From 4fb2f4e04773bfd10685890846eae34099891507 Mon Sep 17 00:00:00 2001 From: Michael Jumper Date: Thu, 5 Mar 2015 11:45:03 -0800 Subject: [PATCH] GUAC-1103: Allow unsalted passwords from external systems. --- .../security/PasswordEncryptionService.java | 13 ++++++++---- .../SHA256PasswordEncryptionService.java | 20 +++++++++---------- .../schema/001-create-schema.sql | 6 ++++-- .../schema/001-create-schema.sql | 6 ++++-- 4 files changed, 27 insertions(+), 18 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java index ef3099468..2e78725ef 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java @@ -30,11 +30,16 @@ public interface PasswordEncryptionService { /** * Creates a password hash based on the provided username, password, and - * salt. + * salt. If the provided salt is null, only the password itself is hashed. * - * @param password The password to hash. - * @param salt The salt to use when hashing the password. - * @return The generated password hash. + * @param password + * The password to hash. + * + * @param salt + * The salt to use when hashing the password, if any. + * + * @return + * The generated password hash. */ public byte[] createPasswordHash(String password, byte[] salt); 
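Review bot: The summary sentence still says the hash is based on the "provided username, password, and salt", but `createPasswordHash(String password, byte[] salt)` takes no username, so that part of the Javadoc is stale and the commit only rewords the salt clause; change it to `* Creates a password hash based on the provided password and salt.` The new sentence about a null salt should also say what that implies for callers, e.g. `* A null salt yields an unsalted hash and is intended only for values imported from external systems; the authentication system itself should always supply a salt.` The interface body continues past the end of the hunk.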
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java index cfe5bc45f..577bdb0ef 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java @@ -38,26 +38,26 @@ public class SHA256PasswordEncryptionService implements PasswordEncryptionServic try { - // Build salted password + // Build salted password, if a salt was provided StringBuilder builder = new StringBuilder(); builder.append(password); - builder.append(DatatypeConverter.printHexBinary(salt)); - // Hash UTF-8 bytes of salted password + if (salt != null) + builder.append(DatatypeConverter.printHexBinary(salt)); + + // Hash UTF-8 bytes of possibly-salted password MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(builder.toString().getBytes("UTF-8")); return md.digest(); } - // Should not happen - catch (UnsupportedEncodingException ex) { - throw new RuntimeException(ex); + // Throw hard errors if standard pieces of Java are missing + catch (UnsupportedEncodingException e) { + throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); } - - // Should not happen - catch (NoSuchAlgorithmException ex) { - throw new RuntimeException(ex); + catch (NoSuchAlgorithmException e) { + throw new UnsupportedOperationException("Unexpected lack of SHA-256 support.", e); } } 
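Review bot: The new null check covers only the salt; `builder.append(password)` on the line above still accepts a null password, and `StringBuilder.append(String)` renders null as the four characters "null", so a caller passing null for both arguments now gets a valid-looking digest of the literal text "null" rather than an error. Add `if (password == null) throw new IllegalArgumentException("Password may not be null.");` before the StringBuilder is built. The unsalted branch also deserves a warning comment, since a bare SHA-256 of the password is exactly what it produces, e.g. `// No salt: bare SHA-256 of the password, only for hashes imported from external systems`. If the module targets Java 7 or later, `getBytes(StandardCharsets.UTF_8)` would let the UnsupportedEncodingException catch disappear entirely. The method signature lies outside the hunk.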
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql index 5c23bfc90..0a50bb379 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql @@ -65,7 +65,9 @@ CREATE TABLE `guacamole_connection` ( -- -- Table of users. Each user has a unique username and a hashed password --- with corresponding salt. +-- with corresponding salt. Although the authentication system will always set +-- salted passwords, other systems may set unsalted passwords by simply not +-- providing the salt. -- CREATE TABLE `guacamole_user` ( @@ -73,7 +75,7 @@ CREATE TABLE `guacamole_user` ( `user_id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(128) NOT NULL, `password_hash` binary(32) NOT NULL, - `password_salt` binary(32) NOT NULL, + `password_salt` binary(32), PRIMARY KEY (`user_id`), UNIQUE KEY `username` (`username`) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql index a52fefecc..4e4297693 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql @@ -106,7 +106,9 @@ CREATE INDEX ON guacamole_connection(parent_id); -- -- Table of users. Each user has a unique username and a hashed password --- with corresponding salt. +-- with corresponding salt. Although the authentication system will always set +-- salted passwords, other systems may set unsalted passwords by simply not +-- providing the salt. -- CREATE TABLE guacamole_user ( 
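Review bot: Dropping NOT NULL from `password_salt` leaves nothing in the schema that distinguishes a deliberately unsalted, imported hash from a row where the salt was simply forgotten, and the table comment only says other systems "may" omit it. The comment should state the consequence, e.g. `-- A NULL password_salt means password_hash is a bare SHA-256 of the password, which is weak; reserve it for hashes imported from external systems.` MySQL releases current at the time of this change parse but do not enforce CHECK constraints, so any rule about which rows may carry a NULL salt has to live in the application, and that is worth saying in the same comment.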
@@ -114,7 +116,7 @@ CREATE TABLE guacamole_user ( user_id serial NOT NULL, username varchar(128) NOT NULL, password_hash bytea NOT NULL, - password_salt bytea NOT NULL, + password_salt bytea, PRIMARY KEY (user_id),