Closed
The upgrade process which changes password encryption from MD5 to PBKDF2 is broken, and breaks existing passwords after the first login.
If you log in and log out, you will never log in again.
If you log in and change your password, it works OK.
The bug happens here in the authentication manager:
protected UserModel authenticateLocal(UserModel user, char [] password) {
    UserModel returnedUser = null;
    PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
    if (pwdHash != null) {
        // matches() wipes 'password' before returning (see below)
        if (pwdHash.matches(user.password, password, user.username)) {
            returnedUser = user;
        }
    } else if (user.password.equals(new String(password))) {
        // plain-text password
        returnedUser = user;
    }
    // validate user
    returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
    // try to upgrade the stored password hash to a stronger hash, if necessary
    // ('password' is already all '\0' at this point when matches() was called)
    upgradeStoredPassword(returnedUser, password, pwdHash);
    return returnedUser;
}
The upgradeStoredPassword resets the password using the 'password' char array. However, the pwdHash.matches implementation in PasswordHash blanks out the char array:
public boolean matches(String hashedEntry, char[] password, String username) {
    if (hashedEntry == null || type != PasswordHash.getEntryType(hashedEntry)) return false;
    if (password == null) return false;
    String hashed = toHashedEntry(password, username);
    // zeroes the caller's array, not a private copy
    Arrays.fill(password, Character.MIN_VALUE);
    return hashed.equalsIgnoreCase(hashedEntry);
}