Make timing attacks against the Realm implementations harder. (schultz)

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1758501 13f79535-47bb-0310-9956-ffa450edef68

Author: markt-asf

java/org/apache/catalina/realm/DataSourceRealm.java

@@ -303,6 +303,8 @@ protected Principal authenticate(Connection dbConnection,
 
         if(dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",

java/org/apache/catalina/realm/JDBCRealm.java

@@ -384,6 +384,8 @@ public synchronized Principal authenticate(Connection dbConnection,
 
         if (dbCredentials == null) {
             // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",

java/org/apache/catalina/realm/MemoryRealm.java

@@ -125,7 +125,9 @@ public Principal authenticate(String username, String credentials) {
         GenericPrincipal principal = principals.get(username);
 
         if(principal == null || principal.getPassword() == null) {
-            // User was not found in the database of the password was null
+            // User was not found in the database or the password was null
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (log.isDebugEnabled())
                 log.debug(sm.getString("memoryRealm.authenticateFailure", username));

java/org/apache/catalina/realm/RealmBase.java

@@ -488,6 +488,8 @@ public Principal authenticate(String username, String credentials) {
 
         if (serverCredentials == null) {
             // User was not found
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
 
             if (containerLog.isTraceEnabled()) {
                 containerLog.trace(sm.getString("realmBase.authenticateFailure",

webapps/docs/changelog.xml

@@ -200,6 +200,9 @@
         of the web.xml file where specified or UTF-8 where no explicit encoding
         is specified. (markt)
       </fix>
+      <fix>
+        Make timing attacks against the Realm implementations harder. (schultz)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">