Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

439507 - Possible timing side-channel when comparing MD5-Credentials 

+ Using correct digestMismatch logic
+ Fixing test cases:
  + No longer reuses / shares directories
  + Is now Windows build/test compatible
  + No longer deleteOnExit() the test data
    (let maven clean and/or test init do that)
  + Empty directories are now verified
  + Using server.getURI() instead of URL string manipulation
This commit is contained in:
Joakim Erdfelt 2014-07-17 17:55:22 -07:00
parent e39adb337f
commit c4c8426069
5 changed files with 60 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
View File

@ -160,19 +160,19 @@ public abstract class Credential implements Serializable
digest = __md.digest(); digest = __md.digest();
} }
if (digest == null || digest.length != _digest.length) return false; if (digest == null || digest.length != _digest.length) return false;
boolean match=true; boolean digestMismatch = false;
for (int i = 0; i < digest.length; i++) for (int i = 0; i < digest.length; i++)
match&=digest[i] != _digest[i]; digestMismatch |= (digest[i] != _digest[i]);
return match; return !digestMismatch;
} }
else if (credentials instanceof MD5) else if (credentials instanceof MD5)
{ {
MD5 md5 = (MD5) credentials; MD5 md5 = (MD5) credentials;
if (_digest.length != md5._digest.length) return false; if (_digest.length != md5._digest.length) return false;
boolean match=true; boolean digestMismatch = false;
for (int i = 0; i < _digest.length; i++) for (int i = 0; i < _digest.length; i++)
match&=(_digest[i] != md5._digest[i]); digestMismatch |= (_digest[i] != md5._digest[i]);
return match; return !digestMismatch;
} }
else if (credentials instanceof Credential) else if (credentials instanceof Credential)
{ {

34
tests/test-loginservice/src/test/java/org/eclipse/jetty/DataSourceLoginServiceTest.java
View File

@ -28,7 +28,6 @@ import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.Statement; import java.sql.Statement;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.derby.jdbc.EmbeddedDataSource; import org.apache.derby.jdbc.EmbeddedDataSource;
@ -37,9 +36,8 @@ import org.eclipse.jetty.client.api.AuthenticationStore;
import org.eclipse.jetty.client.api.ContentResponse; import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.util.BasicAuthentication; import org.eclipse.jetty.client.util.BasicAuthentication;
import org.eclipse.jetty.plus.security.DataSourceLoginService; import org.eclipse.jetty.plus.security.DataSourceLoginService;
import org.eclipse.jetty.security.JDBCLoginService; import org.eclipse.jetty.toolchain.test.FS;
import org.eclipse.jetty.security.LoginService; import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.Loader; import org.eclipse.jetty.util.Loader;
import org.eclipse.jetty.util.thread.QueuedThreadPool; import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.junit.AfterClass; import org.junit.AfterClass;
@ -58,40 +56,34 @@ public class DataSourceLoginServiceTest
private static File _dbRoot; private static File _dbRoot;
private static HttpClient _client; private static HttpClient _client;
private static String __realm = "DSRealm"; private static String __realm = "DSRealm";
private static String _baseUrl; private static URI _baseUri;
private static final int __cacheInterval = 200; private static final int __cacheInterval = 200;
private static DatabaseLoginServiceTestServer _testServer; private static DatabaseLoginServiceTestServer _testServer;
@BeforeClass @BeforeClass
public static void setUp() throws Exception public static void setUp() throws Exception
{ {
_docRoot = new File("target/test-output/docroot/"); _docRoot = MavenTestingUtils.getTargetTestingDir(DataSourceLoginServiceTest.class.getSimpleName());
_docRoot.mkdirs(); FS.ensureEmpty(_docRoot);
_docRoot.deleteOnExit();
File content = new File(_docRoot,"input.txt"); File content = new File(_docRoot,"input.txt");
FileOutputStream out = new FileOutputStream(content); FileOutputStream out = new FileOutputStream(content);
out.write(_content.getBytes("utf-8")); out.write(_content.getBytes("utf-8"));
out.close(); out.close();
_dbRoot = new File("target/test-output/derby"); _dbRoot = new File(_docRoot, "derby");
String dbPath = _dbRoot.getAbsolutePath(); String dbPath = _dbRoot.getAbsolutePath();
System.setProperty("derby.system.home", dbPath); System.setProperty("derby.system.home", dbPath);
if (_dbRoot.exists()) FS.ensureEmpty(_dbRoot);
IO.delete(_dbRoot);
_dbRoot.mkdirs(); File scriptFile = MavenTestingUtils.getTestResourceFile("createdb.sql");
DatabaseLoginServiceTestServer.createDB(dbPath, scriptFile, "jdbc:derby:dstest;create=true");
DatabaseLoginServiceTestServer.createDB(dbPath, "src/test/resources/createdb.sql", "jdbc:derby:dstest;create=true");
_testServer = new DatabaseLoginServiceTestServer(); _testServer = new DatabaseLoginServiceTestServer();
_testServer.setResourceBase(_docRoot.getAbsolutePath()); _testServer.setResourceBase(_docRoot.getAbsolutePath());
_testServer.setLoginService(configureLoginService()); _testServer.setLoginService(configureLoginService());
_testServer.start(); _testServer.start();
_baseUrl = _testServer.getBaseUrl(); _baseUri = _testServer.getBaseUri();
} }
@AfterClass @AfterClass
@ -141,7 +133,7 @@ public class DataSourceLoginServiceTest
{ {
startClient("jetty", "jetty"); startClient("jetty", "jetty");
ContentResponse response = _client.GET(_baseUrl + "input.txt"); ContentResponse response = _client.GET(_baseUri.resolve("input.txt"));
assertEquals(HttpServletResponse.SC_OK,response.getStatus()); assertEquals(HttpServletResponse.SC_OK,response.getStatus());
assertEquals(_content, response.getContentAsString()); assertEquals(_content, response.getContentAsString());
@ -154,7 +146,7 @@ public class DataSourceLoginServiceTest
startClient("jetty", newpwd); startClient("jetty", newpwd);
response = _client.GET(_baseUrl + "input.txt"); response = _client.GET(_baseUri.resolve("input.txt"));
assertEquals(HttpServletResponse.SC_OK,response.getStatus()); assertEquals(HttpServletResponse.SC_OK,response.getStatus());
assertEquals(_content, response.getContentAsString()); assertEquals(_content, response.getContentAsString());
@ -185,7 +177,7 @@ public class DataSourceLoginServiceTest
executor.setName(executor.getName() + "-client"); executor.setName(executor.getName() + "-client");
_client.setExecutor(executor); _client.setExecutor(executor);
AuthenticationStore authStore = _client.getAuthenticationStore(); AuthenticationStore authStore = _client.getAuthenticationStore();
authStore.addAuthentication(new BasicAuthentication(URI.create(_baseUrl), __realm, user, pwd)); authStore.addAuthentication(new BasicAuthentication(_baseUri, __realm, user, pwd));
_client.start(); _client.start();
} }

28
tests/test-loginservice/src/test/java/org/eclipse/jetty/DatabaseLoginServiceTestServer.java
View File

@ -25,6 +25,7 @@ import java.io.FileInputStream;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.OutputStream; import java.io.OutputStream;
import java.net.URI;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
@ -43,36 +44,37 @@ import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.LoginService; import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator; import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.NetworkConnector; import org.eclipse.jetty.server.NetworkConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler; import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerCollection; import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.servlet.DefaultServlet; import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler; import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder; import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.FS;
import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.Loader; import org.eclipse.jetty.util.Loader;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.security.Constraint; import org.eclipse.jetty.util.security.Constraint;
/** /**
* DatabaseLoginServiceTestServer * DatabaseLoginServiceTestServer
*
*
*/ */
public class DatabaseLoginServiceTestServer public class DatabaseLoginServiceTestServer
{ {
private static final Logger LOG = Log.getLogger(DatabaseLoginServiceTestServer.class);
protected Server _server; protected Server _server;
protected static String _protocol; protected static String _protocol;
protected static String _baseUrl; protected static URI _baseUri;
protected LoginService _loginService; protected LoginService _loginService;
protected String _resourceBase; protected String _resourceBase;
protected TestHandler _handler; protected TestHandler _handler;
protected static String _requestContent; protected static String _requestContent;
protected static boolean createDB(String homeDir, String fileName, String dbUrl) protected static boolean createDB(String homeDir, File scriptFile, String dbUrl)
{ {
File scriptFile = new File(fileName);
try (FileInputStream fileStream = new FileInputStream(scriptFile)) try (FileInputStream fileStream = new FileInputStream(scriptFile))
{ {
Loader.loadClass(fileStream.getClass(), "org.apache.derby.jdbc.EmbeddedDriver").newInstance(); Loader.loadClass(fileStream.getClass(), "org.apache.derby.jdbc.EmbeddedDriver").newInstance();
@ -85,6 +87,7 @@ public class DatabaseLoginServiceTestServer
} }
catch (Exception e) catch (Exception e)
{ {
LOG.warn("Unable to create EmbeddedDriver",e);
return false; return false;
} }
} }
@ -116,12 +119,11 @@ public class DatabaseLoginServiceTestServer
baseRequest.setHandled(true); baseRequest.setHandled(true);
File file = new File(_resourcePath, URLDecoder.decode(request.getPathInfo())); File file = new File(_resourcePath, URLDecoder.decode(request.getPathInfo()));
file.getParentFile().mkdirs(); FS.ensureDirExists(file.getParentFile());
file.deleteOnExit();
out = new FileOutputStream(file); out = new FileOutputStream(file);
response.setStatus(HttpServletResponse.SC_CREATED); response.setStatus(HttpServletResponse.SC_CREATED);
} }
if (baseRequest.getMethod().equals("POST")) if (baseRequest.getMethod().equals("POST"))
@ -175,8 +177,8 @@ public class DatabaseLoginServiceTestServer
{ {
configureServer(); configureServer();
_server.start(); _server.start();
int port = ((NetworkConnector)_server.getConnectors()[0]).getLocalPort(); //_server.dumpStdErr();
_baseUrl = _protocol+"://localhost:"+port+ "/"; _baseUri = _server.getURI();
} }
public void stop() throws Exception public void stop() throws Exception
@ -184,9 +186,9 @@ public class DatabaseLoginServiceTestServer
_server.stop(); _server.stop();
} }
public String getBaseUrl() public URI getBaseUri()
{ {
return _baseUrl; return _baseUri;
} }
public TestHandler getTestHandler() public TestHandler getTestHandler()

49
tests/test-loginservice/src/test/java/org/eclipse/jetty/JdbcLoginServiceTest.java
View File

@ -38,6 +38,8 @@ import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.HttpStatus; import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.security.JDBCLoginService; import org.eclipse.jetty.security.JDBCLoginService;
import org.eclipse.jetty.security.LoginService; import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.toolchain.test.FS;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.thread.QueuedThreadPool; import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.junit.AfterClass; import org.junit.AfterClass;
@ -64,39 +66,38 @@ public class JdbcLoginServiceTest
private static File _docRoot; private static File _docRoot;
private static HttpClient _client; private static HttpClient _client;
private static String __realm = "JdbcRealm"; private static String __realm = "JdbcRealm";
private static String _baseUrl; private static URI _baseUri;
private static DatabaseLoginServiceTestServer _testServer; private static DatabaseLoginServiceTestServer _testServer;
@BeforeClass @BeforeClass
public static void setUp() throws Exception public static void setUp() throws Exception
{ {
_docRoot = new File("target/test-output/docroot/"); _docRoot = MavenTestingUtils.getTargetTestingDir(JdbcLoginServiceTest.class.getSimpleName());
_docRoot.mkdirs(); FS.ensureEmpty(_docRoot);
_docRoot.deleteOnExit();
File content = new File(_docRoot,"input.txt"); File content = new File(_docRoot,"input.txt");
FileOutputStream out = new FileOutputStream(content);
out.write(_content.getBytes("utf-8")); try (FileOutputStream out = new FileOutputStream(content))
out.close(); {
out.write(_content.getBytes("utf-8"));
}
File dbRoot = new File("target/test-output/derby"); File dbRoot = new File(_docRoot, "derby");
String dbPath = dbRoot.getAbsolutePath(); String dbPath = dbRoot.getAbsolutePath();
System.setProperty("derby.system.home", dbPath); System.setProperty("derby.system.home", dbPath);
if (dbRoot.exists()) FS.ensureEmpty(dbRoot);
IO.delete(dbRoot);
dbRoot.mkdirs(); File scriptFile = MavenTestingUtils.getTestResourceFile("createdb.sql");
DatabaseLoginServiceTestServer.createDB(dbPath, scriptFile, "jdbc:derby:jdbcrealm;create=true");
DatabaseLoginServiceTestServer.createDB(dbPath, "src/test/resources/createdb.sql", "jdbc:derby:jdbcrealm;create=true"); File jdbcRealmFile = MavenTestingUtils.getTestResourceFile("jdbcrealm.properties");
LoginService loginService = new JDBCLoginService(__realm, "./src/test/resources/jdbcrealm.properties");
LoginService loginService = new JDBCLoginService(__realm, jdbcRealmFile.getAbsolutePath());
_testServer = new DatabaseLoginServiceTestServer(); _testServer = new DatabaseLoginServiceTestServer();
_testServer.setResourceBase(_docRoot.getAbsolutePath()); _testServer.setResourceBase(_docRoot.getAbsolutePath());
_testServer.setLoginService(loginService); _testServer.setLoginService(loginService);
_testServer.start(); _testServer.start();
_baseUrl = _testServer.getBaseUrl(); _baseUri = _testServer.getBaseUri();
} }
@AfterClass @AfterClass
@ -117,7 +118,7 @@ public class JdbcLoginServiceTest
{ {
startClient(); startClient();
Request request = _client.newRequest(_baseUrl + "output.txt"); Request request = _client.newRequest(_baseUri.resolve("output.txt"));
request.method(HttpMethod.PUT); request.method(HttpMethod.PUT);
request.content(new BytesContentProvider(_content.getBytes())); request.content(new BytesContentProvider(_content.getBytes()));
ContentResponse response = request.send(); ContentResponse response = request.send();
@ -140,7 +141,7 @@ public class JdbcLoginServiceTest
{ {
startClient(); startClient();
ContentResponse response = _client.GET(_baseUrl + "input.txt"); ContentResponse response = _client.GET(_baseUri.resolve("input.txt"));
assertEquals(HttpServletResponse.SC_OK,response.getStatus()); assertEquals(HttpServletResponse.SC_OK,response.getStatus());
assertEquals(_content, response.getContentAsString()); assertEquals(_content, response.getContentAsString());
} }
@ -158,7 +159,7 @@ public class JdbcLoginServiceTest
{ {
startClient(); startClient();
Request request = _client.newRequest(_baseUrl + "input.txt"); Request request = _client.newRequest(_baseUri.resolve("input.txt"));
request.method(HttpMethod.HEAD); request.method(HttpMethod.HEAD);
ContentResponse response = request.send(); ContentResponse response = request.send();
int responseStatus = response.getStatus(); int responseStatus = response.getStatus();
@ -177,7 +178,7 @@ public class JdbcLoginServiceTest
{ {
startClient(); startClient();
Request request = _client.newRequest(_baseUrl + "test"); Request request = _client.newRequest(_baseUri.resolve("test"));
request.method(HttpMethod.POST); request.method(HttpMethod.POST);
request.content(new BytesContentProvider(_content.getBytes())); request.content(new BytesContentProvider(_content.getBytes()));
ContentResponse response = request.send(); ContentResponse response = request.send();
@ -198,7 +199,7 @@ public class JdbcLoginServiceTest
executor.setName(executor.getName() + "-client"); executor.setName(executor.getName() + "-client");
_client.setExecutor(executor); _client.setExecutor(executor);
AuthenticationStore authStore = _client.getAuthenticationStore(); AuthenticationStore authStore = _client.getAuthenticationStore();
authStore.addAuthentication(new BasicAuthentication(URI.create(_baseUrl), __realm, "jetty", "jetty")); authStore.addAuthentication(new BasicAuthentication(_baseUri, __realm, "jetty", "jetty"));
_client.start(); _client.start();
} }
@ -212,17 +213,13 @@ public class JdbcLoginServiceTest
} }
} }
protected HttpClient getClient() protected HttpClient getClient()
{ {
return _client; return _client;
} }
protected String getContent() protected String getContent()
{ {
return _content; return _content;
} }
} }

3
tests/test-loginservice/src/test/resources/jetty-logging.properties Normal file
View File

@ -0,0 +1,3 @@
org.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.StdErrLog
#org.eclipse.jetty.LEVEL=DEBUG
#org.eclipse.jetty.server.LEVEL=DEBUG