + log.debug("Digest : " + clientDigest + " Username:" + username + + " ClientSigest:" + clientDigest + " nonce:" + nonce + + " nc:" + nc + " cnonce:" + cnonce + " qop:" + qop + + " realm:" + realm + "md5a2:" + md5a2 + " Server digest:" + serverDigest); } - + if (serverDigest.equals(clientDigest)) { return getPrincipal(username); } @@ -540,7 +542,7 @@ public Principal authenticate(X509Certificate certs[]) { } - + /** * {@inheritDoc} */ @@ -553,10 +555,10 @@ public Principal authenticate(GSSContext gssContext, boolean storeCred) { } catch (GSSException e) { log.warn(sm.getString("realmBase.gssNameFail"), e); } - + if (gssName!= null) { String name = gssName.toString(); - + if (isStripRealmForGss()) { int i = name.indexOf('@'); if (i > 0) { @@ -579,12 +581,12 @@ public Principal authenticate(GSSContext gssContext, boolean storeCred) { return getPrincipal(name, gssCredential); } } - + // Fail in all other cases return null; } - + protected boolean compareCredentials(String userCredentials, String serverCredentials) { @@ -689,13 +691,13 @@ public void backgroundProcess() { if (uri == null) { uri = "/"; } - + String method = request.getMethod(); int i; boolean found = false; for (i = 0; i < constraints.length; i++) { SecurityCollection [] collection = constraints[i].findCollections(); - + // If collection is null, continue to avoid an NPE // See Bugzilla 30624 if ( collection == null) { @@ -710,7 +712,7 @@ public void backgroundProcess() { for(int j=0; j < collection.length; j++){ String [] patterns = collection[j].findPatterns(); - + // If patterns is null, continue to avoid an NPE // See Bugzilla 30624 if ( patterns == null) { 
@@ -739,7 +741,7 @@ public void backgroundProcess() { for (i = 0; i < constraints.length; i++) { SecurityCollection [] collection = constraints[i].findCollections(); - + // If collection is null, continue to avoid an NPE // See Bugzilla 30624 if ( collection == null) { @@ -765,9 +767,9 @@ public void backgroundProcess() { int length = -1; for(int k=0; k < patterns.length; k++) { String pattern = patterns[k]; - if(pattern.startsWith("/") && pattern.endsWith("/*") && + if(pattern.startsWith("/") && pattern.endsWith("/*") && pattern.length() >= longest) { - + if(pattern.length() == 2) { matched = true; length = pattern.length(); @@ -812,7 +814,7 @@ public void backgroundProcess() { if ( collection == null) { continue; } - + if (log.isDebugEnabled()) { log.debug(" Checking constraint '" + constraints[i] + "' against " + method + " " + uri + " --> " + @@ -863,7 +865,7 @@ public void backgroundProcess() { for (i = 0; i < constraints.length; i++) { SecurityCollection [] collection = constraints[i].findCollections(); - + // If collection is null, continue to avoid an NPE // See Bugzilla 30624 if ( collection == null) { @@ -895,7 +897,7 @@ public void backgroundProcess() { if(matched) { if(results == null) { results = new ArrayList<SecurityConstraint>(); - } + } results.add(constraints[i]); } } @@ -908,7 +910,7 @@ public void backgroundProcess() { } return resultsToArray(results); } - + /** * Convert an ArrayList to a SecurityContraint []. */ @@ -922,7 +924,7 @@ public void backgroundProcess() { return array; } - + /** * Perform access control based on the specified authorization constraint. * Return <code>true</code> if this constraint is satisfied and processing @@ -974,7 +976,7 @@ public boolean hasResourcePermission(Request request, denyfromall = true; break; } - + if(log.isDebugEnabled()) log.debug("Passing all access"); status = true; 
@@ -1012,7 +1014,7 @@ else if( log.isDebugEnabled() ) status = true; break; } - + // For AllRolesMode.STRICT_AUTH_ONLY_MODE there must be zero roles roles = request.getContext().findSecurityRoles(); if (roles.length == 0 && allRolesMode == AllRolesMode.STRICT_AUTH_ONLY_MODE) { @@ -1025,7 +1027,7 @@ else if( log.isDebugEnabled() ) } } } - + // Return a "Forbidden" message denying access to this resource if(!status) { response.sendError @@ -1035,8 +1037,8 @@ else if( log.isDebugEnabled() ) return status; } - - + + /** * Return <code>true</code> if the specified Principal has the specified * security role, within the context of this Realm; otherwise return @@ -1075,7 +1077,7 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } - + /** * Enforce any user data constraint required by the security constraint * guarding this request URI. Return <code>true</code> if this constraint @@ -1166,8 +1168,8 @@ public boolean hasUserDataPermission(Request request, return (false); } - - + + /** * Remove a property change listener from this component. * @@ -1193,7 +1195,7 @@ protected void initInternal() throws LifecycleException { x509UsernameRetriever = createUsernameRetriever(x509UsernameRetrieverClassName); } - + /** * Prepare for the beginning of active use of the public methods of this * component and implement the requirements of @@ -1231,12 +1233,12 @@ protected void startInternal() throws LifecycleException { protected void stopInternal() throws LifecycleException { setState(LifecycleState.STOPPING); - + // Clean up allocated resources md = null; } - - + + /** * Return a String representation of this component. */ @@ -1247,8 +1249,8 @@ public String toString() { sb.append(']'); return sb.toString(); } - - + + // ------------------------------------------------------ Protected Methods 
@@ -1270,7 +1272,7 @@ protected String digest(String credentials) { synchronized (this) { try { md.reset(); - + byte[] bytes = null; try { bytes = credentials.getBytes(getDigestCharset()); @@ -1310,7 +1312,7 @@ protected String getDigest(String username, String realmName) { // Use pre-generated digest return getPassword(username); } - + String digestValue = username + ":" + realmName + ":" + getPassword(username); @@ -1356,7 +1358,7 @@ protected Principal getPrincipal(X509Certificate usercert) { return(getPrincipal(username)); } - + /** * Return the Principal associated with the given user name. @@ -1367,11 +1369,11 @@ protected Principal getPrincipal(X509Certificate usercert) { protected Principal getPrincipal(String username, GSSCredential gssCredential) { Principal p = getPrincipal(username); - + if (p instanceof GenericPrincipal) { ((GenericPrincipal) p).setGssCredential(gssCredential); } - + return p; } @@ -1398,7 +1400,7 @@ protected Server getServer() { return null; } - + // --------------------------------------------------------- Static Methods @@ -1425,7 +1427,7 @@ public static final String Digest(String credentials, String algorithm, if (encoding == null) { md.update(credentials.getBytes()); } else { - md.update(credentials.getBytes(encoding)); + md.update(credentials.getBytes(encoding)); } // Digest the credentials and return as hexadecimal @@ -1447,12 +1449,12 @@ public static void main(String args[]) { String encoding = null; int firstCredentialArg = 2; - + if (args.length > 4 && args[2].equalsIgnoreCase("-e")) { encoding = args[3]; firstCredentialArg = 4; } - + if(args.length > firstCredentialArg && args[0].equalsIgnoreCase("-a")) { for(int i=firstCredentialArg; i < args.length ; i++){ System.out.print(args[i]+":"); 
@@ -1470,7 +1472,7 @@ public static void main(String args[]) { @Override public String getObjectNameKeyProperties() { - + StringBuilder keyProperties = new StringBuilder("type=Realm"); keyProperties.append(getRealmSuffix()); keyProperties.append(MBeanUtils.getContainerKeyProperties(container)); @@ -1488,7 +1490,7 @@ public String getDomainInternal() { public String getRealmPath() { return realmPath; } - + public void setRealmPath(String theRealmPath) { realmPath = theRealmPath; } @@ -1499,10 +1501,10 @@ protected String getRealmSuffix() { protected static class AllRolesMode { - + private String name; /** Use the strict servlet spec interpretation which requires that the user - * have one of the web-app/security-role/role-name + * have one of the web-app/security-role/role-name */ public static final AllRolesMode STRICT_MODE = new AllRolesMode("strict"); /** Allow any authenticated user @@ -1511,7 +1513,7 @@ protected static class AllRolesMode { /** Allow any authenticated user only if there are no web-app/security-roles */ public static final AllRolesMode STRICT_AUTH_ONLY_MODE = new AllRolesMode("strictAuthOnly"); - + static AllRolesMode toMode(String name) { AllRolesMode mode; @@ -1525,12 +1527,12 @@ else if( name.equalsIgnoreCase(STRICT_AUTH_ONLY_MODE.name) ) throw new IllegalStateException("Unknown mode, must be one of: strict, authOnly, strictAuthOnly"); return mode; } - + private AllRolesMode(String name) { this.name = name; } - + @Override public boolean equals(Object o) {
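Review bot: The DIGEST overload of authenticate (hunk at -489/+491) still ends with `if (serverDigest.equals(clientDigest))`, an early-exit string comparison, in a commit whose purpose is to reduce timing signals from the Realm. A constant-time comparison of the two values, for example `MessageDigest.isEqual(...)` over their byte forms, would be consistent with that goal; whether the difference is measurable over the network is not something this page establishes. The debug statement in the same hunk also writes the server digest and nonce to the log and prints `clientDigest` twice under the labels `Digest :` and `ClientSigest:`; a short comment explaining why the server-side value needs to be logged, or dropping it, would help. The method starts and ends outside the hunk.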
webapps/docs/changelog.xml+3 −0 modified@@ -173,6 +173,9 @@ <bug>59904</bug>: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt) </fix> + <fix> + Make timing attacks against the Realm implementations harder. (schultz) + </fix> </changelog> </subsection> <subsection name="Jasper">
dc4c3317452f Make timing attacks against the Realm implementations harder. (schultz)
5 files changed · +12 −1
java/org/apache/catalina/realm/DataSourceRealm.java+2 −0 modified
@@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection,
 if(dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
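Review bot: `getCredentialHandler().mutate(credentials)` in the `dbCredentials == null` branch hashes the supplied password with the handler's currently configured parameters, whereas the known-user path (outside this hunk) presumably verifies against whatever parameters the stored credential was created with; where those differ, for example stored hashes made with another iteration count or algorithm, the two paths can still take noticeably different time. The CredentialHandler implementation is not part of this change, so this is something to confirm rather than a demonstrated gap. A comment that sets expectations would help: `// Result unused; approximates the cost of matches() for a known user.` The same two lines are added to JDBCRealm, MemoryRealm and RealmBase in this commit and in the d79c63d424fe and 86b2e436099c patches below.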
java/org/apache/catalina/realm/JDBCRealm.java+2 −0 modified
@@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 if (dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
java/org/apache/catalina/realm/MemoryRealm.java+3 −1 modified
@@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) {
 GenericPrincipal principal = principals.get(username);
 if(principal == null || principal.getPassword() == null) {
- // User was not found in the database of the password was null
+ // User was not found in the database or the password was null
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (log.isDebugEnabled())
 log.debug(sm.getString("memoryRealm.authenticateFailure", username));
java/org/apache/catalina/realm/RealmBase.java+2 −0 modified
@@ -488,6 +488,8 @@ public Principal authenticate(String username, String credentials) {
 if (serverCredentials == null) {
 // User was not found
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled()) {
 containerLog.trace(sm.getString("realmBase.authenticateFailure",
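Review bot: Only DataSourceRealm, JDBCRealm, MemoryRealm and RealmBase receive the dummy `getCredentialHandler().mutate(credentials)` call, so any Realm that overrides authenticate(String, String) without reaching this RealmBase branch keeps its own unknown-user path. That cannot be checked from this page, but the contract is worth stating where implementers will see it: a Javadoc sentence on RealmBase.authenticate saying that implementations must spend comparable time on unknown and known user names. The four copies of the same two lines would also be easier to keep aligned behind one protected helper in RealmBase. The method body continues outside the hunk.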
webapps/docs/changelog.xml+3 −0 modified@@ -200,6 +200,9 @@ of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt) </fix> + <fix> + Make timing attacks against the Realm implementations harder. (schultz) + </fix> </changelog> </subsection> <subsection name="Coyote">
d79c63d424fe Make timing attacks against the Realm implementations harder. (schultz)
5 files changed · +12 −1
java/org/apache/catalina/realm/DataSourceRealm.java+2 −0 modified
@@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection,
 if(dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
java/org/apache/catalina/realm/JDBCRealm.java+2 −0 modified
@@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 if (dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
java/org/apache/catalina/realm/MemoryRealm.java+3 −1 modified
@@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) {
 GenericPrincipal principal = principals.get(username);
 if(principal == null || principal.getPassword() == null) {
- // User was not found in the database of the password was null
+ // User was not found in the database or the password was null
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (log.isDebugEnabled())
 log.debug(sm.getString("memoryRealm.authenticateFailure", username));
java/org/apache/catalina/realm/RealmBase.java+2 −0 modified
@@ -344,6 +344,8 @@ public Principal authenticate(String username, String credentials) {
 if (serverCredentials == null) {
 // User was not found
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled()) {
 containerLog.trace(sm.getString("realmBase.authenticateFailure",
webapps/docs/changelog.xml+3 −0 modified@@ -183,6 +183,9 @@ of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt) </fix> + <fix> + Make timing attacks against the Realm implementations harder. (schultz) + </fix> </changelog> </subsection> <subsection name="Coyote">
86b2e436099c Make timing attacks against the Realm implementations harder. (schultz)
5 files changed · +12 −1
java/org/apache/catalina/realm/DataSourceRealm.java+2 −0 modified
@@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection,
 if(dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
java/org/apache/catalina/realm/JDBCRealm.java+2 −0 modified
@@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 if (dbCredentials == null) {
 // User was not found in the database.
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled())
 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
java/org/apache/catalina/realm/MemoryRealm.java+3 −1 modified
@@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) {
 GenericPrincipal principal = principals.get(username);
 if(principal == null || principal.getPassword() == null) {
- // User was not found in the database of the password was null
+ // User was not found in the database or the password was null
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (log.isDebugEnabled())
 log.debug(sm.getString("memoryRealm.authenticateFailure", username));
java/org/apache/catalina/realm/RealmBase.java+2 −0 modified
@@ -344,6 +344,8 @@ public Principal authenticate(String username, String credentials) {
 if (serverCredentials == null) {
 // User was not found
+ // Waste a bit of time as not to reveal that the user does not exist.
+ getCredentialHandler().mutate(credentials);
 if (containerLog.isTraceEnabled()) {
 containerLog.trace(sm.getString("realmBase.authenticateFailure",
webapps/docs/changelog.xml+3 −0 modified@@ -183,6 +183,9 @@ of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt) </fix> + <fix> + Make timing attacks against the Realm implementations harder. (schultz) + </fix> </changelog> </subsection> <subsection name="Coyote">
References (45)
- www.oracle.com//security-alerts/cpujul2021.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2017-0457.htmlnvdThird Party AdvisoryWEB
- www.debian.org/security/2016/dsa-3720nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:0455nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:0456nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:2247nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-wxcp-f2c8-x6xvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-0762ghsaADVISORY
- security.netapp.com/advisory/ntap-20180605-0001/nvdThird Party Advisory
- usn.ubuntu.com/4557-1/nvdThird Party Advisory
- www.securityfocus.com/bid/93939nvdBroken LinkWEB
- www.securitytracker.com/id/1037144nvdBroken LinkWEB
- github.com/apache/tomcat/commit/86b2e436099cb48f30dad950175c5beeeb763756ghsaWEB
- github.com/apache/tomcat/commit/970e615c7ade6ec6c341470bbc76aa1256353737ghsaWEB
- github.com/apache/tomcat/commit/d79c63d424fe6b225678416343b9ce106dec947cghsaWEB
- github.com/apache/tomcat80/commit/dc4c3317452f0bc2c5e1f6a08d3bd9f22488b450ghsaWEB
- lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20180605-0001ghsaWEB
- usn.ubuntu.com/4557-1ghsaWEB