Remove Md4PasswordEncoder from core

Issue: gh-4674
2017-10-22 14:04:48 -05:00 · 2017-10-22 14:04:48 -05:00 · a8aa65b828
parent 2dc4e326be
commit a8aa65b828
6 changed files with 1 additions and 361 deletions
--- a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
@ -28,7 +28,6 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder;
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
 import org.springframework.security.config.Elements;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.util.StringUtils;
@ -47,7 +46,6 @@ public class PasswordEncoderParser {
 	public static final String ATT_HASH = "hash";
 	static final String ATT_BASE_64 = "base64";
 	static final String OPT_HASH_BCRYPT = "bcrypt";
 	static final String OPT_HASH_MD4 = "md4";
 	static final String OPT_HASH_LDAP_SHA = "{sha}";
 	static final String OPT_HASH_LDAP_SSHA = "{ssha}";
@ -56,7 +54,6 @@ public class PasswordEncoderParser {
 	static {
 		ENCODER_CLASSES = new HashMap<String, Class<?>>();
 		ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class);
 	}
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
 hash =
 	## Defines the hashing algorithm used on user passwords. Bcrypt is recommended.
-	attribute hash {"bcrypt" | "plaintext" | "md4" | "{sha}" | "{ssha}"}
+	attribute hash {"bcrypt" | "{sha}" | "{ssha}"}
 base64 =
 	## Whether a string should be base64 encoded
 	attribute base64 {xsd:boolean}
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
@ -12,7 +12,6 @@
         <xs:simpleType>
            <xs:restriction base="xs:token">
               <xs:enumeration value="bcrypt"/>
               <xs:enumeration value="md4"/>
               <xs:enumeration value="{sha}"/>
               <xs:enumeration value="{ssha}"/>
            </xs:restriction>
@ -143,7 +142,6 @@
         <xs:simpleType>
            <xs:restriction base="xs:token">
               <xs:enumeration value="bcrypt"/>
               <xs:enumeration value="md4"/>
               <xs:enumeration value="{sha}"/>
               <xs:enumeration value="{ssha}"/>
            </xs:restriction>
@ -522,7 +520,6 @@
         <xs:simpleType>
            <xs:restriction base="xs:token">
               <xs:enumeration value="bcrypt"/>
               <xs:enumeration value="md4"/>
               <xs:enumeration value="{sha}"/>
               <xs:enumeration value="{ssha}"/>
            </xs:restriction>
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4.java
@ -1,182 +0,0 @@
 /*
 * Copyright 2004, 2005, 2006, 2007 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.authentication.encoding;
 /**
 * Implementation of the MD4 message digest derived from the RSA Data Security, Inc, MD4
 * Message-Digest Algorithm.
 *
 * @author Alan Stewart
 */
 class Md4 {
 	private static final int BLOCK_SIZE = 64;
 	private static final int HASH_SIZE = 16;
 	private final byte[] buffer = new byte[BLOCK_SIZE];
 	private int bufferOffset;
 	private long byteCount;
 	private final int[] state = new int[4];
 	private final int[] tmp = new int[16];
 	Md4() {
 		reset();
 	}
 	public void reset() {
 		bufferOffset = 0;
 		byteCount = 0;
 		state[0] = 0x67452301;
 		state[1] = 0xEFCDAB89;
 		state[2] = 0x98BADCFE;
 		state[3] = 0x10325476;
 	}
 	public byte[] digest() {
 		byte[] resBuf = new byte[HASH_SIZE];
 		digest(resBuf, 0, HASH_SIZE);
 		return resBuf;
 	}
 	private void digest(byte[] buffer, int off) {
 		for (int i = 0; i < 4; i++) {
 			for (int j = 0; j < 4; j++) {
 				buffer[off + (i * 4 + j)] = (byte) (state[i] >>> (8 * j));
 			}
 		}
 	}
 	private void digest(byte[] buffer, int offset, int len) {
 		this.buffer[this.bufferOffset++] = (byte) 0x80;
 		int lenOfBitLen = 8;
 		int C = BLOCK_SIZE - lenOfBitLen;
 		if (this.bufferOffset > C) {
 			while (this.bufferOffset < BLOCK_SIZE) {
 				this.buffer[this.bufferOffset++] = (byte) 0x00;
 			}
 			update(this.buffer, 0);
 			this.bufferOffset = 0;
 		}
 		while (this.bufferOffset < C) {
 			this.buffer[this.bufferOffset++] = (byte) 0x00;
 		}
 		long bitCount = byteCount * 8;
 		for (int i = 0; i < 64; i += 8) {
 			this.buffer[this.bufferOffset++] = (byte) (bitCount >>> (i));
 		}
 		update(this.buffer, 0);
 		digest(buffer, offset);
 	}
 	public void update(byte[] input, int offset, int length) {
 		byteCount += length;
 		int todo;
 		while (length >= (todo = BLOCK_SIZE - this.bufferOffset)) {
 			System.arraycopy(input, offset, this.buffer, this.bufferOffset, todo);
 			update(this.buffer, 0);
 			length -= todo;
 			offset += todo;
 			this.bufferOffset = 0;
 		}
 		System.arraycopy(input, offset, this.buffer, this.bufferOffset, length);
 		bufferOffset += length;
 	}
 	private void update(byte[] block, int offset) {
 		for (int i = 0; i < 16; i++) {
 			tmp[i] = (block[offset++] & 0xFF) | (block[offset++] & 0xFF) << 8
 					| (block[offset++] & 0xFF) << 16 | (block[offset++] & 0xFF) << 24;
 		}
 		int A = state[0];
 		int B = state[1];
 		int C = state[2];
 		int D = state[3];
 		A = FF(A, B, C, D, tmp[0], 3);
 		D = FF(D, A, B, C, tmp[1], 7);
 		C = FF(C, D, A, B, tmp[2], 11);
 		B = FF(B, C, D, A, tmp[3], 19);
 		A = FF(A, B, C, D, tmp[4], 3);
 		D = FF(D, A, B, C, tmp[5], 7);
 		C = FF(C, D, A, B, tmp[6], 11);
 		B = FF(B, C, D, A, tmp[7], 19);
 		A = FF(A, B, C, D, tmp[8], 3);
 		D = FF(D, A, B, C, tmp[9], 7);
 		C = FF(C, D, A, B, tmp[10], 11);
 		B = FF(B, C, D, A, tmp[11], 19);
 		A = FF(A, B, C, D, tmp[12], 3);
 		D = FF(D, A, B, C, tmp[13], 7);
 		C = FF(C, D, A, B, tmp[14], 11);
 		B = FF(B, C, D, A, tmp[15], 19);
 		A = GG(A, B, C, D, tmp[0], 3);
 		D = GG(D, A, B, C, tmp[4], 5);
 		C = GG(C, D, A, B, tmp[8], 9);
 		B = GG(B, C, D, A, tmp[12], 13);
 		A = GG(A, B, C, D, tmp[1], 3);
 		D = GG(D, A, B, C, tmp[5], 5);
 		C = GG(C, D, A, B, tmp[9], 9);
 		B = GG(B, C, D, A, tmp[13], 13);
 		A = GG(A, B, C, D, tmp[2], 3);
 		D = GG(D, A, B, C, tmp[6], 5);
 		C = GG(C, D, A, B, tmp[10], 9);
 		B = GG(B, C, D, A, tmp[14], 13);
 		A = GG(A, B, C, D, tmp[3], 3);
 		D = GG(D, A, B, C, tmp[7], 5);
 		C = GG(C, D, A, B, tmp[11], 9);
 		B = GG(B, C, D, A, tmp[15], 13);
 		A = HH(A, B, C, D, tmp[0], 3);
 		D = HH(D, A, B, C, tmp[8], 9);
 		C = HH(C, D, A, B, tmp[4], 11);
 		B = HH(B, C, D, A, tmp[12], 15);
 		A = HH(A, B, C, D, tmp[2], 3);
 		D = HH(D, A, B, C, tmp[10], 9);
 		C = HH(C, D, A, B, tmp[6], 11);
 		B = HH(B, C, D, A, tmp[14], 15);
 		A = HH(A, B, C, D, tmp[1], 3);
 		D = HH(D, A, B, C, tmp[9], 9);
 		C = HH(C, D, A, B, tmp[5], 11);
 		B = HH(B, C, D, A, tmp[13], 15);
 		A = HH(A, B, C, D, tmp[3], 3);
 		D = HH(D, A, B, C, tmp[11], 9);
 		C = HH(C, D, A, B, tmp[7], 11);
 		B = HH(B, C, D, A, tmp[15], 15);
 		state[0] += A;
 		state[1] += B;
 		state[2] += C;
 		state[3] += D;
 	}
 	private int FF(int a, int b, int c, int d, int x, int s) {
 		int t = a + ((b & c) | (~b & d)) + x;
 		return t << s | t >>> (32 - s);
 	}
 	private int GG(int a, int b, int c, int d, int x, int s) {
 		int t = a + ((b & (c | d)) | (c & d)) + x + 0x5A827999;
 		return t << s | t >>> (32 - s);
 	}
 	private int HH(int a, int b, int c, int d, int x, int s) {
 		int t = a + (b ^ c ^ d) + x + 0x6ED9EBA1;
 		return t << s | t >>> (32 - s);
 	}
 }
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
@ -1,86 +0,0 @@
 /*
 * Copyright 2004, 2005, 2006, 2007 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.authentication.encoding;
 import java.util.Base64;
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.crypto.codec.Utf8;
 /**
 * MD4 implementation of PasswordEncoder.
 * <p>
 * If a <code>null</code> password is presented, it will be treated as an empty
 * <code>String</code> ("") password.
 * <p>
 * As MD4 is a one-way hash, the salt can contain any characters.
 * <p>
 * <b>NOTE:</b> This password encoder is only included for backwards compatability with
 * legacy applications, it's not secure, don't use it for anything new!
 *
 * @author Alan Stewart
 */
 public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
 	// ~ Methods
 	// ========================================================================================================
 	/**
 	 * Encodes the rawPass using an MD4 message digest. If a salt is specified it will be
 	 * merged with the password before encoding.
 	 *
 	 * @param rawPass The plain text password
 	 * @param salt The salt to sprinkle
 	 * @return Hex string of password digest (or base64 encoded string if
 	 * encodeHashAsBase64 is enabled.
 	 */
 	public String encodePassword(String rawPass, Object salt) {
 		String saltedPass = mergePasswordAndSalt(rawPass, salt, false);
 		byte[] passBytes = Utf8.encode(saltedPass);
 		Md4 md4 = new Md4();
 		md4.update(passBytes, 0, passBytes.length);
 		byte[] resBuf = md4.digest();
 		if (getEncodeHashAsBase64()) {
 			return Utf8.decode(Base64.getEncoder().encode(resBuf));
 		}
 		else {
 			return new String(Hex.encode(resBuf));
 		}
 	}
 	/**
 	 * Takes a previously encoded password and compares it with a raw password after
 	 * mixing in the salt and encoding that value.
 	 *
 	 * @param encPass previously encoded password
 	 * @param rawPass plain text password
 	 * @param salt salt to mix into password
 	 * @return true or false
 	 */
 	public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
 		String pass1 = "" + encPass;
 		String pass2 = encodePassword(rawPass, salt);
 		return PasswordEncoderUtils.equals(pass1, pass2);
 	}
 	public String getAlgorithm() {
 		return "MD4";
 	}
 }
--- a/core/src/test/java/org/springframework/security/authentication/encoding/Md4PasswordEncoderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/encoding/Md4PasswordEncoderTests.java
@ -1,86 +0,0 @@
 /*
 * Copyright 2004, 2005, 2006, 2007 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.authentication.encoding;
 import static org.assertj.core.api.Assertions.assertThat;
 import org.junit.Test;
 public class Md4PasswordEncoderTests {
 	@Test
 	public void testEncodeUnsaltedPassword() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		String encodedPassword = md4.encodePassword("ww_uni123", null);
 		assertThat(encodedPassword).isEqualTo("8zobtq72iAt0W6KNqavGwg==");
 	}
 	@Test
 	public void testEncodeSaltedPassword() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		String encodedPassword = md4.encodePassword("ww_uni123", "Alan K Stewart");
 		assertThat(encodedPassword).isEqualTo("ZplT6P5Kv6Rlu6W4FIoYNA==");
 	}
 	@Test
 	public void testEncodeNullPassword() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		String encodedPassword = md4.encodePassword(null, null);
 		assertThat(encodedPassword).isEqualTo("MdbP4NFq6TG3PFnX4MCJwA==");
 	}
 	@Test
 	public void testEncodeEmptyPassword() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		String encodedPassword = md4.encodePassword("", null);
 		assertThat(encodedPassword).isEqualTo("MdbP4NFq6TG3PFnX4MCJwA==");
 	}
 	@Test
 	public void testNonAsciiPasswordHasCorrectHash() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		String encodedPassword = md4.encodePassword("\u4F60\u597d", null);
 		assertThat(encodedPassword).isEqualTo("a7f1196539fd1f85f754ffd185b16e6e");
 	}
 	@Test
 	public void testIsHexPasswordValid() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		assertThat(md4.isPasswordValid("31d6cfe0d16ae931b73c59d7e0c089c0", "",
 				null)).isTrue();
 	}
 	@Test
 	public void testIsPasswordValid() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		assertThat(md4.isPasswordValid("8zobtq72iAt0W6KNqavGwg==", "ww_uni123",
 				null)).isTrue();
 	}
 	@Test
 	public void testIsSaltedPasswordValid() {
 		Md4PasswordEncoder md4 = new Md4PasswordEncoder();
 		md4.setEncodeHashAsBase64(true);
 		assertThat(md4.isPasswordValid("ZplT6P5Kv6Rlu6W4FIoYNA==", "ww_uni123",
 				"Alan K Stewart")).isTrue();
 	}
 }